Recently I was working on adding HTTPS to my website KnapsackPro.com and I’d like to share some tips on how to configure SSL/TLS in a Rails application for free with Let’s Encrypt.
I needed a secure connection for my Rails application API because my gem called knapsack_pro, which is responsible for optimizing test suite split, sends test file names to the API where the test suite split happens. I wanted to keep the connection more secure with SSL/TLS.
I was looking at options like buying a cheap certificate for a year but I needed a few certificates for my other domains like the main website, API domain, staging website and API staging domain.
A while ago, I read an article on Hacker News about Let’s Encrypt. It is a new Certificate Authority sponsored by many companies. They are aiming for a few things:
free certificates for everyone
SSL renewal process should be automated (no more buying a certificate every year and manually updating it on the server)
automatic issuance and renewal protocol as an open standard
What differentiates Let’s Encrypt from other Certificate Authorities is that Let’s Encrypt certificates have ninety-day lifetimes. One of the reasons for the ninety-day lifetime is that it encourages automation. We can’t continue to expect system administrators to manually handle renewals. More explanation can be found here.
What you are going to learn
In this article I’m going to show you how to:
create capistrano tasks to:
  register Let’s Encrypt client
  authorize domain on Let’s Encrypt
  obtain a certificate from Let’s Encrypt
create rake task for certificate renewal process and run it via cron
How to work with Let’s Encrypt
There are multiple Let’s Encrypt clients but we are going to focus on acme-client.
Let’s add the gem to your project:
Remember to run bundle install after that.
Capistrano task to register Let’s Encrypt client
We have to create an account on Let’s Encrypt in order to authenticate our client. The capistrano task will handle that and create a new private key which will be registered on Let’s Encrypt.
When you try to run the task a second time, it will skip the registration process because the private key already exists.
Thanks to that we will be able to use the task during deployment via capistrano. The task will create a private key and register it on Let’s Encrypt only when that’s necessary.
We also need to ensure that capistrano gem can see our task. Add the line listed below at the end of your Capfile if the line is missing.
Capistrano task to authorize domain on Let’s Encrypt
We have to prove that we are in control of our domain before we are able to obtain a certificate from Let’s Encrypt.
Let’s create another capistrano task for that:
Capistrano task to obtain a certificate from Let’s Encrypt
The last step is to obtain a certificate. We can add a task for that:
Please note that I’m using nginx and my nginx configuration looks for the SSL certificate and the SSL private key in the shared directory. In your case, it might be a different directory. You need to ensure your web server, such as nginx or Apache, has SSL enabled and is configured with the path where it should look for the certificate.
Configuration of capistrano so it will work with our tasks
Now we need to add proper configuration variables for our production environment.
Another thing we need to remember is to ensure our capistrano tasks are run during deployment. Let’s update the deploy configuration:
We need to reload nginx server after we obtain the certificate.
I assume you have a task like nginx:reload or something similar for another HTTP server like Apache.
Create rake task for certificate renewal process
We would like to have an automated process of certificate renewal. In order to do that, we can create a rake task. You may ask why a rake task instead of a capistrano task? We will use a rake task because we would like to run it via cron every week.
Add certificate renewal task to cron
If you are using the whenever gem with capistrano then you can just update the schedule file:
We reload nginx server after certificate renewal in order to use a new certificate. That’s it.
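The renewal step above, as an added example that is not part of the original post or its rake task: a stand-alone Ruby check that a weekly cron job could run to decide whether a certificate needs renewing and whether it matches its private key before nginx is reloaded. The 30-day threshold, the helper names and the self-signed sample certificate are assumptions constructed for illustration.

```ruby
require 'openssl'

SECONDS_PER_DAY = 86_400

# Builds a self-signed certificate used only as constructed sample input.
def build_sample_cert(key, not_before, lifetime_days)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse('/CN=example.test')
  cert.public_key = key.public_key
  cert.not_before = not_before
  cert.not_after = not_before + lifetime_days * SECONDS_PER_DAY
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  cert
end

# Returns one of :key_mismatch, :not_yet_valid, :expired, :renew, :ok.
# renew_before_days is an assumed threshold; with a weekly cron run and
# ninety-day certificates, 30 days leaves several retries before expiry.
def renewal_decision(cert_pem, key_pem, now: Time.now, renew_before_days: 30)
  cert = OpenSSL::X509::Certificate.new(cert_pem)
  key = OpenSSL::PKey.read(key_pem)

  # A certificate that does not match the key would break TLS after a reload.
  return :key_mismatch unless cert.check_private_key(key)
  return :not_yet_valid if now < cert.not_before
  return :expired if now >= cert.not_after

  days_left = ((cert.not_after - now) / SECONDS_PER_DAY).floor
  days_left < renew_before_days ? :renew : :ok
end

if __FILE__ == $PROGRAM_NAME
  key = OpenSSL::PKey::RSA.new(2048)
  issued = Time.utc(2024, 1, 1) # constructed issue date
  cert = build_sample_cert(key, issued, 90)
  [10, 70, 95].each do |age_days|
    now = issued + age_days * SECONDS_PER_DAY
    puts "day #{age_days}: #{renewal_decision(cert.to_pem, key.to_pem, now: now)}"
  end
end
```

Only the :renew and :expired results call for requesting a new certificate; :key_mismatch means the server should not be reloaded until the certificate and key files are consistent.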
Now that everything is ready, you can just deploy your code. The first deploy will register a client, authorize the domain and obtain the certificate from Let’s Encrypt. It will also add our rake task, which is responsible for the automated process of certificate renewal, to crontab.
I hope these tips will help you set up your Rails application with free certificates from Let’s Encrypt.