@andrewlkho
Last active July 22, 2024 16:24
Implementing HTTPS on NFSN (nearlyfreespeech.net) hosting using Let's Encrypt

These instructions are for implementing HTTPS on an NFSN-hosted static site using a certificate from Let's Encrypt. The certificate is generated manually on a separate computer.

Start off by installing the letsencrypt client. This requires sudo privileges and will install a bunch of packages:

% curl -O https://dl.eff.org/certbot-auto
% chmod +x ./certbot-auto
% ./certbot-auto

Generate the certificate. This will require you to publish some challenge responses on NFSN. I find it easiest to use tmux with letsencrypt running in one window and an SSH session to NFSN in another:

% sudo ./certbot-auto certonly \
> --email you@domain.com \
> --rsa-key-size 4096 \
> --authenticator manual \
> --domain domain.com \
> --domain www.domain.com

Then send the PEM files to your NFSN server and use the nfsn command to parse them [1]:

% sudo cat /etc/letsencrypt/live/domain.com/{cert,chain,privkey}.pem |
> ssh ssh.phx.nearlyfreespeech.net nfsn -i set-tls

Note that your NFSN ssh server may be different from mine, and can be found on your "Site Information" page in the control panel. Once that's been done, everything should automatically be redirected to the HTTPS version of the site. It may be helpful to use scheme-relative URLs if you have a mixture of HTTP/HTTPS external content. Don't forget to put a reminder in your todo list to renew the certificate; currently, Let's Encrypt certificates have a 90-day lifetime.
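The renewal reminder can be automated with a daily cron job on the machine that holds /etc/letsencrypt. The script below is an added example, not part of the original gist: it reports whether a certificate expires inside a given window and sets its exit status accordingly. The script name check-cert.sh, the 30-day default window and the throwaway sample.invalid certificate are assumptions, and it needs OpenSSL installed.

```bash
#!/usr/bin/env bash
# Added example, not part of the original gist. Assumes OpenSSL is installed.
# Cron usage (script name and 30-day window are assumptions):
#   sudo ./check-cert.sh /etc/letsencrypt/live/domain.com/cert.pem 30

# check_cert_expiry FILE [DAYS]
# Returns 0 if FILE is valid for more than DAYS days, 1 if it expires inside
# that window (or already has), 2 if FILE is not a readable PEM certificate.
check_cert_expiry() {
    local file="$1" days="${2:-30}" end
    if ! end=$(openssl x509 -in "$file" -noout -enddate 2>/dev/null); then
        echo "ERROR: cannot read $file as a PEM certificate" >&2
        return 2
    fi
    end=${end#notAfter=}
    # -checkend N exits 0 only if the certificate is still valid N seconds from now.
    if openssl x509 -in "$file" -noout -checkend "$(( days * 86400 ))" >/dev/null; then
        echo "OK: $file is valid until $end"
        return 0
    fi
    echo "RENEW: $file expires $end, inside the $days-day window"
    return 1
}

# make_sample_cert FILE DAYS: constructed test input, a throwaway self-signed
# certificate valid for DAYS days (its private key is deleted straight away).
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days "$2" -subj "/CN=sample.invalid" \
        -keyout "$1.key" -out "$1" 2>/dev/null && rm -f "$1.key"
}

case "${1:-}" in
    "") ;;                                  # no arguments: only define the functions
    --demo)
        tmp=$(mktemp) && make_sample_cert "$tmp" 10
        check_cert_expiry "$tmp" 30 || true # RENEW: 10 days left, 30-day window
        check_cert_expiry "$tmp" 5          # OK: 10 days left, 5-day window
        rm -f "$tmp" ;;
    *)  check_cert_expiry "$@"; exit $? ;;
esac
```

Because the exit status is non-zero whenever renewal is due, cron's normal mail-on-output behaviour or any monitoring wrapper can turn it into the reminder.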


[1] Previously, I have been uploading the PEM files to /home/protected/ssl (these can be deleted once everything is done) and then submitting a free assistance request on NFSN with the short name of the site and a brief message e.g. "Please parse the TLS for my site example". However, NFSN provide a way of doing this without troubling their support, using the nfsn command installed on their servers.

@BradyDale

As of January 2017, they are testing out a shell script to automatically set things up.

From your SSH prompt:

tls-setup.sh

Worked for me!

see post on the member forum

I could not make heads or tails of the instructions above, but this did seem to work for me as well. I don't know why they don't just plainly state that this exists in their FAQ.
