Let's Encrypt, nginx and Ruby on Rails

Published 16 November 2015 under software, website

Let's Encrypt are currently in closed beta but you can apply to get your domains whitelisted here. After receiving the confirmation email that the domains are whitelisted we can get started installing the SSL certificates!

Here are the steps we took to install the certificates and get an A+ rating from the Qualys SSL Server Test at https://www.ssllabs.com/ssltest/

First, let's install the Let's Encrypt client:

git clone https://github.com/letsencrypt/letsencrypt
cd letsencrypt
./letsencrypt-auto --agree-dev-preview --server https://acme-v01.api.letsencrypt.org/directory auth

This will ask you to enter your domain names and should then create certificates in /etc/letsencrypt/live/<domain name>

Update nginx configuration:

server {
  server_name afterthoughtsoftware.com;
  listen 443 ssl;
  ssl_certificate /etc/letsencrypt/live/afterthoughtsoftware.com/fullchain.pem;
  ssl_certificate_key /etc/letsencrypt/live/afterthoughtsoftware.com/privkey.pem;

  ...
}

Next, we generate a strong Diffie-Hellman group (more information here):

cd /etc/ssl/certs
openssl dhparam -out dhparam.pem 4096

Update nginx.conf with the following. Note that this cipher list won't work with IE6 (according to our Google Analytics we have no IE6 users).

http {
  ...
  ssl_prefer_server_ciphers on;
  ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
  ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
  ssl_dhparam /etc/ssl/certs/dhparam.pem;
  ssl_session_cache shared:SSL:32m;
  ssl_buffer_size 8k;
  ssl_session_timeout 15m;
}

Since we've got our SSL certificates we want people to use them, so let's redirect all http traffic to https by adding a new server block:

server {
  listen 80;
  server_name ~^(www\.)?afterthoughtsoftware\.co(\.uk|m)$;
  return 301 https://afterthoughtsoftware.com$request_uri;
}

Note that you will need to renew your certificates every 90 days but Let's Encrypt advise that you do it every 60 to make sure you have plenty of time for things to go wrong.

Ruby on Rails

Our website uses Ruby on Rails so there are a couple of modifications required to make sure we're properly set up for SSL.

In config/environments/production.rb change force_ssl to true:

config.force_ssl = true

If you're using Unicorn or Thin as your web server, nginx terminates TLS and talks to the app over plain HTTP, so Rails cannot tell the request was secure and force_ssl redirects to https again. To avoid that infinite redirect, add the following to your location / in your ssl server block so the original scheme is forwarded to the app:

server {
  ...

  location / {
    ...
    proxy_set_header X-Forwarded-Proto $scheme;
  }
}
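To make the redirect loop concrete, here is an added illustration (not code from the original post or from Rails): a simplified re-implementation of the scheme detection that Rack::Request performs, a stand-in for force_ssl, and a model of the two nginx server blocks above, with the browser following redirects with and without proxy_set_header X-Forwarded-Proto $scheme.

```ruby
require "uri"

# Simplified re-implementation of the scheme detection Rack::Request does
# (it does not use the rack gem): HTTPS env, then the proxy's
# X-Forwarded-Proto header, then the scheme of the socket the app accepted.
def request_scheme(env)
  return "https" if env["HTTPS"] == "on"
  forwarded = env["HTTP_X_FORWARDED_PROTO"]
  return forwarded.split(",").first.strip if forwarded && !forwarded.empty?
  env["rack.url_scheme"] || "http"
end

# What config.force_ssl = true does: redirect anything not seen as https.
# Returns nil when no redirect is needed, otherwise the Location target.
def force_ssl_redirect(env)
  return nil if request_scheme(env) == "https"
  "https://#{env["HTTP_HOST"]}#{env["PATH_INFO"]}"
end

# Model of the nginx config from the post. TLS is terminated in nginx and the
# upstream (Unicorn/Thin) is spoken to over plain http, so the app only learns
# the original scheme if forward_scheme (proxy_set_header X-Forwarded-Proto) is on.
def nginx_handle(url, forward_scheme:)
  uri = URI.parse(url)
  # port-80 block: unconditional 301 to https
  return [301, "https://afterthoughtsoftware.com#{uri.request_uri}"] if uri.scheme == "http"
  env = { "rack.url_scheme" => "http", "HTTP_HOST" => uri.host, "PATH_INFO" => uri.path }
  env["HTTP_X_FORWARDED_PROTO"] = uri.scheme if forward_scheme
  location = force_ssl_redirect(env)
  location ? [301, location] : [200, nil]
end

# Browser following redirects. Returns [final_status, redirects_followed];
# final_status is :loop if the chain never terminates.
def fetch(url, forward_scheme:, max_hops: 5)
  hops = 0
  loop do
    status, location = nginx_handle(url, forward_scheme: forward_scheme)
    return [status, hops] unless status == 301
    hops += 1
    return [:loop, hops] if hops > max_hops
    url = location
  end
end

if __FILE__ == $0
  p fetch("http://afterthoughtsoftware.com/about", forward_scheme: false) # [:loop, 6]
  p fetch("http://afterthoughtsoftware.com/about", forward_scheme: true)  # [200, 1]
end
```

Without the header the app never sees "https" and answers every proxied request with another 301; with it the first redirect (port 80 to 443) is the only one.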

And that's it! We're really looking forward to the full release of Let's Encrypt, it's how SSL should be!
