Yesterday I set up SSL on my Node.js server with LetsEncrypt. I was surprised at how easy the process was, and would recommend it over StartCom SSL, which I tried but was unsuccessful with.
I have a Linux EC2 instance with a static IP, hosting API endpoints from a Node server. For this type of setup, it looks like LetsEncrypt offers two options: "webroot" and "standalone". I opted to use the standalone installation method. I temporarily shut down the server and then ran:
./letsencrypt-auto certonly --standalone -d api.notenoughneon.com
This generated 4 files under /etc/letsencrypt/live/api.notenoughneon.com: cert.pem, chain.pem, fullchain.pem, privkey.pem. The Node https server has options for "key" and "cert". I tried plugging in privkey.pem and cert.pem:
var fs = require('fs');
var https = require('https');
// cert.pem holds only the server (leaf) certificate
var key = fs.readFileSync('privkey.pem');
var cert = fs.readFileSync('cert.pem');
var server = https.createServer({key: key, cert: cert}, app);
This worked for browsers, but I had issues connecting to 3rd party services (quill.p3k.io). It turned out that I was missing the full "cert chain", which is in fullchain.pem. The file is simply multiple certificates concatenated, including the one in cert.pem. It can be used as-is for the "cert" option:
// fullchain.pem holds the server certificate followed by the rest of the chain
var key = fs.readFileSync('privkey.pem');
var cert = fs.readFileSync('fullchain.pem');
var server = https.createServer({key: key, cert: cert}, app);
This resolved the missing cert chain issue. I found this tool helpful for testing the cert chain: https://www.ssllabs.com/ssltest/index.html
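A local check for the same problem, as an added example that is not part of the original post: it splits a PEM file into its certificates and verifies that each one is issued by the next, so a leaf-only file like cert.pem is flagged before the server is started. The function names and the sample subject/issuer strings are assumptions made for illustration; `X509Certificate` is Node's built-in class from the `crypto` module.

```javascript
const fs = require('fs');
const { X509Certificate } = require('crypto'); // Node.js 15.6 or later

const PEM_CERT = /-----BEGIN CERTIFICATE-----[\s\S]+?-----END CERTIFICATE-----/g;

// Split a PEM bundle such as fullchain.pem into its individual certificates.
function splitPemBundle(pemText) {
  return pemText.match(PEM_CERT) || [];
}

// certs: [{subject, issuer}] in file order, leaf first.
// Returns a list of problems; an empty list means the chain links up.
function checkChainOrder(certs) {
  const problems = [];
  if (certs.length === 0) problems.push('no certificates found');
  if (certs.length === 1 && certs[0].subject !== certs[0].issuer) {
    problems.push('leaf only: no intermediate certificate is included');
  }
  for (let i = 0; i + 1 < certs.length; i++) {
    if (certs[i].issuer !== certs[i + 1].subject) {
      problems.push(`certificate ${i} is not issued by certificate ${i + 1}`);
    }
  }
  return problems;
}

// Parse a real PEM file from disk and run the check on it.
function checkPemFile(path) {
  const certs = splitPemBundle(fs.readFileSync(path, 'utf8')).map((pem) => {
    const c = new X509Certificate(pem);
    return { subject: c.subject, issuer: c.issuer, validTo: c.validTo };
  });
  return { certs, problems: checkChainOrder(certs) };
}

// Constructed sample data (not real certificates) showing both cases.
const LEAF = { subject: 'CN=api.example.test', issuer: 'CN=Example Intermediate CA' };
const INTERMEDIATE = { subject: 'CN=Example Intermediate CA', issuer: 'CN=Example Root CA' };
console.log(checkChainOrder([LEAF]));               // cert.pem-style file
console.log(checkChainOrder([LEAF, INTERMEDIATE])); // fullchain.pem-style file
```

Calling `checkPemFile` on the file passed as the "cert" option also returns each certificate's `validTo` date, which is useful given the 3-month lifetime.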
Another point to note is that the certs issued by LetsEncrypt expire after 3 months, and are meant to be auto-renewed using a script. I decided to put this off until it's time to renew, since LetsEncrypt are developing new features and may have better node integration by then.
References: