Encrypting your services with Let's Encrypt

What's Let's Encrypt?

It's a certificate authority you can get SSL certificates from automatically, for free.

Alright, how do I use it for my forum?

For this example I'll be assuming some kind of PHP forum behind nginx, since that's what I'd expect is common.

Install the Let's Encrypt client

Like it says in the README at https://github.com/letsencrypt/letsencrypt:

user@webserver:~$ git clone https://github.com/letsencrypt/letsencrypt  
user@webserver:~$ cd letsencrypt  
user@webserver:~/letsencrypt$ ./letsencrypt-auto --help  

Set up nginx to do SSL

Put some sensible SSL defaults in /etc/nginx/conf.d/ssl.conf from https://cipherli.st/

ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";  
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;  
ssl_prefer_server_ciphers on;  
ssl_session_cache shared:SSL:10m;  
add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";  
add_header X-Frame-Options DENY;  
add_header X-Content-Type-Options nosniff;  
ssl_session_tickets off; # Requires nginx >= 1.5.9  
ssl_stapling on; # Requires nginx >= 1.3.7  
ssl_stapling_verify on; # Requires nginx >= 1.3.7  
resolver $DNS-IP-1 $DNS-IP-2 valid=300s; # replace with real DNS server IPs, stapling needs them to fetch OCSP responses  
resolver_timeout 5s;  

Add some custom Diffie-Hellman parameters because we're cool

root@box:/etc/nginx# openssl dhparam -out dhparams.pem 2048  
Generating DH parameters, 2048 bit long safe prime, generator 2  
This is going to take a long time  
...................... etc.

Then point ssl.conf at the file:

ssl_dhparam /etc/nginx/dhparams.pem;  

Set up nginx to serve our challenge files

server {  
        listen [::]:80;
        listen      80;

        server_name forums.myalliance.site;

        root   /var/www/forum;
        index index.html index.htm index.php;

        # Always serve let's encrypt files from this folder
        # (this must be the same directory you pass to -w below)
        location /.well-known {
                root   /var/www/forum;
        }

        # keep your old forum setup here for the php and junk
}

Reload nginx and get our SSL certificates

root@box:~# nginx -s reload  
root@box:~# cd letsencrypt/  
root@box:~/letsencrypt# ./letsencrypt-auto certonly --email admin@myalliance.site --webroot -w /var/www/forum/ -d forums.myalliance.site  

With any luck that worked and we now have this:

root@box:~# ls /etc/letsencrypt/live/forums.myalliance.site/  
cert.pem  chain.pem  fullchain.pem  privkey.pem  

Add in the SSL configuration

server {  
        listen [::]:443 ssl;
        listen      443 ssl;

        server_name forums.myalliance.site;

        # "listen ... ssl" already enables TLS; the old "ssl on;" directive is deprecated
        # Paths must match the name the certificate was issued for above
        ssl_certificate /etc/letsencrypt/live/forums.myalliance.site/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/forums.myalliance.site/privkey.pem;

        # Keep logs outside the webroot, otherwise anyone can download them
        access_log /var/log/nginx/forum.access.log;
        error_log /var/log/nginx/forum.error.log;

        root   /var/www/forum;
        index index.html index.htm index.php;

        # insert php settings here for your forum
        location ~ \.php$ {
                # stuff
        }

}

Make HTTP redirect to HTTPS unless we're serving challenges

server {  
        # This replaces the plain port-80 server block from earlier
        listen [::]:80;
        listen      80;

        server_name forums.myalliance.site;

        root   /var/www/forum;

        # Always serve let's encrypt files from this folder
        location /.well-known {
                root   /var/www/forum;
        }

        # Otherwise redirect to https
        location / {
                rewrite     ^(.*)   https://forums.myalliance.site$1 permanent;
        }
}
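As an added check (example code, not part of the original post), here is a small Python audit that tokenizes flat nginx fragments like the ones above and flags the slips that bite setups like this one: legacy TLS versions, the resolver placeholder left in, DHE ciphers without ssl_dhparam, the deprecated ssl on, and log files placed under the webroot. The sample config it runs on is constructed from this page's snippets; the finding codes are my own names.

```python
import re
# Constructed sample (not a real deployment) built from the snippets on this page:
SAMPLE_CONF = '''
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_session_tickets off; # Requires nginx >= 1.5.9
resolver $DNS-IP-1 $DNS-IP-2 valid=300s;
server {
        ssl on;
        root   /var/www/forum;
        access_log /var/www/forum/access.log;
}
'''
# Tokens: double-quoted argument, comment, bare argument, or one of ; { }
TOKEN = re.compile(r'"([^"]*)"|#[^\n]*|([^\s;{}"#]+)|([;{}])')

def parse(text):
    """Flatten an nginx config into (name, args) tuples; block scope is ignored."""
    directives, cur = [], []
    for quoted, bare, punct in TOKEN.findall(text):
        if punct:                 # ";" ends a directive, "{" / "}" end a block header
            if punct == ";" and cur:
                directives.append((cur[0], cur[1:]))
            cur = []
        elif quoted or bare:      # the comment alternative yields three empty groups
            cur.append(quoted or bare)
    return directives

def audit(text):
    """Return [(code, advice)] for the weak or broken settings found in text."""
    by_name = {}
    for name, args in parse(text):
        by_name.setdefault(name, []).append(args)
    found = []
    legacy = [p for args in by_name.get("ssl_protocols", []) for p in args if p in ("SSLv2", "SSLv3", "TLSv1", "TLSv1.1")]
    if legacy:
        found.append(("legacy-protocol", "drop " + " ".join(legacy)))
    if any(a.startswith("$DNS-IP") for args in by_name.get("resolver", []) for a in args):
        found.append(("resolver-placeholder", "set real DNS IPs or OCSP stapling cannot fetch responses"))
    ciphers = re.split(r"[:+]", ":".join(a for args in by_name.get("ssl_ciphers", []) for a in args))
    if any(c in ("EDH", "DHE", "kEDH", "kDHE") for c in ciphers) and "ssl_dhparam" not in by_name:
        found.append(("no-dhparam", "DHE ciphers listed but ssl_dhparam is missing"))
    if "ssl" in by_name:
        found.append(("ssl-on-deprecated", "'ssl on' is deprecated; 'listen 443 ssl' is enough"))
    roots = [args[0].rstrip("/") + "/" for args in by_name.get("root", []) if args]
    for log in ("access_log", "error_log"):
        for args in by_name.get(log, []):
            if args and any(args[0].startswith(r) for r in roots):
                found.append(("log-in-webroot", f"{log} {args[0]} is downloadable by clients"))
    return found
```

Running `audit(SAMPLE_CONF)` reports all five findings; after the fixes described above it returns an empty list.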