DAVID ZHANG
Enable HTTPS with Let's Encrypt

crispgm.com has enabled HTTPS as its default protocol, with the power of Let’s Encrypt.

Why HTTPS?

When properly configured, an HTTPS connection guarantees three things:

  • Confidentiality. The visitor’s connection is encrypted, obscuring URLs, cookies, and other sensitive metadata.

  • Authenticity. The visitor is talking to the “real” website, and not to an impersonator or through a “man-in-the-middle”.

  • Integrity. The data sent between the visitor and the website has not been tampered with or modified.

A plain HTTP connection can be easily monitored, modified, and impersonated.

Quoted from https://https.cio.gov/faq/#what-information-does-https-protect?

About Let’s Encrypt

Let’s Encrypt is a free, automated, and open certificate authority (CA), run for the public’s benefit. Let’s Encrypt is a service provided by the Internet Security Research Group (ISRG).

Contribute to letsencrypt on GitHub.

About ACME

ACME Protocol

https://github.com/ietf-wg-acme/acme
https://github.com/letsencrypt/acme-spec

Boulder

Boulder is an ACME-based CA, written in Go.

https://github.com/letsencrypt/boulder

Practice

Documentation

https://letsencrypt.readthedocs.org/

Get Certificate

As letsencrypt-nginx is not fully developed, I chose certonly to generate the SSL certificate and configured nginx manually.

./letsencrypt-auto certonly --webroot -w /path/to/webroot --email admin@example.com -d example.com

Nginx Configuration

Configure nginx.conf

ssl_certificate      /etc/letsencrypt/live/crispgm.com/fullchain.pem;
ssl_certificate_key  /etc/letsencrypt/live/crispgm.com/privkey.pem;

ssl_session_timeout  1440m;

All other settings are left at their defaults.

Certificate Renewal

The Let’s Encrypt CA issues short-lived certificates (90 days). Make sure you renew the certificates at least once every 3 months.
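To keep the 90-day renewal from being forgotten, here is an added example (not from the original post) that checks the certificate on disk and re-runs the certonly command from above once it is within a renewal window. It assumes openssl is installed, the /etc/letsencrypt/live/<domain>/ layout used in the nginx section, and that nginx is reloaded afterwards to pick up the new files; the function names are my own.

```shell
#!/bin/sh
# Added example: decide whether a Let's Encrypt certificate is due for
# renewal and, if so, re-run the certonly/webroot command from the post.
# Assumes: openssl on PATH, certs under /etc/letsencrypt/live/<domain>/,
# ./letsencrypt-auto in the current directory (as in the post).

# renewal_due CERT_FILE DAYS
#   returns 0 if CERT_FILE expires within DAYS days (or cannot be read),
#   returns 1 if it stays valid beyond that window.
renewal_due() {
    cert="$1"
    days="$2"
    [ -r "$cert" ] || return 0              # no cert yet: treat as due
    secs=$((days * 86400))
    # `openssl x509 -checkend N` exits 0 while the cert remains valid for
    # N more seconds and 1 once it would expire within them; invert that.
    if openssl x509 -checkend "$secs" -noout -in "$cert" >/dev/null 2>&1; then
        return 1
    else
        return 0
    fi
}

# renew_if_due DOMAIN WEBROOT EMAIL [DAYS]
#   renews when the cert is within DAYS (default 30) days of expiry, which
#   leaves a comfortable margin inside the 90-day lifetime.
renew_if_due() {
    domain="$1"; webroot="$2"; email="$3"; window="${4:-30}"
    cert="/etc/letsencrypt/live/$domain/fullchain.pem"
    if renewal_due "$cert" "$window"; then
        echo "renewing $domain (expires within $window days)"
        ./letsencrypt-auto certonly --webroot -w "$webroot" \
            --email "$email" -d "$domain" \
        && nginx -s reload      # load the new fullchain.pem / privkey.pem
    else
        echo "$domain: valid for more than $window days, nothing to do"
    fi
}

# Only act when given arguments, e.g. from a daily cron entry:
#   renew.sh crispgm.com /path/to/webroot admin@example.com
if [ $# -ge 3 ]; then
    renew_if_due "$@"
fi
```

Run it daily from cron; it is a no-op until the certificate enters the window, so there is no harm in checking often.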

Performance

Actually, crispgm.com is a fully static site, so there is almost no difference in performance. :D

In The End

Safe journey on crispgm.com :)