CrownCloud Wiki

letsencrypt_with_nginx

To set up Let's Encrypt with Nginx, first install the prerequisites

apt-get install sudo
apt-get install nano

Download the Let's Encrypt client (certbot-auto) into /usr/local/sbin

cd /usr/local/sbin
wget https://dl.eff.org/certbot-auto

If you haven't already, install Nginx

sudo apt-get update
sudo apt-get install nginx

Make the letsencrypt client file executable

sudo chmod a+x /usr/local/sbin/certbot-auto

Add the .well-known directory to your Nginx configuration so that it is accessible to the Let's Encrypt client

sudo nano /etc/nginx/sites-available/default

Add the following location block inside the server block of your Nginx configuration

        location ~ /.well-known {
                allow all;
        }

Check the Nginx configuration for any errors that could have occurred.

sudo nginx -t

Restart Nginx

sudo service nginx restart

Generate the SSL certificate using the Let's Encrypt client (Note: change the webroot directory if necessary, and change example.com and www.example.com to the domain you would like to have SSL enabled on.)

certbot-auto certonly -a webroot --webroot-path=/usr/share/nginx/html -d example.com -d www.example.com

If everything was successful, you should end up seeing something like this

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at
   /etc/letsencrypt/live/example.com/fullchain.pem. Your
   cert will expire on 2017-01-03. To obtain a new or tweaked version
   of this certificate in the future, simply run certbot-auto again.
   To non-interactively renew *all* of your certificates, run
   "certbot-auto renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

To further increase the security of your website, you should also generate a strong Diffie-Hellman group

sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048

To add the SSL certificate to your website, you will again need to edit the configuration file

sudo nano /etc/nginx/sites-available/default

Find the server block, and comment out the lines that configure the server to listen on port 80.

Next, you will need to configure your server to listen on port 443. (Note: Edit all instances of example.com to your own domain)

        listen 443 ssl;

        server_name example.com www.example.com;

        ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

To restrict Nginx to strong SSL ciphers and protocols, also add the following to your configuration file, under the lines we just added.

        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_prefer_server_ciphers on;
        ssl_dhparam /etc/ssl/certs/dhparam.pem;
        ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
        ssl_session_timeout 1d;
        ssl_session_cache shared:SSL:50m;
        ssl_stapling on;
        ssl_stapling_verify on;
        add_header Strict-Transport-Security max-age=15768000;

(Optional) To redirect all traffic to SSL, you will need to add this into your server block under server_name

        return 301 https://$host$request_uri;
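The steps from the .well-known location through the optional redirect, combined into one complete configuration. This is an added example, not the wiki's own file: it assumes the site root is /usr/share/nginx/html (the directory passed to --webroot-path above) and the domain example.com; the resolver address and the shortened, AEAD-only cipher list are also assumptions of this example rather than values from the page.

```nginx
# Added example for /etc/nginx/sites-available/default (not from the wiki page).
# Assumptions: site root /usr/share/nginx/html, domain example.com.

# Port 80 serves only the ACME challenge and redirects everything else to
# HTTPS. Keeping the redirect in this block rather than in the 443 block means
# the HTTPS server never redirects to itself, and certbot-auto renew can still
# fetch the challenge over plain HTTP after port 80 has been "commented out"
# of the main site.
server {
    listen 80;
    server_name example.com www.example.com;

    # Prefix match with ^~ wins over regex locations, so nothing else in the
    # config can swallow the challenge path. The root must be the directory
    # given to --webroot-path.
    location ^~ /.well-known/acme-challenge/ {
        root /usr/share/nginx/html;
        default_type "text/plain";
        allow all;
    }

    location / {
        return 301 https://$host$request_uri;
    }
}

# Port 443 serves the actual site.
server {
    listen 443 ssl;
    server_name example.com www.example.com;

    root /usr/share/nginx/html;
    index index.html;

    ssl_certificate     /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

    # The page lists TLSv1 TLSv1.1 TLSv1.2; TLS 1.0 and 1.1 are deprecated
    # (RFC 8996), so this example allows only 1.2 and 1.3 (TLS 1.3 needs
    # nginx 1.13+ built against OpenSSL 1.1.1+).
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
    ssl_dhparam /etc/ssl/certs/dhparam.pem;
    # Shortened, forward-secret AEAD subset of the page's cipher list (assumption).
    ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:!aNULL:!eNULL:!MD5:!RC4';
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:50m;

    # OCSP stapling needs a resolver to look up the CA's OCSP responder;
    # without one nginx logs a warning and serves no stapled response.
    # The resolver address is an assumption; use your own.
    ssl_stapling on;
    ssl_stapling_verify on;
    resolver 127.0.0.53 valid=300s;

    add_header Strict-Transport-Security "max-age=15768000" always;
}
```

After saving this file, run `sudo nginx -t` and `sudo service nginx restart` as in the steps below, then `certbot-auto renew --dry-run` to confirm that the challenge path on port 80 is still reachable before the real renewal is due.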

Test your Nginx configuration file, and restart nginx

sudo nginx -t
sudo service nginx restart

To renew all of your certificates at once when they expire, you can run

certbot-auto renew

And finally, you will have SSL on your website for free.

letsencrypt_with_nginx.txt · Last modified: 2016/10/05 06:21 by jordan