Hello all. Today I am going to discuss how to secure your website with a free SSL certificate provided by Let's Encrypt, with the nginx web server on an Ubuntu machine. Here are the steps you have to follow:
Install Let’s Encrypt Client
You have to install the Let's Encrypt client to generate an SSL certificate for your site. The best way to install the Let's Encrypt client is to download it from the EFF's download site.
sudo wget https://dl.eff.org/certbot-auto
You should now have a copy of
certbot-auto in the
- Make the script executable by running the command:
sudo chmod a+x /usr/local/sbin/certbot-auto
Set up nginx to get a certificate
The Webroot plugin works by placing a special file in the /.well-known directory within your document root, which can be opened (through your web server) by the Let's Encrypt client for validation. Depending on your configuration, you may need to explicitly allow access to the
To ensure that the directory is accessible to certbot-auto for validation, change the nginx configuration like this:
sudo nano /etc/nginx/sites-enabled/(default or your config file)
- Add the following block of code inside the file.
- Run sudo nginx -t to test whether the nginx configs are right.
- Restart nginx by running
sudo service nginx restart
Generate a certificate
certbot-auto certonly -a webroot --webroot-path=PATH_OF_APP_ROOT -d domain.com -d www.domain.com
- Enter your email address when prompted.
- Accept the agreement when asked.
- After obtaining the cert, you will have the following PEM-encoded files.
Generate Strong Diffie-Hellman Group
sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048
- This may take a few minutes but when it’s done you will have a strong DH group at
Configure SSL certificate on nginx
sudo nano /etc/nginx/sites-available/(default or your config file)
- Make some changes like:
- Run sudo service nginx restart to restart nginx.
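The two nginx edits described above (allowing access to /.well-known for validation, then pointing nginx at the certificate and the DH group) could look like the following. This is an added example, not the original post's configuration: /var/www/app stands in for PATH_OF_APP_ROOT, and the /etc/letsencrypt/live/domain.com/ paths assume certbot's default layout with domain.com as the first -d name.

```nginx
# Added example (not from the original post). /var/www/app is a placeholder
# for PATH_OF_APP_ROOT; domain.com is the placeholder domain used above.

# Step 1: in place before running certbot-auto certonly.
server {
    listen 80;
    server_name domain.com www.domain.com;

    # Webroot validation: challenge files are written under
    # <webroot>/.well-known/acme-challenge/ and fetched over plain HTTP,
    # so this location must stay reachable on port 80 (renewals included).
    location ^~ /.well-known/acme-challenge/ {
        root /var/www/app;        # must match --webroot-path
        default_type text/plain;
        try_files $uri =404;      # serve only files that exist, no listing
    }

    # Enable this redirect only after step 2 is working; until then,
    # serve the site here as before.
    location / {
        return 301 https://$host$request_uri;
    }
}

# Step 2: add after the certificate exists. nginx -t fails if the
# PEM files referenced below are missing.
server {
    listen 443 ssl;
    server_name domain.com www.domain.com;
    root /var/www/app;

    # Assumed certbot default layout: /etc/letsencrypt/live/<first -d name>/
    ssl_certificate     /etc/letsencrypt/live/domain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/domain.com/privkey.pem;

    # DH group generated with openssl dhparam above; used by the DHE suites.
    ssl_dhparam /etc/ssl/certs/dhparam.pem;

    ssl_protocols TLSv1.2;  # add TLSv1.3 if your nginx/OpenSSL build supports it
    ssl_prefer_server_ciphers on;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;
}
```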
Verify SSL certificate
- Open https://www.ssllabs.com/ssltest/analyze.html?d=domain.com in your browser to verify the rating of the certificate.
Let’s Encrypt has some limitations like:
- It does not work for subdomains.
- It's only for 90 days. If you want to secure your site for a long time, you have to set up auto-renewal for your site. You can easily configure Let's Encrypt auto-renewal.
Set up auto-renewal
- Enable crontab
sudo crontab -e
30 2 * * 1 /usr/local/sbin/certbot-auto renew >> /var/log/le-renew.log
35 2 * * 1 /bin/systemctl reload nginx