path: root/content/blog/2015-12-21-setting-up-lets-encrypt-with-ruby-on-rails-and-freebsd/index.md
+++
title = "Setting up Let's Encrypt with Ruby on Rails and FreeBSD"
lang = "en"

[taxonomies]
tags = ["FreeBSD", "letsencrypt", "tips & tricks"]

[extra]
author = "harald"
+++

{% figure(img="letsencrypt-logo-horizontal.svg") %}
Let's Encrypt logo.
{% end %}

I've been following [Let's Encrypt] for a while, and the idea is as simple as
it is brilliant! Make it so easy to add encryption to your webserver setup
that there's really no reason not to. Traditionally this has been both a
cumbersome and potentially expensive investment. At least for smaller stuff
like your average blog or community web site, getting a certificate and setting
it all up has been a hassle.

<!-- more -->

So I really like the idea of Let's Encrypt, and since they've just launched
their [public beta program] in time for the renewal of one of my certificates
I decided to give it a spin. The process was surprisingly painless.

The base Let's Encrypt program is already in the [FreeBSD ports collection],
so installing it was as simple as running:

    portmaster -P /usr/ports/security/py-letsencrypt

There were quite a few dependencies to be installed, but the ports system
takes care of that, and portmaster helps make the process really smooth. A few
config options and 10 minutes later everything was built and installed.

Next step was to generate the certificates. After a few misses I found the
right invocation:

    sudo letsencrypt certonly --webroot \
        -w /usr/local/www/my_rails_app_dir/current/public/ \
        -d mydomain.com -d www.mydomain.com

Half a minute later I had my certificates in
`/usr/local/etc/letsencrypt/live/mydomain.com`. I just had to update the Apache
config and everything worked right away.

The Let's Encrypt website warns that you may have to shut down your webserver
while it does its job. That was not necessary in this case. It seems this is
only necessary if you run with the `--standalone` option. The `--webroot`
and `-w` options, on the other hand, allow you to specify manually where
`letsencrypt` should put its challenge files.

The Let's Encrypt server then accesses these files using the regular webserver
you're already running. Since this particular domain runs a [Ruby on Rails]
app deployed using [Capistrano] I ended up with the path above.
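
A pre-flight check for the `--webroot` directory described above, added here as an example (it is not part of the original post or of the `letsencrypt` client). It assumes the challenge files go under `.well-known/acme-challenge/`, the path ACME HTTP-01 validation uses, and that the web server reads them as a different user; the function names `check_webroot` and `other_has` are hypothetical.

```shell
#!/bin/sh
# Added example: verify that files written below a --webroot directory
# would be readable by a web server running as another user.
CHALLENGE_SUBDIR=".well-known/acme-challenge"   # ACME HTTP-01 path

# other_has PATH OCTAL: true if "other" has all the given mode bits on PATH.
other_has() {
    [ -n "$(find "$1" -prune -perm -"$2" 2>/dev/null)" ]
}

# check_webroot DIR: prints findings, returns 0 if usable, 1 otherwise.
# Creates DIR/.well-known/acme-challenge if missing and leaves it in place.
check_webroot() {
    webroot=${1%/}
    [ -d "$webroot" ] || { echo "FAIL: $webroot is not a directory"; return 1; }
    # Capistrano's "current" is a symlink; resolve it to the real release dir.
    real=$(cd "$webroot" && pwd -P) || return 1
    if [ "$real" != "$webroot" ]; then
        echo "NOTE: $webroot resolves to $real (changes on the next deploy)"
    fi
    dir="$real/$CHALLENGE_SUBDIR"
    mkdir -p "$dir" 2>/dev/null || { echo "FAIL: cannot create $dir"; return 1; }
    probe="$dir/preflight-$$"
    echo probe > "$probe" || { echo "FAIL: cannot write in $dir"; return 1; }
    rc=0
    # Each directory needs o+x so the server can traverse it ...
    for d in "$real" "$real/.well-known" "$dir"; do
        other_has "$d" 001 || { echo "FAIL: $d is not traversable by others"; rc=1; }
    done
    # ... and a freshly created file needs o+r (depends on the umask in effect).
    other_has "$probe" 004 || { echo "FAIL: new files in $dir are not world-readable"; rc=1; }
    rm -f "$probe"
    if [ "$rc" -eq 0 ]; then
        echo "OK: challenge files under $dir would be readable"
    fi
    return "$rc"
}

# Usage: sh preflight.sh /usr/local/www/my_rails_app_dir/current/public/
if [ "$#" -gt 0 ]; then
    check_webroot "$1"
fi
```

Run it with the same privileges and umask you use for `letsencrypt` itself, since those decide the mode of the files it creates.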

I had quite frankly expected that there would be more bumps. For one, this
*is* still a beta, and they do warn on their website that there will be bugs.
Further, not all software developed for Linux runs equally smoothly on FreeBSD,
but this time there was no need for worrying.

The plugins for Apache and nginx are not yet available in the ports tree,
however, so I'm running things manually for now.

[Let's Encrypt]: https://letsencrypt.org/
[public beta program]: https://letsencrypt.org/2015/12/03/entering-public-beta.html
[FreeBSD ports collection]: https://www.freebsd.org/cgi/ports.cgi?query=letsencrypt&stype=all
[Ruby on Rails]: http://rubyonrails.org/
[Capistrano]: http://capistranorb.com/