Set up Let's Encrypt certificates with Nginx and tighten your security
Let's Encrypt is now a public beta, so you can go ahead and give it a try. This story is a historical record for personal use, so I don't have to do research from scratch when I set it up on another machine.
Support for Nginx automation is currently experimental, so it needs to be done by hand and the process is not as straightforward as it is for Apache, for example.
git clone https://github.com/letsencrypt/letsencrypt
cd letsencrypt/
Stop nginx first, so that letsencrypt can bind port 80 itself and complete the ACME challenge to obtain a certificate.
Go through the basic steps of the ACME wizard:
/etc/init.d/nginx stop
./letsencrypt-auto certonly -d mysite.com
At this point, the certificates are written to /etc/letsencrypt/live/mysite.com (the last directory component matches the domain name, of course). That directory holds cert.pem, chain.pem, fullchain.pem and privkey.pem; nginx needs fullchain.pem and privkey.pem.
Edit your nginx config to make it use the new certificate and key. The example below only lists the sections relevant to security; you'll have to integrate them into your own configuration, so a rudimentary understanding of nginx.conf syntax is assumed.
server {
    # the ssl parameter on listen replaces the obsolete "ssl on;" directive
    listen 443 ssl;
    server_name mysite.com;

    ssl_certificate /etc/letsencrypt/live/mysite.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/mysite.com/privkey.pem;

    # Tighten your security levels
    # TLS 1.0 and 1.1 are deprecated (RFC 8996) and offering them caps the SSL Labs grade;
    # TLSv1.3 needs nginx 1.13.0+ built against OpenSSL 1.1.1+
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_session_cache shared:SSL:10m;
    ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
    ssl_prefer_server_ciphers on;
    # uncomment once you have generated your own parameters (see below)
    #ssl_dhparam /etc/letsencrypt/dhparams.pem;
}
server {
    listen 80;
    server_name mysite.com;
    # always redirect HTTP to HTTPS
    return 301 https://$host$request_uri;
}
The settings are in place. Check the configuration with nginx -t, then start the server with /etc/init.d/nginx start.
Go to your site and have a look at the result: http://mysite.com should now redirect you to the https version automatically.
Then have a look at it from the outside, by running the SSL Labs server test.
To take it up a notch, generate your own Diffie-Hellman parameters with OpenSSL. This matters because the EDH cipher suites above depend on them: nginx before 1.11.0 silently falls back to built-in 1024-bit parameters when ssl_dhparam is not set (the weak Diffie-Hellman problem in the references below), and from 1.11.0 on it simply never negotiates DHE suites without them. Generating 2048-bit parameters might take around 5 minutes, be prepared to wait.
openssl dhparam -out /etc/letsencrypt/dhparams.pem 2048
When it is done, uncomment the Diffie-Hellman parameters line in the nginx configuration so that it reads
ssl_dhparam /etc/letsencrypt/dhparams.pem;
and restart nginx again.
As a result, you should get an A at the SSL Labs test. Nice job, and it cost you nothing!
Beware: Let's Encrypt certificates are valid for only 90 days, so you will have to renew before then and restart nginx to pick up the new files.
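The whole cycle from above (stop nginx, run certonly, check the configuration, start nginx) wrapped into a renewal script that only fires inside the last 30 days of the 90-day lifetime and refuses to bring nginx back up on a broken certificate/key pair. This is an added example, not code from the original post or from the Let's Encrypt project; the checkout location /opt/letsencrypt and the 30-day window are assumptions, and it relies on the /etc/init.d/nginx scripts used in the post and on the client's --standalone authenticator.

```shell
#!/bin/sh
# Renewal helper for the manual procedure described in this post.
# Added example, not part of the original post or the Let's Encrypt client.
# Assumptions: the git clone lives in $LE_DIR (assumed /opt/letsencrypt),
# nginx is controlled through /etc/init.d/nginx as above, and the
# certificate files are where letsencrypt-auto wrote them.
set -eu

LE_DIR="${LE_DIR:-/opt/letsencrypt}"        # assumed location of the checkout
DOMAIN="${DOMAIN:-mysite.com}"
LIVE="/etc/letsencrypt/live/$DOMAIN"
RENEW_WINDOW_DAYS=30                        # assumed: renew inside the last 30 of the 90 days

# cert_expires_within CERT_FILE DAYS
# True (exit 0) when the certificate expires within DAYS days, is already
# expired, or cannot be read at all. openssl's -checkend exits 0 while the
# certificate is still valid past the given number of seconds, so the sense
# is inverted here to read naturally in the caller.
cert_expires_within() {
    _cert="$1"
    _secs=$(( $2 * 86400 ))
    if openssl x509 -noout -checkend "$_secs" -in "$_cert" >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# cert_matches_key CERT_FILE KEY_FILE
# True when the certificate's public key is the one derived from KEY_FILE.
# A quick diagnosis independent of nginx: a cert/key mismatch would otherwise
# only surface when nginx refuses to start, after the site is already down.
cert_matches_key() {
    _from_cert=$(openssl x509 -noout -pubkey -in "$1")
    _from_key=$(openssl pkey -pubout -in "$2")
    [ -n "$_from_cert" ] && [ "$_from_cert" = "$_from_key" ]
}

# The post's procedure (stop nginx, certonly, start nginx), guarded so it only
# runs when renewal is actually due and never restarts nginx on a bad config.
renew_if_needed() {
    if ! cert_expires_within "$LIVE/cert.pem" "$RENEW_WINDOW_DAYS"; then
        echo "$DOMAIN: more than $RENEW_WINDOW_DAYS days left, nothing to do"
        return 0
    fi
    /etc/init.d/nginx stop
    # --standalone binds port 80 itself, which is why nginx has to be down.
    "$LE_DIR/letsencrypt-auto" certonly --standalone -d "$DOMAIN" \
        || echo "$DOMAIN: renewal failed, keeping the old certificate" >&2
    if cert_matches_key "$LIVE/cert.pem" "$LIVE/privkey.pem" && nginx -t; then
        /etc/init.d/nginx start
    else
        echo "$DOMAIN: certificate/key mismatch or bad config, nginx left stopped" >&2
        return 1
    fi
}

# Run the cycle only when invoked as "renew.sh run", so the functions can be
# sourced (or tested) without touching nginx.
if [ "${1:-}" = "run" ]; then
    renew_if_needed
fi
```

Put `renew.sh run` in a daily cron job; on most days it exits after the expiry check without ever stopping nginx, and the 30-day window leaves plenty of retries if Let's Encrypt is unreachable on a given day.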
References:
- Let's Encrypt manual
- explanation of the weak Diffie-Hellman problem
- another perspective on the same issue
If you want to get a better picture on digital certificates and PKI in general, consider reviewing some of the video materials from my classes.