Trollofix Blog

HTTPS with TLS and Letsencrypt

Feb 3, 2016

Introduction / Motivation

I finally made it. I started this blog. It's possible that this is the first and last "article" published here.

After struggling for some years, and feeling bad for not doing this, I made it. I finally deployed TLS on the vserver I'm using, and wanted to share how easy that was. I even reached an A+ rating on ssllabs.

But first things first. I wanted to use letsencrypt for my TLS certificates, as there is, at least at the moment, no comparable alternative.


If you want to offer encrypted connections to your website you can, in principle, go to any of the big certificate authorities (CAs) and exchange money for a signature on your certificate.

Or you could use cacert. This requires more effort but less money, as you need to find assurers (in your area) who verify your identity. After collecting enough points from your assurers, you can get your certificate signed.

Both options have some significant drawbacks.

The first is effort or money: it requires either time or money, and both resources are very limited for me. To put it in other words: I was not willing to spend a three-digit number of euros per year, or two weeks searching for assurers.

The second drawback is anonymity: both methods require you to prove your identity to strangers who are not required to prove theirs. I don't like that concept very much.

The third, and most significant, drawback of cacert is that its root certificate is not included in most browsers and operating systems by default, which means browsers will show a warning that might confuse inexperienced users.

Another alternative would have been startssl. They offer free certificate signatures for consumers, but they charge you for revocation. Which means: if your server gets compromised and the private key leaks, you have to pay them to invalidate your certificate. Meh.


For over a year, letsencrypt (run by the non-profit ISRG) made headlines, as they announced free certificates for everyone. And that's what they do! It's easy, fast, and more or less anonymous: I don't have to prove my identity to them, only that I control the domain (the certificates are domain-validated), and they don't have to prove theirs to me. Nice!

Materials and Methods

Get your Signed Certificate

First I installed the letsencrypt client on my server.

git clone /opt/letsencrypt

Secondly, I had to stop my nginx, because in standalone mode the client binds port 80 or 443 itself to answer the ACME challenge.

/etc/init.d/nginx stop

Then the letsencrypt tool is started. Follow the instructions displayed (it asks for the domain names and a contact e-mail address).

/opt/letsencrypt/letsencrypt-auto certonly --standalone

If successful, the tool puts the files in /etc/letsencrypt/live/<your domain>/: the private key (privkey.pem), the certificate (cert.pem), the intermediate chain (chain.pem), and the certificate followed by the chain in one file (fullchain.pem), which is the one nginx wants as ssl_certificate. Note that the certificate is valid for only 90 days, so this procedure has to be repeated before it expires. Don't forget to start nginx again afterwards.

Deploy TLS with nginx

I followed the instructions by raymii, plentz' github and ssllabs to achieve an A+ rating on ssllabs.

What I forgot in the first place, but made a difference in the rating, was HSTS:

You have to announce HSTS with a max-age of at least 180 days (15552000 seconds), otherwise ssllabs won't award the A+. Browsers only honour the header when it arrives over HTTPS, so it belongs in the TLS server block, not the plain-HTTP one.

Furthermore, I had to generate my own Diffie-Hellman parameters (the 1024-bit default group is rated as weak DH by ssllabs and caps the grade at B; 2048 bits would be enough for the rating, 4096 just takes considerably longer to generate):

cd /etc/ssl/certs && openssl dhparam -out dhparam.pem 4096

and put those in the nginx config (inside the server block that listens on 443):

ssl_dhparam /etc/ssl/certs/dhparam.pem;

Additional Improvements

I read up on whether I should use a www subdomain or not, on no-www and yes-www. The arguments on yes-www appeared more convincing to me, which is why I made this forward:

server {
    listen 80;
    # example.com stands in for the actual domain, which is not on the page
    server_name example.com www.example.com;
    return 301 https://www.example.com$request_uri;
}

And I did the same for the https no-www host, which is a bit nasty, because you have to write all that ssl config twice (the redirecting server block still has to terminate TLS before it can answer, so it needs the certificate and the same ssl settings). I should write some template for this.

Anyway, now every request to the http or https version of the bare domain, or to the http version of the www host, is forwarded to the https www host. Done.
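This is how I would lay out the nginx side so that the certificate paths, the dhparam, the HSTS header and both redirects are covered without pasting the ssl config twice: the shared TLS settings go into one snippet that every HTTPS server block includes. This is an added example, not the config from the post; the domain example.com, the /etc/letsencrypt/live/ paths, the snippet location, the document root, the local resolver for OCSP stapling and the cipher list are all my assumptions.

```nginx
# Added example, not the post's own config. Assumptions: the site is
# example.com, the letsencrypt client wrote its files to
# /etc/letsencrypt/live/example.com/, the shared TLS settings live in
# /etc/nginx/snippets/tls.conf, and the cipher list is a 2016-era choice of mine.

# ---- /etc/nginx/snippets/tls.conf ---------------------------------------
# fullchain.pem = leaf certificate + intermediate, so nginx sends the whole chain.
ssl_certificate     /etc/letsencrypt/live/example.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

# The group generated with "openssl dhparam"; the 1024-bit default would cap
# the ssllabs grade at B.
ssl_dhparam /etc/ssl/certs/dhparam.pem;

ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';

ssl_session_cache   shared:SSL:10m;
ssl_session_timeout 10m;

# OCSP stapling (not needed for the grade). chain.pem is the intermediate the
# client saved next to the certificate; nginx needs a resolver to fetch the
# OCSP response (assumed: a caching resolver on localhost).
ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate /etc/letsencrypt/live/example.com/chain.pem;
resolver 127.0.0.1 valid=300s;

# HSTS: 15552000 s = 180 days, the minimum ssllabs wants for A+. Browsers only
# honour it over HTTPS, which is why it sits in this snippet and not in the
# port-80 block. "always" adds it to error responses as well. Add
# "; includeSubDomains" only once every subdomain really serves HTTPS.
add_header Strict-Transport-Security "max-age=15552000" always;

# ---- /etc/nginx/sites-enabled/example.com ------------------------------
# Plain HTTP for both names: no content, just send everyone to https://www.
server {
    listen 80;
    listen [::]:80;
    server_name example.com www.example.com;
    return 301 https://www.example.com$request_uri;
}

# HTTPS on the bare domain. This block has to terminate TLS before it can
# redirect, so it needs the certificate; the include keeps the settings in one
# place. The certificate must therefore cover example.com as well as
# www.example.com, i.e. request it for both names:
#   letsencrypt-auto certonly --standalone -d example.com -d www.example.com
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name example.com;
    include /etc/nginx/snippets/tls.conf;
    return 301 https://www.example.com$request_uri;
}

# The canonical site.
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name www.example.com;
    include /etc/nginx/snippets/tls.conf;

    root  /var/www/blog;   # assumed document root
    index index.html;

    location / {
        try_files $uri $uri/ =404;
    }
}
```

Check the result with nginx -t before reloading, and afterwards with curl -I https://www.example.com/ to see that the Strict-Transport-Security header is actually there; ssllabs will also tell you whether the served chain is complete and whether stapling works. Keep in mind that once HSTS is announced for 180 days, switching the site back to plain HTTP will break it for everyone who has visited in the meantime.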

Alternative Methods

If, for security/trust/whatever reasons, you don't want to use the official client, you could use the scripts from lukas2511's github or hlandau's github. I did not test either of them, but received positive feedback for both.

The latter implements the ACME protocol as an independent client, which in principle could be used to get certificates from other CAs as well. At the moment, letsencrypt is the only CA offering an ACME endpoint.