I set it up using Let’s Encrypt, a new certificate authority that’s been generating a lot of buzz lately.
And for good reason: SSL certificates typically cost money and have a lot of manual, tedious installation steps.
Let’s Encrypt certificates are not only free, but many of those aforementioned tedious installation steps are automated.
The old and busted CA way of doing things
Let’s look back to my post on setting Discourse up on HTTPS.
Here’s what I had to do:
- SSH into server
- Generate a CSR and private key
- Copy CSR to clipboard
- Buy a certificate at a certificate authority
- Paste CSR in a box on the CA’s website
- Pick an email address to verify your domain ownership
- Wait for the email to arrive
- Click a confirmation link in the email when it arrives
- Wait a few more minutes for the CA to send you all the certificate files
- Bundle the certificate files
- Save the bundle on your server
- Reference the bundle and restart your web server for everything to take effect
Let’s Encrypt is a breath of fresh air in comparison.
The new hotness CA way of doing things
- Make sure your domain is pointing to the same server (it should be anyway).
- Install the Let’s Encrypt client on your server (aka clone a GitHub repository).
- Run the client, answer a few questions like what domain you want a certificate for.
- Adjust your Nginx server block to reference your free, instantly generated SSL certificate. Restart Nginx.
And voila, that’s it. No more messing around with confusing certificate files and waiting around for emails to come through. Everything is pretty much instantaneous.
But StartSSL was already free!
You’ll notice I mentioned this in my Discourse over SSL post, but I still used a paid alternative. This is because StartSSL’s “free” certificates aren’t free when you need to re-issue them. They’re a commercial entity, and need to make money somehow.
This isn’t just about price. Let’s Encrypt is a non-profit organization whose sole purpose is making the internet a more secure place.
Not to mention, you still have to go through the “old and busted” process as outlined above if using StartSSL. It’s not exactly the most user-friendly process in the world.
How you can use a Let’s Encrypt certificate
First, you’re going to either need to manage your own private server (virtual or otherwise) or have the cooperation of a web host who does.
Considering many web hosts like to “upsell” installing SSL certificates for their customers, and many web hosts are overpriced certificate authorities themselves (*cough* GoDaddy *cough*), I wouldn’t hold your breath on the latter option.
I use an Ubuntu 14.04 VPS running Nginx, provided by Digital Ocean. They provide an excellent tutorial for exactly that.
Remember to set up an auto-renew process, as Let’s Encrypt certificates are only valid for three months at a time.
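As an added example (not from the original post), here is what the "adjust your Nginx server block" step looks like once the client has issued a certificate, written so that the auto-renew step above needs nothing more than a reload. The domain, document root and the exact client command are placeholders; the certificate paths under /etc/letsencrypt/live/ are where the Let's Encrypt client puts its output.

```nginx
# Plain HTTP: send every visitor to the HTTPS site instead of serving content.
server {
    listen 80;
    server_name example.com;   # placeholder domain
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name example.com;   # placeholder domain

    # The client keeps symlinks under live/<domain>/ that always point at the
    # newest certificate, so a renewal only needs an Nginx reload, not a config edit.
    # fullchain.pem = your certificate plus the Let's Encrypt intermediate, so
    # browsers can build the chain; privkey.pem = the private key (root-readable only).
    ssl_certificate     /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

    # TLS only: SSLv3 and earlier are broken and should not be offered.
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;

    root  /var/www/example.com;   # placeholder document root
    index index.html;
}
```

Pair this with a scheduled job (cron, for instance) that runs the client's renewal well inside the three-month validity window and then runs `nginx -s reload` so the renewed files are picked up.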