Configuring Let's Encrypt and Nginx on EC2
Let’s Encrypt is a new Certificate Authority that offers free TLS/SSL certificates. Now that it’s entered its public beta stage, I decided to experiment with installing and manually configuring a Let’s Encrypt certificate on a EC2 instance running Ubuntu 14.04, Ruby on Rails, and Nginx.
To get started, download the Let’s Encrypt client and run the built-in installer.
Update your Nginx configuration (probably
/etc/nginx/sites-available/default) to allow web access to all files in the
.well-known/ directory of your web root. This endpoint will be accessed by Let’s Encrypt to ensure that you actually have control over your domain.
After updating your Nginx configuration, restart your server.
Add the following to
/etc/letsencrypt/cli.ini. The webroot plugin will automatically generate the files necessary for the ACME protocol. Remember to use the correct web root directory (if you’re using Capistrano, this will probably be
/home/deploy/yourapp/current/public) and domain names.
We can now begin the certificate authorization process.
Update your Nginx configuration to take advantage of your newly-issued certificate.
After restarting your web server, your site should now be accessible via HTTPS.
Let’s Encrypt certificates expire after 90 days to ensure security and to encourage automation. We can automate the certificate renewal process by creating a simple monthly cronjob in
Test your renewal script. If you see a success message, you’re set!