Let’s Encrypt with nginx (and digitalocean)

If you want to enable secure communication with your website, one possible way is to use SSL certificates, and letsencrypt.org offers them for free.
So what are the steps to obtain a certificate from Let's Encrypt and use it on your server running nginx?

The first step is to get the Let's Encrypt client. For this you need to clone the official repo from GitHub using git (see the official manual; for installing git, see the Getting Started with Installing Git guide).

git clone https://github.com/letsencrypt/letsencrypt
cd letsencrypt 

After successfully cloning the repo you can request an SSL certificate with the official Let's Encrypt client. I use the certonly method, since I use a custom nginx setup (if you use a standard setup, there is a --nginx flag available).

./letsencrypt-auto certonly --standalone --email [YOUR_EMAIL] -d [YOUR_DOMAIN] -d [YOUR_DOMAIN_WITH_WWW]

So for example

./letsencrypt-auto certonly --standalone --email [YOUR_EMAIL] -d hirschmann.io -d www.hirschmann.io

After agreeing to the ToS and finishing the process, your certificates will be put into /etc/letsencrypt:

~ tree /etc/letsencrypt/
|-- archive
|   `-- hirschmann.io
|       |-- cert1.pem
|       |-- chain1.pem
|       |-- fullchain1.pem
|       `-- privkey1.pem
|-- csr
|   `-- 0000_csr-letsencrypt.pem
|-- keys
|   `-- 0000_key-letsencrypt.pem
|-- live
|   `-- hirschmann.io
|       |-- cert.pem -> ../../archive/hirschmann.io/cert1.pem
|       |-- chain.pem -> ../../archive/hirschmann.io/chain1.pem
|       |-- fullchain.pem -> ../../archive/hirschmann.io/fullchain1.pem
|       `-- privkey.pem -> ../../archive/hirschmann.io/privkey1.pem

To configure nginx to use these certificates you need to modify your nginx config. Normally the config you are looking for is located in /etc/nginx/sites-enabled.

The easiest way to create a valid and secure configuration is to use the Mozilla SSL Configuration Generator. Simply select nginx as your web server, your OpenSSL version (check with openssl version) and your nginx version (check with nginx -v).
Then adjust your certificate paths (replace hirschmann.io with your domain):

ssl_certificate /etc/letsencrypt/live/hirschmann.io/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/hirschmann.io/privkey.pem;
ssl_trusted_certificate /etc/letsencrypt/live/hirschmann.io/chain.pem;

If something is wrong you can always check whether your config is valid with nginx -t -c /etc/nginx/nginx.conf. When the config setup is finished, restart nginx with service nginx restart.
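The checks from this step rolled into one helper, as an added example that is not part of the original post: it verifies that privkey.pem really belongs to fullchain.pem before nginx loads the pair, runs the config test, reloads instead of restarting, and re-runs the certonly --standalone command from above when the certificate is close to expiry. It assumes the cloned repo lives in LE_DIR, that nginx is controlled with the service command as in the post, and that nginx must be stopped while the standalone client runs (it starts its own temporary web server).

```sh
#!/bin/sh
# Added example, not from the original post. Assumptions: the letsencrypt repo
# cloned above lives in LE_DIR, nginx is controlled with "service" as in the
# post, and --standalone runs its own temporary web server, so nginx is stopped
# only while the client is running.
LE_DIR="${LE_DIR:-$HOME/letsencrypt}"   # assumption: where the repo was cloned
RENEW_DAYS="${RENEW_DAYS:-30}"          # renew once fewer days than this remain

# Returns 0 when the certificate expires within $2 days, i.e. renewal is due.
needs_renewal() {
    cert="$1"; days="$2"
    # -checkend succeeds only if the cert is still valid after that many seconds
    if openssl x509 -noout -in "$cert" -checkend $((days * 86400)) >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# Returns 0 when the certificate's public key matches the private key, which
# catches a wrong ssl_certificate/ssl_certificate_key pair before nginx loads it.
key_matches_cert() {
    openssl x509 -noout -in "$1" >/dev/null 2>&1 || return 1   # unreadable cert
    cert_pub=$(openssl x509 -noout -pubkey -in "$1" | openssl dgst -sha256)
    key_pub=$(openssl pkey -pubout -in "$2" 2>/dev/null | openssl dgst -sha256)
    [ "$cert_pub" = "$key_pub" ]
}

main() {
    domain="$1"; email="$2"
    live="/etc/letsencrypt/live/$domain"
    if needs_renewal "$live/cert.pem" "$RENEW_DAYS"; then
        service nginx stop
        "$LE_DIR/letsencrypt-auto" certonly --standalone --email "$email" \
            -d "$domain" -d "www.$domain"
        status=$?
        service nginx start   # bring the site back even if renewal failed
        [ "$status" -eq 0 ] || { echo "renewal failed" >&2; exit 1; }
    fi
    key_matches_cert "$live/fullchain.pem" "$live/privkey.pem" ||
        { echo "privkey.pem does not match fullchain.pem" >&2; exit 1; }
    # Test the config first; reload keeps existing connections open.
    nginx -t -c /etc/nginx/nginx.conf && service nginx reload
}

# Usage: ./renew.sh hirschmann.io you@example.com (does nothing without arguments)
case "$#" in 0|1) ;; *) main "$@" ;; esac
```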

Congratulations! You should now have a website with an SSL certificate from Let's Encrypt!
One final step is to check your SSL configuration with SSL Labs.

A future step would be to automate the certificate renewal process, since the certificates from Let's Encrypt are not valid indefinitely. Here are some interesting articles for further reading on this topic: