
Using SSL on a Digital Ocean Ubuntu droplet with Let’s Encrypt

Update: Since I wrote this post, the Let's Encrypt team has been hard at work, and the installation method described below might be outdated for your setup.

You might however find some useful info in this article, so please read along.


Let’s Encrypt recently came out of its closed beta and is available to the public. If you don't know what Let's Encrypt is, here is how they describe themselves:

Let’s Encrypt is a new Certificate Authority: It’s free, automated, and open.

Basically, they provide you with free SSL certificates.

Note: I'm not a systems engineer, and my knowledge of servers is limited. In this post I'll explain the steps I took to make my site available through https. There might be better ways to do this; if so, feel free to let me know in the comments.

To install Let's Encrypt on your Digital Ocean droplet, connect to it through ssh or use the online console access in your droplet's dashboard.

First, install git and clone the Let's Encrypt repository. You can choose where to clone it; I put it in my /opt directory.

apt-get install git
cd /opt  
git clone https://github.com/letsencrypt/letsencrypt  
cd letsencrypt  

In order to run the letsencrypt-auto command, we need to stop nginx, so that the standalone authenticator can listen on the web ports itself. Keep in mind that your website won't be available while nginx isn't running, so I advise doing this at night, or at any other time your website can be down for a few minutes. Once nginx is stopped, we're ready to run the letsencrypt-auto command.

sudo service nginx stop
./letsencrypt-auto certonly

This will ask you which domains and subdomains you want a certificate for, and generate the certificate in the /etc/letsencrypt/live/yourwebsite.com folder.

Once the certificate is created, head over to the /etc/nginx/sites-available/ folder. In this folder you'll find a default file. If you chose a predefined droplet, there might be another file here: for this website I chose to create a Ghost droplet, so the config that is actually used is in my ghost file.

Let's open this file with vi:

vi /etc/nginx/sites-available/default  

Now add the following code:

server {
    listen 443 ssl spdy;
    listen [::]:443 ssl spdy;

    server_name yourwebsite.com; # Replace with your domain

    root /usr/share/nginx/html;
    index index.html index.htm;

    client_max_body_size 10G;

    ssl on;
    ssl_certificate /etc/letsencrypt/live/yourwebsite.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/yourwebsite.com/privkey.pem;
    ssl_session_timeout 5m;
    # SSLv3 is broken (POODLE), so only TLS versions are offered
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    # One cipher list only; an "A or B" alternative is not valid cipher syntax
    ssl_ciphers "HIGH:!aNULL:!MD5:!3DES";
    ssl_prefer_server_ciphers on;

    location / {
        proxy_pass http://localhost:2368; # Ghost's default port; change it if your app listens elsewhere
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $http_host;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_buffering off;
    }
}

Make sure to replace yourwebsite.com with your domain.

The only thing left to do is to start nginx again.

sudo service nginx start

Once nginx has started again, you should be able to go to https://yourwebsite.com.

My blog with https

Bonus: if you want to redirect all HTTP requests to https, add the following return line at the bottom of the nginx server block for your http domain:

server {
    listen 80;
    server_name yourwebsite.com;

    ...

    # $request_uri already contains the query string, so nothing else is appended
    return 301 https://$host$request_uri;
}

Edit: Digital Ocean now has an article on how to set up Let's Encrypt on Apache. In it they describe how to set up a cron job which checks whether your certificate is still valid and renews it if it's not. I highly suggest you read that article and create such a cron job!

The script referenced in that article is made for an Apache environment; I've adapted it to run with nginx. You can find my edited version here.
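As an added example (not the author's adapted script, which is not reproduced here), a sh renewal check in the spirit of that cron job, written for the nginx setup above: it reads the certificate's notAfter date with openssl, computes the days remaining, and only when fewer than 30 remain stops nginx, runs letsencrypt-auto, and starts nginx again. The domain, the 30-day threshold, the /opt/letsencrypt path and the letsencrypt-auto flags are assumptions; the date arithmetic is done in plain sh so it does not depend on GNU date.

```shell
#!/bin/sh
# Added example (not the author's script): check certificate expiry and renew with
# letsencrypt-auto on an nginx host. DOMAIN, THRESHOLD_DAYS, paths and flags are assumptions.
DOMAIN="yourwebsite.com"
CERT="/etc/letsencrypt/live/$DOMAIN/fullchain.pem"
LETSENCRYPT="/opt/letsencrypt/letsencrypt-auto"
THRESHOLD_DAYS=30   # renew when fewer days than this remain

# Convert the "notAfter=Mon DD HH:MM:SS YYYY GMT" line printed by
# `openssl x509 -enddate -noout` into a Unix epoch in plain sh (no GNU date).
enddate_to_epoch() {
    set -- ${1#notAfter=}            # -> Mon DD HH:MM:SS YYYY GMT
    case $1 in
        Jan) m=1;; Feb) m=2;; Mar) m=3;;  Apr) m=4;;  May) m=5;;  Jun) m=6;;
        Jul) m=7;; Aug) m=8;; Sep) m=9;;  Oct) m=10;; Nov) m=11;; Dec) m=12;;
        *) echo "unexpected month: $1" >&2; return 1;;
    esac
    d=${2#0}; y=$4
    h=${3%%:*}; rest=${3#*:}; mi=${rest%%:*}; s=${rest#*:}
    h=${h#0}; mi=${mi#0}; s=${s#0}   # "08"/"09" would otherwise parse as octal
    # days-from-civil for the proleptic Gregorian calendar
    if [ "$m" -le 2 ]; then y=$((y - 1)); fi
    era=$((y / 400)); yoe=$((y - era * 400)); mp=$(( (m + 9) % 12 ))
    doy=$(( (153 * mp + 2) / 5 + d - 1 ))
    doe=$((yoe * 365 + yoe / 4 - yoe / 100 + doy))
    echo $(( (era * 146097 + doe - 719468) * 86400 + h * 3600 + mi * 60 + s ))
}

# Whole days from a reference epoch until notAfter (negative once expired).
days_left() {
    echo $(( ( $(enddate_to_epoch "$1") - $2 ) / 86400 ))
}

# Succeeds when renewal is due, i.e. fewer than THRESHOLD_DAYS remain.
renewal_due() { [ "$1" -lt "$THRESHOLD_DAYS" ]; }

# Standalone authentication needs the web ports, so nginx is stopped while
# letsencrypt-auto runs; the trap starts it again even if renewal fails.
renew() {
    trap 'service nginx start' EXIT
    service nginx stop
    "$LETSENCRYPT" certonly --standalone --non-interactive --agree-tos \
        --renew-by-default -d "$DOMAIN"
}

if [ -f "$CERT" ]; then   # only act when run on the server with a certificate
    left=$(days_left "$(openssl x509 -enddate -noout -in "$CERT")" "$(date -u +%s)")
    if renewal_due "$left"; then echo "$DOMAIN: $left days left, renewing"; renew
    else echo "$DOMAIN: $left days left, nothing to do"; fi
fi
```

Run it from root's crontab once a day; the nginx outage only happens on the days a renewal is actually due.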

Sam Bellen

Frontend developer at madewithlove - Co-organizer at Fronteers Belgium - Conference speaker - Cat lover