Because I decided to add multiple sub-domains to better administer libertatum.net (e.g. blog, www), the single SSL certificate I had was insufficient, and now that Let's Encrypt is live, it's time to https all the things!

Install Let's Encrypt (the first run of ./letsencrypt-auto --help installs the client and its dependencies)

$ git clone https://github.com/letsencrypt/letsencrypt
$ cd letsencrypt
$ ./letsencrypt-auto --help

Stop nginx, since the standalone authenticator needs to bind the web ports itself

$ sudo service nginx stop

Generate certificates for the domain and each subdomain

$ ./letsencrypt-auto certonly --standalone \
  -d libertatum.net \
  -d box.libertatum.net \
  -d blog.libertatum.net \
  -d www.libertatum.net

That generates the certificates in /etc/letsencrypt/live/libertatum.net/:

  • cert.pem
  • chain.pem
  • fullchain.pem
  • privkey.pem

Mail-in-a-box serves box.libertatum.net by default, so the certificate for that subdomain lives directly in /home/user-data/ssl/; every other domain needs its own subdirectory there:

$ sudo mkdir /home/user-data/ssl/{libertatum.net,blog.libertatum.net,www.libertatum.net}

Symlink fullchain.pem and privkey.pem into each domain's directory under the ssl_certificate.pem and ssl_private_key.pem names Mail-in-a-box expects:

$ sudo ln -s /etc/letsencrypt/live/libertatum.net/fullchain.pem \
  /home/user-data/ssl/libertatum.net/ssl_certificate.pem
$ sudo ln -s /etc/letsencrypt/live/libertatum.net/privkey.pem \
  /home/user-data/ssl/libertatum.net/ssl_private_key.pem
$ sudo ln -s /etc/letsencrypt/live/libertatum.net/fullchain.pem \
  /home/user-data/ssl/www.libertatum.net/ssl_certificate.pem
$ sudo ln -s /etc/letsencrypt/live/libertatum.net/privkey.pem \
  /home/user-data/ssl/www.libertatum.net/ssl_private_key.pem
$ sudo ln -s /etc/letsencrypt/live/libertatum.net/fullchain.pem \
  /home/user-data/ssl/blog.libertatum.net/ssl_certificate.pem
$ sudo ln -s /etc/letsencrypt/live/libertatum.net/privkey.pem \
  /home/user-data/ssl/blog.libertatum.net/ssl_private_key.pem

Restart nginx and bask in the glory of secure http!

$ sudo service nginx start
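The directory-and-symlink step above as an added helper script; it is not from the post or from Mail-in-a-box. Before linking, it checks that each name is actually listed in the certificate's subjectAltName, so a domain left out of the certonly command is refused instead of being served a mismatched certificate. It assumes openssl 1.1.1 or newer (for the -ext option) and the /etc/letsencrypt/live/libertatum.net and /home/user-data/ssl paths from the post.

```shell
#!/bin/sh
# Added helper (not from the post or Mail-in-a-box). Wires one Let's Encrypt certificate
# into Mail-in-a-box's per-domain layout and refuses names the certificate does not cover.
# Assumed paths: LIVE_DIR=/etc/letsencrypt/live/libertatum.net, SSL_ROOT=/home/user-data/ssl.

# san_covers DOMAIN SAN_TEXT -> 0 if DOMAIN is an exact DNS entry in SAN_TEXT, else 1.
# SAN_TEXT is the "DNS:a, DNS:b" line openssl prints; wildcards are deliberately not matched.
san_covers() {
    printf '%s\n' "$2" | tr ',' '\n' | sed 's/^[[:space:]]*DNS://' | grep -qxF "$1"
}

# cert_sans CERT_PEM -> the subjectAltName entries of CERT_PEM (needs openssl >= 1.1.1).
cert_sans() {
    openssl x509 -in "$1" -noout -ext subjectAltName | tail -n +2
}

# link_domain LIVE_DIR SSL_ROOT DOMAIN [SAN_TEXT]
# Creates SSL_ROOT/DOMAIN and links fullchain/privkey under the names Mail-in-a-box reads.
# SAN_TEXT may be supplied (e.g. in tests); otherwise it is read from LIVE_DIR/fullchain.pem.
link_domain() {
    live=$1; root=$2; domain=$3
    sans=${4:-$(cert_sans "$live/fullchain.pem")}
    if ! san_covers "$domain" "$sans"; then
        echo "refusing $domain: not in subjectAltName of $live/fullchain.pem" >&2
        return 1
    fi
    mkdir -p "$root/$domain" &&
    ln -sfn "$live/fullchain.pem" "$root/$domain/ssl_certificate.pem" &&
    ln -sfn "$live/privkey.pem"   "$root/$domain/ssl_private_key.pem"
}

# link_all LIVE_DIR SSL_ROOT DOMAIN... -> links every domain; returns 1 if any was refused.
link_all() {
    live=$1; root=$2; shift 2
    sans=$(cert_sans "$live/fullchain.pem") || return 1
    rc=0
    for d in "$@"; do
        link_domain "$live" "$root" "$d" "$sans" || rc=1
    done
    return $rc
}
```

Source the file and run `sudo sh -c '. ./linkcerts.sh; link_all /etc/letsencrypt/live/libertatum.net /home/user-data/ssl libertatum.net blog.libertatum.net www.libertatum.net'`; box.libertatum.net is left alone because Mail-in-a-box keeps its files directly in /home/user-data/ssl/.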