Let’s Encrypt and NGINX

After a long wait, Let’s Encrypt is finally in a beta stage.

After receiving the email from them, here is the installation part of it:

Quick Start

To use Let’s Encrypt’s official client to obtain your real certificates, you will need to provide the production API URL on the command line:

https://acme-v01.api.letsencrypt.org/directory

When running the Python client (installation directions [1]), be sure to specify the --server argument with the production URL:

git clone https://github.com/letsencrypt/letsencrypt
cd letsencrypt
./letsencrypt-auto --agree-dev-preview --server \
https://acme-v01.api.letsencrypt.org/directory auth

If you are using a different ACME client, be sure to configure it to use the production URL in order to get valid certificates. Many clients will default to the staging URL.

Full text is available here: https://community.letsencrypt.org/t/beta-program-announcements/1631

And that is pretty much it. But let’s have a closer look at what I did. As instructed, I ran this command:
(screenshot: Lets1)

(screenshot: Lets2)

Perhaps an oversight on my part, but I could not see anything saying that the web server must be stopped:
(screenshot: Lets3)

so I stopped the service and tried again:

(screenshot: Lets4)

A quick look to check that the certificates are where they are supposed to be:

(screenshot: Lets5)

The last thing remaining is to update the Nginx config to point to the newly generated certs:

ssl_certificate   /etc/letsencrypt/live/it.awroblew.biz/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/it.awroblew.biz/privkey.pem;

then reload nginx:

service nginx reload

and job done.

However, I noticed that with the default config the certs were only 2048 bits. I prefer 4096, so some tiny manual config was required: under /etc/letsencrypt/ create a file called cli.ini

and type this in:

rsa-key-size = 4096

then stop nginx and run:

(screenshot: Lets1)

Since I had already generated my certs, I got this:

(screenshot: Lets6)

Hit replace, start nginx and voilà, job done:

(screenshot: cert_show)

So for me it is goodbye StartSSL and hello Let’s Encrypt!

For reference here is a link to Let’s Encrypt documentation website – https://letsencrypt.readthedocs.org/en/latest/using.html

StartSSL – NGINX SSL

To ensure that your website runs securely, it needs to have HTTPS enabled. This short tutorial lists the steps necessary to secure an NGINX server with a free Class 1 certificate from StartSSL.

Assumptions:

1. You have a server running NGINX
2. You have already set up a free account with StartSSL
3. You have validated your domain with StartSSL

Prep Work:

Download the StartSSL CA Certificate using wget:
wget https://www.startssl.com/certs/ca.pem

Download the StartSSL Intermediate CA Certificate using wget:
wget https://www.startssl.com/certs/sub.class1.server.ca.pem

Create a unified CA Certificate file:
cat sub.class1.server.ca.pem >> ca.pem


Private key and Website Certificate

Use the StartSSL™ Control Panel to create a private key and certificate and transfer them to your server.

My naming convention:
Private key: website.com.original.key
Certificate: website.com.crt

Then execute the following steps:

Decrypt the private key by using the password you entered when you created your key:
openssl rsa -in website.com.original.key -out website.com.key

Secure your key:
chmod 600 website.com.key

Create a single file containing your signed certificate and the StartSSL CA certificates for Nginx:

cat website.com.crt ca.pem > website.com.unified.crt

Configure your nginx server to use the new key and certificate (in the global settings or a server section):

ssl on;
ssl_certificate /etc/nginx/conf/website.com.unified.crt;
ssl_certificate_key /etc/nginx/conf/website.com.key;

Reload nginx config or restart the service.
And you’re done!
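As an added example (not code from either post above), here is a pre-reload check that covers the gotchas from both posts: the key must stay owner-only (the chmod 600 step), the key must belong to the certificate, the key must be the size you asked for (the 2048 vs 4096 surprise), the file handed to ssl_certificate should carry the intermediate (fullchain.pem or the unified .crt), and the certificate should not be about to expire. It assumes openssl is installed; the function names and the 14-day expiry margin are my own choices.

```shell
#!/bin/sh
# Sanity-check an nginx certificate/key pair before reloading. Works for the
# Let's Encrypt layout (fullchain.pem + privkey.pem) and the StartSSL layout
# (website.com.unified.crt + website.com.key). Requires the openssl CLI.

# Print the RSA key size of a private key file, in bits.
key_bits() {
    openssl rsa -in "$1" -noout -text 2>/dev/null \
        | sed -n 's/.*(\([0-9]*\) bit.*/\1/p' | head -n 1
}

# Number of PEM certificate blocks in a file; 1 means no intermediate is bundled.
chain_length() {
    grep -c 'BEGIN CERTIFICATE' "$1"
}

# check_pair CERT KEY [MIN_BITS]: exit status 0 when everything is in order.
check_pair() {
    cert=$1; key=$2; min_bits=${3:-2048}; rc=0
    # 1. Key readable by the owner only (group/other permission bits all '-').
    perms=$(ls -l "$key" | cut -c5-10)
    [ "$perms" = "------" ] || { echo "FAIL: $key is group/world accessible"; rc=1; }
    # 2. Key must match the certificate; a mismatch makes nginx refuse the config.
    cert_mod=$(openssl x509 -in "$cert" -noout -modulus 2>/dev/null)
    key_mod=$(openssl rsa -in "$key" -noout -modulus 2>/dev/null)
    [ -n "$cert_mod" ] && [ "$cert_mod" = "$key_mod" ] \
        || { echo "FAIL: key does not match certificate"; rc=1; }
    # 3. Key size: the client default was 2048 bits, cli.ini can raise it to 4096.
    bits=$(key_bits "$key")
    [ "${bits:-0}" -ge "$min_bits" ] \
        || { echo "FAIL: key is ${bits:-?} bits, want >= $min_bits"; rc=1; }
    # 4. The ssl_certificate file should bundle the intermediate CA certificate.
    [ "$(chain_length "$cert")" -ge 2 ] \
        || echo "WARN: $cert contains a single certificate (no intermediate)"
    # 5. Certificate must remain valid for at least 14 days (1209600 seconds).
    openssl x509 -in "$cert" -noout -checkend 1209600 >/dev/null 2>&1 \
        || { echo "FAIL: certificate expires within 14 days"; rc=1; }
    return $rc
}

# Reload nginx only if the pair checks out and the config parses.
reload_if_ok() {
    check_pair "$1" "$2" "$3" && nginx -t && service nginx reload
}
# Usage: reload_if_ok /etc/letsencrypt/live/it.awroblew.biz/fullchain.pem \
#                     /etc/letsencrypt/live/it.awroblew.biz/privkey.pem 4096
```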