Let’s Encrypt – Encrypt All The Things!

I’ve recently switched over a bunch of sites, including this blog, to using SSL.

I got my SSL certificate through a very interesting project called “Let’s Encrypt”. The goal of the project is to increase the amount of encryption used on the internet by offering free, trusted, domain-validated certificates. Right now they are still in a limited beta stage, but the go-live date is currently set to the 3rd of December.

It seems to me that the recommended way to make use of Let’s Encrypt certificates is to have the Let’s Encrypt client on each and every server that will use the certificates. This is so that the domain validation works properly, automation is easier, and certificates can be renewed easily.

I didn’t really want to have the client on every server, so instead I added a proxy pass in my front-end Nginx boxes as follows:

location /.well-known/ {
    # Forward ACME HTTP-01 challenge requests to the machine running the client
    proxy_pass http://letsencrypt-machine.local/.well-known/;
    # Rewrite any Location header from the backend so it points back at this host;
    # the matched prefix must include /.well-known/, otherwise the path is doubled
    proxy_redirect http://letsencrypt-machine.local/.well-known/ http://$host:$server_port/.well-known/;
}

I have this block before my / proxy pass, so any requests for /.well-known/ will go to the machine on which I have the Let’s Encrypt client running.

Next, I ran the client to request the certificate as follows:

./letsencrypt-auto --agree-dev-preview --server https://acme-v01.api.letsencrypt.org/directory auth -d blog.hamzahkhan.com

Magic! I now have a freshly signed certificate, key, and certificate chain sitting in /etc/letsencrypt/live/blog.hamzahkhan.com/.
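Before running the client, it is worth confirming that a file dropped into the webroot on the Let’s Encrypt machine really is reachable at the public /.well-known/acme-challenge/ URL through the front-end proxy. The following is an added example, not code from the original post: a small Python pre-flight check in which a loopback server stands in for the Let’s Encrypt machine, and the token and key-authorization strings are constructed for the demo.

```python
"""Pre-flight check for the HTTP-01 challenge path that the Nginx proxy forwards."""
import functools
import http.server
import os
import tempfile
import threading
import urllib.error
import urllib.request

CHALLENGE_PREFIX = "/.well-known/acme-challenge/"


def fetch_challenge(host, port, token, timeout=5):
    """Return the body served for the token, or None on any HTTP or network failure."""
    url = f"http://{host}:{port}{CHALLENGE_PREFIX}{token}"
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            if resp.status != 200:
                return None
            return resp.read().decode("ascii", "replace").strip()
    except (urllib.error.URLError, OSError):  # 404s arrive as HTTPError, a URLError subclass
        return None


def challenge_reachable(host, port, token, expected):
    """True only if exactly the expected key authorization comes back for the token."""
    return fetch_challenge(host, port, token) == expected


def serve_webroot(webroot):
    """Serve a directory on an ephemeral loopback port (stands in for the LE machine)."""
    handler = functools.partial(http.server.SimpleHTTPRequestHandler, directory=webroot)
    server = http.server.ThreadingHTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def demo():
    """Constructed scenario: write one challenge file into a temp webroot and check it."""
    webroot = tempfile.mkdtemp()
    challenge_dir = os.path.join(webroot, ".well-known", "acme-challenge")
    os.makedirs(challenge_dir)
    token = "example-token"  # constructed, not a real ACME token
    with open(os.path.join(challenge_dir, token), "w") as f:
        f.write("example-key-authorization\n")
    server = serve_webroot(webroot)
    port = server.server_address[1]
    ok = challenge_reachable("127.0.0.1", port, token, "example-key-authorization")
    missing = challenge_reachable("127.0.0.1", port, "no-such-token", "anything")
    server.shutdown()
    return ok, missing
```

Against a real deployment, point challenge_reachable at the public hostname and port 80 so the request travels the same path the validation server will take.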

I’m not sure if there is a better way to do this, but it works for me, and I’m happy with it.

The only downside is that the certificates are only valid for 90 days, after which you have to renew them. I believe this is one of the reasons it is recommended to have the client on every machine, as it makes the renewal process a lot less work.

That said, I don’t have such a large number of sites that managing it manually would be difficult, so I’m just going to stick with my way for now. 🙂