These instructions are for implementing HTTPS on a NFSN-hosted static site using a certificate from Let's Encrypt. The certificate is generated manually on a separate computer.
Start off by installing the letsencrypt client. This requires sudo privileges and will install a bunch of packages:
% curl -O https://dl.eff.org/certbot-auto
% chmod +x ./certbot-auto
% ./certbot-auto
Generate the certificate. This will require you to publish some challenge responses on NFSN. I find it easiest to use tmux with letsencrypt running in one window and an SSH session to NFSN in another:
% sudo certbot-auto certonly \
> --email me@domain.com \
> --rsa-key-size 4096 \
> --authenticator manual \
> --domain domain.com \
> --domain www.domain.com
Then send the PEM files to your NFSN server and use the nfsn command the parse them:1
% sudo cat /etc/letsencrypt/live/domain.com/{cert,chain,privkey}.pem |
> ssh ssh.phx.nearlyfreespeech.net nfsn -i set-tls
Note that your NFSN ssh server may be different from mine, and can be found on your "Site Information" page in the control panel. Once that's been done, everything should automatically be redirected to the HTTPS version of the site. It may be helpful to use scheme-relative URLs if you have a mixture of HTTP/HTTPS external content. Don't forget to put a reminder in your todo list to renew the certificate; currently, Let's Encrypt certificates have a 90-day lifetime.
1 Previously, I have been uploading the PEM files to /home/protected/ssl (these can be deleted once everything is done) and then submitting a free assistance request on NFSN with the short name of the site and a brief message e.g. "Please parse the TLS for my site example". However, NFSN provide a way of doing this without troubling their support, using the nfsn command installed on their servers.
Instead of submitting the assistance request you can also just run
cat privkey.pem cert.pem chain.pem | nfsn -i set-tlsOtherwise, thanks for the tutorial, worked great!