Update December 5th, 2015: Forge now supports Let's Encrypt (Taylor's tweet), which makes the steps below unnecessary.

What is Let's Encrypt

Let's Encrypt is a free, automated, and open certificate authority (CA), run for the public’s benefit.

If you've ever had to purchase an SSL certificate, you've found that it can be expensive. It can be difficult to generate your CSR, keys, compile a complete certificate chain, ensure your ciphers are correct and so on and so forth.

What Let's Encrypt does is make the process of getting a valid certificate configured on your server really simple.

Getting setup

The first step is to download the Let's Encrypt client onto your Forge server. Log in as the forge user, and make sure you have your sudo password handy (it'll be in the configuration email you received when your server was set up, unless you've subsequently changed it).

forge@yourserver:~$ git clone https://github.com/letsencrypt/letsencrypt
forge@yourserver:~$ cd letsencrypt/
forge@yourserver:~/letsencrypt$ ./letsencrypt-auto
Bootstrapping dependencies for Debian-based OSes...

This runs an apt-get update and installs the dependencies the letsencrypt client needs. On a Forge-provisioned server this step fails the first time around, because at the time of this post the client cannot yet configure nginx automatically, and Forge-provisioned servers use nginx by default.

No installers seem to be present and working on your system; fix that or try running letsencrypt with the "certonly" command

From here, you'll need to do a little bit of extra manual work. The first thing you'll need to do is stop nginx. This is going to stop your sites from being served, so be mindful of the time of day you run this and who might be accessing your site.

The remainder of this process shouldn't take more than five minutes.

forge@yourserver:~/letsencrypt$ sudo service nginx stop

Generating your certificate

Note: the --server parameter will be provided to you in the beta acceptance email from Let's Encrypt and may vary from what is below, so be mindful if you run into issues.

forge@yourserver:~/letsencrypt$ ./letsencrypt-auto --agree-dev-preview --server https://acme-v01.api.letsencrypt.org/directory auth --rsa-key-size 2048
Updating letsencrypt and virtual environment dependencies......
Running with virtualenv: sudo /home/forge/.local/share/letsencrypt/bin/letsencrypt --agree-dev-preview --server https://acme-v01.api.letsencrypt.org/directory auth --rsa-key-size 2048
[sudo] password for forge: 

You'll be asked to enter an email address, which is used for urgent notices and lost-key recovery. This only needs to be done the first time you run letsencrypt. It's best to use a suitable, monitored address at yourdomain.com for such notices.

The next step is to enter your domain names, separated by either a comma or a space. When finished, press OK.

[Screenshot: the letsencrypt dialog for entering domain names]

You'll then be given a path to the full certificate chain.

- Congratulations! Your certificate and chain have been saved at /path/to/your/fullchain.pem. Your cert will expire on YYYY-MM-DD. To obtain a new version of the certificate in the future, simply run Let's Encrypt again.

Installing your certificate

The last step you need to complete is to install the newly generated certificate chain. You can do this via Forge, but seeing as we are already logged into our server, we'll continue here.

forge@yourserver:~/letsencrypt$ sudo vim /etc/nginx/sites-available/yourdomain.com

The first thing you'll want to do is configure your server to listen for your domain name on port 80 (regular HTTP) and redirect requests to port 443 (HTTPS).

server {
    listen 80;
    server_name yourdomain.com;
    return 301 https://yourdomain.com$request_uri;
}

Next, we'll configure your server to listen on port 443.

server {
    listen 443 ssl;
    server_name yourdomain.com;
    root /home/forge/yourdomain.com/current/public;

    ssl_certificate /path/to/your/fullchain.pem;

    # The privkey.pem file is in the same directory as your fullchain.pem
    # by default, so you should only need to change 'fullchain' to 'privkey'
    ssl_certificate_key /path/to/your/privkey.pem;

    # The rest of your Forge configuration for an existing site will be here!
    # ...
}

If you were previously using an SSL certificate that was configured by Forge, I have found that it is ok to comment out (with a # at the start of the lines) the existing ssl_certificate and ssl_certificate_key lines. I'm not sure if there is a way to do this via the Forge website.

Verifying your certificate

You'll need to start nginx again:

forge@yourserver:~/letsencrypt$ sudo service nginx start

Now check that your site is working in your browser. Open http://yourdomain.com and make sure that it redirects to https://yourdomain.com. You should see the green padlock, and your certificate will be signed by Let's Encrypt Authority X1.

[Screenshot: browser address bar showing the padlock and a certificate issued by Let's Encrypt Authority X1]
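The same two things (the redirect and the issuer) can be checked from a shell instead of a browser, which is handy for a cron job or a quick sanity check before the 90-day renewal. The script below is an added example, not part of the original post: the check_* functions read captured curl and openssl output on stdin so they can be exercised offline, verify_site() makes the live calls, and yourdomain.com is a placeholder.

```shell
#!/bin/sh
# Added example (not from the original post): checks that the new certificate
# is actually being served. The check_* functions read captured tool output
# from stdin so they can be exercised offline; verify_site() runs them against
# a live host using curl and openssl. "yourdomain.com" is a placeholder.

# Pass when the headers for http://DOMAIN/ are a 301 pointing at https://DOMAIN,
# which is what the "return 301" server block above produces.
check_redirect() {
    domain="$1"
    headers="$(cat)"
    printf '%s\n' "$headers" | head -n 1 | grep -q ' 301 ' || return 1
    printf '%s\n' "$headers" | grep -iq "^location: https://$domain" || return 1
}

# Pass when the issuer line from "openssl x509 -noout -issuer" names
# Let's Encrypt (the late-2015 intermediate is "Let's Encrypt Authority X1").
check_issuer() {
    grep -q "Let's Encrypt" || return 1
}

# Print the whole days between a reference epoch ($1, default: now) and the
# "notAfter=" line from "openssl x509 -noout -enddate". Assumes GNU date -d.
days_left() {
    now="${1:-$(date +%s)}"
    not_after="$(sed -n 's/^notAfter=//p')"
    expiry="$(date -d "$not_after" +%s)" || return 1
    echo $(( (expiry - now) / 86400 ))
}

# Live check for a real host: fetch the response headers and the leaf cert.
verify_site() {
    domain="$1"
    curl -sI "http://$domain/" | check_redirect "$domain" \
        || { echo "redirect to https: FAIL"; return 1; }
    cert="$(openssl s_client -servername "$domain" -connect "$domain:443" \
                </dev/null 2>/dev/null | openssl x509)"
    printf '%s\n' "$cert" | openssl x509 -noout -issuer | check_issuer \
        || { echo "issuer: FAIL"; return 1; }
    days="$(printf '%s\n' "$cert" | openssl x509 -noout -enddate | days_left)"
    echo "redirect: OK, issuer: OK, certificate expires in $days days"
    # Let's Encrypt certificates last 90 days, so flag anything under a month.
    [ "$days" -gt 30 ]
}

# Usage: verify_site yourdomain.com
```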

That's all there is to it!

Conclusion

There are lots of other things you can do to get an A rating for your SSL configuration, which I may discuss in a later post.

If you're keen to do some extra reading about SSL configuration, check out this post on the Mozilla wiki, which talks more about appropriate ciphers and configuration for various browser support needs.

If you have any questions about getting up and running, or you have an existing Forge site with custom configuration, feel free to leave a comment or tweet me and I'll be happy to help you out.