Installing a free Let’s Encrypt SSL certificate on Server Pilot

I recently needed to create a live WooCommerce site for testing the API. But I needed SSL. And up until now, a proper SSL certificate cost money. Money I didn’t want to spend for a test site. But Let’s Encrypt recently entered public beta. And you know what’s cool about Let’s Encrypt? It’s a new certificate authority that is completely free – for anybody.

I couldn’t get the automated setup to run on my Server Pilot-powered Digital Ocean droplet (get $25 free credit with that link and I get $10 – win/win), so I had to do it manually. The good news is that it’s actually pretty easy. I’ll take you through it.

 

Start by SSHing into your server. You may need to first ssh with the serverpilot user and then update the password for the root user, as at least in my case I needed to use root to create the certificate. So if you have any permission issues, try the root user.

Let’s say your server’s IP is 128.199.1.1.

ssh serverpilot@128.199.1.1

You then need to download Let’s Encrypt (instructions here updated in September 2016 based on this comment).

wget https://dl.eff.org/certbot-auto
chmod a+x certbot-auto

If you’re using the serverpilot user, Let’s Encrypt will now be in the serverpilot user’s directory – /srv/users/serverpilot/.

You now need to stop nginx running.

sudo service nginx-sp stop

Time to create your free certificate!

./certbot-auto certonly

It’ll update itself and then ask you for the domain name(s).

 

You could enter multiple domains, like if you wanted www and non-www certificates for your site, you’d enter: mysite.com, www.mysite.com.

It may also ask you some other info.

A moment later and you’ll be the proud owner of some new SSL certificates! Time to start nginx again:

sudo service nginx-sp start

You now need to modify your nginx configuration to use these certificates. First go to the folder that contains the nginx vhost configuration files.

cd /etc/nginx-sp/vhosts.d/

You then need to create a new file for it. If your app name is mysite for example, and when running ls in that folder you see a file called mysite.conf, you’ll want to type the following:

nano mysite.ssl.conf

Add the following to that file, changing mysite to your app name.

Save it, with ctrl + o and then exit with ctrl + x.

Restart nginx:

sudo service nginx-sp restart

And you’re done! Congratulations. You just beat the system. Sort of.

The one negative is that the SSL certificates expire every 3 months. I believe you’ll just need to follow the first couple steps and create a new SSL certificate with Let’s Encrypt. That should be all though, and I’m sure there will be auto-installation soon so it’s completely automated. You could also write a script and cron job to automate renewal. If you do, please let me know and I’ll share it here.

Renewing

Updated 21/03/2016 – Well, the original certificates that inspired this post were about to expire, and Let’s Encrypt kept emailing me to warn me, so I thought I better figure out how to renew them. Good news. It’s pretty easy and will take you just a moment.

Start by SSHing into your server. Go to where we installed Let’s Encrypt before, most likely by doing the following:

cd /srv/users/serverpilot/

You now need to stop nginx running.

sudo service nginx-sp stop

Then run through the certificate creation again. This will open up the Let’s Encrypt setup – just enter your domains like you did before.

./certbot-auto certonly

Once that’s done, your certificates are valid for another 3 months.

But wait! You need to restart nginx or nothing will work.

sudo service nginx-sp start

I still haven’t bothered to try writing a script to auto renew it. There should be some floating around by now, so if you’re desperate / have a lot of certificates, search around and you should find something.
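
The renewal steps above can be scripted; the following is an added example, not code from the original post. It uses certbot's non-interactive renew subcommand instead of the interactive certonly run, only stops nginx when the certificate is within 30 days of expiry, and always starts nginx again even if certbot fails. The certbot-auto location, the mysite.com certificate path (certbot's default /etc/letsencrypt/live/ layout) and the --run switch are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): unattended renewal for the
# manual setup described above. Assumptions: run as root, certbot-auto was
# downloaded to /srv/users/serverpilot/, and the certificate for mysite.com
# sits in certbot's default /etc/letsencrypt/live/ layout.
CERTBOT="${CERTBOT:-/srv/users/serverpilot/certbot-auto}"
CERT="${CERT:-/etc/letsencrypt/live/mysite.com/cert.pem}"
RENEW_WINDOW_DAYS="${RENEW_WINDOW_DAYS:-30}"

# Succeeds (0) when the certificate in $1 expires within $2 days.
# A missing or unreadable file also counts as "due", so renewal is attempted.
cert_expires_within() {
    # openssl -checkend exits 0 only if the cert is still valid N seconds from now
    ! openssl x509 -checkend "$(( $2 * 86400 ))" -noout -in "$1" >/dev/null 2>&1
}

# Returns 0 when nothing is due or renewal succeeded, non-zero otherwise.
renew_certs() {
    if ! cert_expires_within "$CERT" "$RENEW_WINDOW_DAYS"; then
        return 0    # not due yet: leave nginx running, no downtime
    fi
    # Same order as the manual steps: stop nginx, renew, start nginx.
    service nginx-sp stop || return 1
    # Capture certbot's status instead of aborting, so nginx is restarted
    # even when renewal fails (this also holds under "set -e").
    "$CERTBOT" renew --quiet && status=0 || status=$?
    service nginx-sp start || return 2
    return "$status"
}

# Only act when called with --run, e.g. from root's crontab.
if [ "${1:-}" = "--run" ]; then
    renew_certs
    exit $?
fi
```

A non-zero exit means certbot or nginx failed, so have cron mail the output or alert on the exit status rather than discarding it.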