[Ubuntu 16.04 / Nginx] Let's Encrypt
#1
As a non-root user with sudo privileges.

First, update the local package lists, then install the client:

Code:
sudo apt-get update
sudo apt-get install letsencrypt

Unlike the Apache plugin, which is here.

Plugins that only obtain certificates, and don't install them, are called "authenticators" because they are used to authenticate whether a server should be issued a certificate.

I'll show you how to use the Webroot plugin to obtain an SSL certificate.

The Webroot plugin works by placing a special file in the /.well-known directory within your document root, which can be opened (through your web server) by the Let's Encrypt service for validation. Depending on your configuration, you may need to explicitly allow access to the /.well-known directory.

To ensure that the directory is accessible to Let's Encrypt for validation, let's make a quick change to our Nginx configuration. By default, it's located at /etc/nginx/sites-available/default.

We'll use vim to edit it:

Code:
sudo vim /etc/nginx/sites-available/default
Inside the server block, add this location block:
Code:
       location ~ /.well-known {
               allow all;
       }
Save and exit ( :wq ).

Check your configuration for syntax errors:
Code:
sudo nginx -t
If no errors are found, restart Nginx with this command:
Code:
sudo systemctl restart nginx

Now to get the domains http://www.example.com and example.com authenticated:
Code:
sudo letsencrypt certonly -a webroot --webroot-path=/var/www/html -d example.com -d www.example.com

Enter your recovery email and accept the TOS.

Let's Encrypt creates symbolic links to the most recent certificate files in the /etc/letsencrypt/live/your_domain_name directory.

I'll configure the web server to use fullchain.pem as the certificate file and privkey.pem as the certificate key file.

Now to generate a strong Diffie-Hellman group:
Code:
sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048
This may take a few minutes, but when it's done you will have a strong DH group at /etc/ssl/certs/dhparam.pem.

Let's create a new Nginx configuration snippet in the /etc/nginx/snippets directory.

To properly distinguish the purpose of this file, we will name it ssl-domain.name.conf:

Code:
sudo vim /etc/nginx/snippets/ssl-example.com.conf


We just need to set the ssl_certificate directive to our certificate file and the ssl_certificate_key directive to the private key:

Code:
ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
When you've added those lines, save and close the file ( :wq ).

The parameters we will set can be reused in future Nginx configurations, so we will give the file a general name:

Code:
sudo vim /etc/nginx/snippets/ssl-params.conf

Copy the code:
Code:
# from https://cipherli.st/
# and https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html

ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
ssl_ecdh_curve secp384r1;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off;
ssl_stapling on;
ssl_stapling_verify on;
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 5s;
# Disable preloading HSTS for now.  You can use the commented out header line that includes
# the "preload" directive if you understand the implications.
#add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
add_header Strict-Transport-Security "max-age=63072000; includeSubdomains";
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;

ssl_dhparam /etc/ssl/certs/dhparam.pem;
and paste it into the file.

Before we go any further, let's back up our current server block file:

Code:
sudo cp /etc/nginx/sites-available/default /etc/nginx/sites-available/default.bak

Now, make the adjustments:

Code:
server {
   listen 80 default_server;
   listen [::]:80 default_server;
   server_name example.com www.example.com;
   return 301 https://$server_name$request_uri;
}

server {

   # SSL configuration

   listen 443 ssl http2 default_server;
   listen [::]:443 ssl http2 default_server;
   include snippets/ssl-example.com.conf;
   include snippets/ssl-params.conf;

#etc . . .
}

Now to test the conf:
Code:
sudo nginx -t

If successful, run:
Code:
sudo systemctl reload nginx

Now to set up auto-renewals:

Code:
sudo crontab -e

and enter the following lines:

Code:
30 2 * * 1 /usr/bin/letsencrypt renew >> /var/log/le-renew.log
35 2 * * 1 /bin/systemctl reload nginx

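The two cron lines above reload Nginx every Monday whether or not a certificate was actually renewed, and without checking the configuration first. The following wrapper is an added example, not part of the original post: it reloads only when fullchain.pem has changed, and only after nginx -t passes. LIVE_DIR, LOG and the `run` argument are assumptions; adjust the domain to yours.

```shell
#!/bin/sh
# Renewal wrapper: reload Nginx only when the certificate actually changed
# and only after the configuration passes `nginx -t`.
set -u

# Assumptions: the live directory for your domain and the log file used above.
LIVE_DIR="/etc/letsencrypt/live/example.com"
LOG="/var/log/le-renew.log"

# Print a SHA-256 fingerprint of a file, or "missing" if it does not exist.
cert_fingerprint() {
    if [ -f "$1" ]; then
        sha256sum "$1" | cut -d' ' -f1
    else
        echo "missing"
    fi
}

# Succeed (exit 0) when the two fingerprints differ, i.e. a reload is needed.
cert_changed() {
    [ "$1" != "$2" ]
}

# Validate the config first; reload only if nginx -t succeeds.
safe_reload() {
    if nginx -t >/dev/null 2>&1; then
        systemctl reload nginx && echo "reloaded"
    else
        echo "config-error: nginx not reloaded"
        return 1
    fi
}

main() {
    before=$(cert_fingerprint "$LIVE_DIR/fullchain.pem")
    /usr/bin/letsencrypt renew >>"$LOG" 2>&1
    after=$(cert_fingerprint "$LIVE_DIR/fullchain.pem")
    if cert_changed "$before" "$after"; then
        safe_reload >>"$LOG" 2>&1
    else
        echo "$(date '+%F %T') certificate unchanged, no reload" >>"$LOG"
    fi
}

# Only perform the renewal when invoked as `le-renew.sh run`, so the
# functions above can also be sourced and tested on their own.
if [ "${1:-}" = "run" ]; then
    main
fi
```

Point the first cron line at this script (for example `30 2 * * 1 /usr/local/bin/le-renew.sh run`) and drop the second.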
#2
Very easy to follow tutorial. Good job. I am using nginx with let's encrypt on my server. Let's encrypt is cool.
#3
There is also an official plugin which works for nginx on the Certbot/LE client.
To use it, just run Certbot like the following:
Code:
certbot --nginx
You can select which websites you want to secure from there.
#4
I feel like doing it custom gives you much greater options than just running the automated cert installation. For example, I tend to generate 4096-bit certs and I like to extensively edit the nginx.conf for many things.
#5
@The Man Who Can: letsencrypt is certbot, just renamed in 16.*
@Kotagami: I don't directly edit the nginx conf. I just put a file in the snippets folder and include it in the nginx.conf.
#6
Is it supported with cPanel/WHM and the Varnish Cache module? Because I have noticed that ports are not working correctly for the https protocol. If yes, please share a tutorial.
#7
@YouStable

cPanel has Let's Encrypt addons. Use them. This guide is for webmasters who run their own setup without a control panel. Combining this with cPanel will lead to issues because cPanel has everything highly customized and has massive configuration differences.
#8
@Hidden Refuge

Yeah, that's correct. Even Varnish doesn't allow running https connections in an easy way, but yes, with a few tweaks cPanel + Varnish + SSL works well.
#9
(2016-11-30, 3:04:06 am) YouStable Wrote: @Hidden Refuge

Yeah, that's correct. Even Varnish doesn't allow running https connections in an easy way, but yes, with a few tweaks cPanel + Varnish + SSL works well.

That is still more prone to breaking, even with the tweaks. As HR said, it's probably much better just to use the native(!) cPanel AutoSSL module.
-karatekidmonkey (https://codeco.pw)
#10
Thanks for the tutorial with all the steps clearly presented.

Most of my websites are running without any control panel. And I use also Ubuntu and nginx most of the time. So this tutorial is particularly suitable for my uses.