Letsencrypt is completely free, just like StartSSL, but it will only give out certificates that are valid for 90 days. Luckily you can renew your certificate just as easily as creating one.
Let’s talk about how to configure Nginx to get that precious A+ on SSL Labs.
Setting up Letsencrypt
First we need to install Letsencrypt. Well, not really, because there’s nothing to install. Letsencrypt is very portable.
Requesting a certificate
There are a few ways to request a certificate, because the domain has to be verified during the request process. Because I already have a web server running on port 80, I use the webroot method, which places a small file in your webroot.
This will request a certificate and put it in /etc/letsencrypt/live/domain.xyz.
Generating DH params
Before actually configuring Nginx we’ll need to set up our DH params:
Setting up Nginx
Put this in your nginx.conf or in a file that it includes.
I’ll assume you already have a vhost set up and we’re just going to add the SSL configuration.
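A TLS configuration along these lines fits the steps above; it is an added example, not the author's original configuration. The webroot path, the dhparam location and the cipher list are assumptions, and only /etc/letsencrypt/live/domain.xyz comes from this page.

```nginx
# Added example. Paths other than /etc/letsencrypt/live/domain.xyz are assumed.

# Plain HTTP: keep the webroot challenge path reachable, redirect the rest.
server {
    listen 80;
    server_name domain.xyz;

    # The webroot method writes its validation file under this path.
    location /.well-known/acme-challenge/ {
        root /var/www/domain.xyz;          # assumed webroot
    }

    location / {
        return 301 https://$host$request_uri;
    }
}

server {
    listen 443 ssl;
    server_name domain.xyz;
    root /var/www/domain.xyz;              # assumed webroot

    # fullchain.pem carries the leaf plus intermediate certificate, so
    # clients do not see an incomplete chain.
    ssl_certificate     /etc/letsencrypt/live/domain.xyz/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/domain.xyz/privkey.pem;

    # No SSLv3, TLS 1.0 or TLS 1.1. Drop TLSv1.3 from this line if your
    # nginx/OpenSSL build predates it, otherwise nginx refuses to start.
    ssl_protocols TLSv1.2 TLSv1.3;

    # Forward-secret AEAD suites only, server order wins.
    ssl_prefer_server_ciphers on;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;

    # DH group generated in the previous step, used by the DHE suites.
    ssl_dhparam /etc/nginx/dhparam.pem;    # assumed location

    # Session resumption via a shared cache, with session tickets off.
    ssl_session_cache   shared:SSL:10m;
    ssl_session_timeout 1d;
    ssl_session_tickets off;

    # HSTS with a long max-age is what lifts an A to an A+ on SSL Labs.
    # "always" also sends the header on error responses.
    add_header Strict-Transport-Security "max-age=31536000" always;
}
```

Run `nginx -t` before reloading so a wrong path or an unsupported protocol name is caught while the old configuration is still serving.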
To test your setup you can go to SSL Labs. You should be getting an A+.
Renewing a certificate
The letsencrypt-auto binary has a renew command which I use in a cron job. It will loop through all of your certificates and check if a renewal is pending.
I recommend you run this command every week to make sure all of your certificates renew in time.