[Ubuntu 16.04 / Nginx] Let's Encrypt
#1
As a sudo non-root user.

First, update the local package lists:

Code:
sudo apt-get update

sudo apt-get install letsencrypt


Unlike the Apache plugin, which is here.

Plugins that only obtain certificates, and don't install them, are called "authenticators" because they are used to authenticate whether a server should be issued a certificate.

I'll show you how to use the Webroot plugin to obtain an SSL certificate.

The Webroot plugin works by placing a special file in the /.well-known directory within your document root, which can be opened (through your web server) by the Let's Encrypt service for validation. Depending on your configuration, you may need to explicitly allow access to the /.well-known directory.

To ensure that the directory is accessible to Let's Encrypt for validation, let's make a quick change to our Nginx configuration. By default, it's located at /etc/nginx/sites-available/default.


We'll use vim to edit it:

Code:
sudo vim /etc/nginx/sites-available/default

Inside the server block, add this location block:

Code:
        location ~ /.well-known {
                allow all;
        }

Save and exit ( :wq ).

Check your configuration for syntax errors:

Code:
sudo nginx -t

If no errors are found, restart Nginx with this command:

Code:
sudo systemctl restart nginx


Now, to get the domains http://www.example.com and example.com authenticated:

Code:
sudo letsencrypt certonly -a webroot --webroot-path=/var/www/html -d example.com -d www.example.com


Enter your recovery email and accept the TOS.

Let's Encrypt creates symbolic links to the most recent certificate files in the /etc/letsencrypt/live/your_domain_name directory.


We'll configure our web server to use fullchain.pem as the certificate file and privkey.pem as the certificate key file.

Now, to generate a strong Diffie-Hellman group:

Code:
sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048

This may take a few minutes, but when it's done you will have a strong DH group at /etc/ssl/certs/dhparam.pem.

Let's create a new Nginx configuration snippet in the /etc/nginx/snippets directory.

To properly distinguish the purpose of this file, we will name it ssl-domain.name.conf:

Code:
sudo vim /etc/nginx/snippets/ssl-example.com.conf



We just need to set the ssl_certificate directive to our certificate file and the ssl_certificate_key directive to the private key:

Code:
ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

When you've added those lines, save and close the file ( :wq ).

The parameters we will set can be reused in future Nginx configurations, so we will give the file a general name:

Code:
sudo vim /etc/nginx/snippets/ssl-params.conf


Copy the following into the file:

Code:
# from https://cipherli.st/
# and https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html

ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
ssl_ecdh_curve secp384r1;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off;
ssl_stapling on;
ssl_stapling_verify on;
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 5s;
# Disable preloading HSTS for now.  You can use the commented out header line that includes
# the "preload" directive if you understand the implications.
#add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
add_header Strict-Transport-Security "max-age=63072000; includeSubdomains";
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;

ssl_dhparam /etc/ssl/certs/dhparam.pem;

Before we go any further, let's back up our current server block file:

Code:
sudo cp /etc/nginx/sites-available/default /etc/nginx/sites-available/default.bak


Now, to make adjustments:

Code:
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name example.com www.example.com;
    return 301 https://$server_name$request_uri;
}

server {

    # SSL configuration

    listen 443 ssl http2 default_server;
    listen [::]:443 ssl http2 default_server;
    include snippets/ssl-example.com.conf;
    include snippets/ssl-params.conf;

#etc . . .
}


Now to test the config:

Code:
sudo nginx -t


If successful, enter:

Code:
sudo systemctl reload nginx


Now to set up auto-renewals:

Code:
sudo crontab -e


and enter the following lines:

Code:
30 2 * * 1 /usr/bin/letsencrypt renew >> /var/log/le-renew.log
35 2 * * 1 /bin/systemctl reload nginx

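Added example, not from the post or the cipherli.st generator it copies from: a POSIX shell audit of the ssl_* directives in a snippet like the ssl-params.conf above, run here against a constructed copy of the post's settings. It flags the TLSv1/TLSv1.1 entries (deprecated by RFC 8996) and shows the snippet rewritten to TLSv1.2 only; all function and file names are my own.

```shell
#!/bin/sh
# Added example (not from the post): audit the ssl_* settings in an nginx snippet such as
# /etc/nginx/snippets/ssl-params.conf, printing one WARN line per weak or missing setting.
# Constructed sample input: the directives from the post's ssl-params.conf snippet.
SAMPLE_CONF="${TMPDIR:-/tmp}/ssl-params-sample.conf"
cat >"$SAMPLE_CONF" <<'EOF'
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
ssl_session_tickets off;
ssl_stapling on;
ssl_stapling_verify on;
add_header Strict-Transport-Security "max-age=63072000; includeSubdomains";
ssl_dhparam /etc/ssl/certs/dhparam.pem;
EOF
# directive_value FILE NAME: value of the first uncommented NAME directive, or empty.
directive_value() {
    sed -nE "s/^[[:space:]]*$2[[:space:]]+(.*);[[:space:]]*$/\1/p" "$1" | head -n 1
}
# audit_ssl_params FILE: one WARN line per weak or missing setting.
audit_ssl_params() {
    case " $(directive_value "$1" ssl_protocols) " in
        *" TLSv1 "*|*" TLSv1.1 "*) echo "WARN ssl_protocols enables TLS 1.0/1.1 (deprecated by RFC 8996)" ;;
    esac
    case "$(directive_value "$1" ssl_ciphers)" in
        *RC4*|*3DES*|*NULL*|*MD5*) echo "WARN ssl_ciphers includes a broken cipher" ;;
    esac
    [ "$(directive_value "$1" ssl_prefer_server_ciphers)" = on ] || echo "WARN ssl_prefer_server_ciphers is not on"
    [ "$(directive_value "$1" ssl_session_tickets)" = off ] || echo "WARN ssl_session_tickets not off (tickets undermine forward secrecy)"
    if [ "$(directive_value "$1" ssl_stapling)" = on ] && [ "$(directive_value "$1" ssl_stapling_verify)" != on ]; then
        echo "WARN ssl_stapling on without ssl_stapling_verify on"
    fi
    [ -n "$(directive_value "$1" ssl_dhparam)" ] || echo "WARN ssl_dhparam not set; generate one with openssl dhparam"
    grep -qE '^[[:space:]]*add_header[[:space:]]+Strict-Transport-Security' "$1" || echo "WARN no HSTS header"
}
# warn_count FILE: number of findings (0 means the snippet passes every check above).
warn_count() { audit_ssl_params "$1" | grep -c '^WARN' || true; }
# drop_legacy_tls IN OUT: copy IN to OUT with ssl_protocols limited to TLSv1.2, the newest
# version the OpenSSL 1.0.2 shipped with Ubuntu 16.04 supports.
drop_legacy_tls() {
    sed -E 's/^([[:space:]]*)ssl_protocols[[:space:]].*/\1ssl_protocols TLSv1.2;/' "$1" >"$2"
}
HARDENED_CONF="${TMPDIR:-/tmp}/ssl-params-hardened.conf"
drop_legacy_tls "$SAMPLE_CONF" "$HARDENED_CONF"
audit_ssl_params "$SAMPLE_CONF"     # prints only the TLS 1.0/1.1 warning
audit_ssl_params "$HARDENED_CONF"   # prints nothing
```

Point audit_ssl_params at your real /etc/nginx/snippets/ssl-params.conf after editing it and before `sudo nginx -t`.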
#2
Very easy to follow tutorial. Good job. I am using nginx with let's encrypt on my server. Let's encrypt is cool.
#3
There is also an official plugin which works for nginx on the Certbot/LE client.
To use it, just run Certbot like the following:

Code:
certbot --nginx

You can select which websites you want to secure from there.

#4
I feel like doing it custom gives you much greater options than just running an automated cert installation. For example, I tend to generate 4096-bit certs and I like to extensively edit the nginx.conf for many things.
#5
@The Man Who Can letsencrypt is certbot, just renamed in 16.*
@Kotagami, I don't directly edit the nginx conf. I just put a file in the snippets folder and include it in the nginx.conf.
#6
Does it work with cPanel/WHM and the Varnish Cache module? Because I have noticed that ports are not working correctly for the https protocol. If yes, please share a tutorial.
#7
@YouStable

cPanel has Let's Encrypt addons. Use them. This guide is for webmasters who run their own setup without a control panel. Combining this with cPanel will lead to issues because cPanel has everything highly customized and has massive configuration differences.
#8
@Hidden Refuge

Yeah, that's correct. Even Varnish doesn't allow running https connections in an easy way, but with a few tweaks cPanel + Varnish + SSL works well.
#9
(2016-11-30, 3:04:06 am) YouStable Wrote: @Hidden Refuge

Yeah, that's correct. Even Varnish doesn't allow running https connections in an easy way, but with a few tweaks cPanel + Varnish + SSL works well.

That is still more prone to breaking, even with the tweaks. As HR said, it's probably much better just to use the native(!) cPanel AutoSSL module.
#10
Thanks for the tutorial with all the steps clearly presented.

Most of my websites are running without any control panel. And I also use Ubuntu and nginx most of the time. So this tutorial is particularly suitable for my uses.