Hello All, Today I am gona discuss how to secure you website with free ssl provided by Let's Encrypt with nginx web server on an ubuntu machine.Here are some few steps you have to follow to do this:
Install Let’s Encrypt Client
You have to install Let's Encrypt Client to generate a ssl certificate for your site. The best way to install Let’s Encrypt Client is download it from the EFF’s download site.
cd /usr/local/sbinsudo wget https://dl.eff.org/certbot-auto
You should now have a copy of certbot-auto in the /usr/local/sbin directory.`
- Make the script executable by running command
sudo chmod a+x /usr/local/sbin/certbot-auto
Setup nginx to get a certificate
The Webroot plugin works by placing a special file in the /.well-known directory within your document root, which can be opened (through your web server) by the Let's Encrypt client for validation. Depending on your configuration, you may need to explicitly allow access to the /.well-known directory.
To ensure that the directory is accessible to certbot-auto for validation, change the nginx configuration, as like:
suno nano /etc/nginx/site-enabled/(default or your config file)- Add following block of code inside the file.
location ~ /.well-known {
allow all;
}
- Run
sudo nginx -tto test that nginx configs are right or not. - Restart nginx by running
sudo service nginx restart
Generate a certificate
- Run
certbot-auto certonly -a webroot --webroot-path=PATH_OF_APP_ROOT -d domain.com -d www.domain.com
#Note: The certbot-auto software requires superuser privileges, so you will be required to enter your password if you haven't used sudo recently.
- Enter email when prompt for email.
- Select agreement when it ask.
- After obtaining the cert, you will have the following PEM-encoded files.
Generate Strong Diffie-Hellman Group
- Run
sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048 - This may take a few minutes but when it’s done you will have a strong DH group at
/etc/ssl/certs/dhparam.pem.
Configure SSL certificate on nginx
- Run
sudo nano /etc/nginx/sites-available/(default or your config file) - Make some changes like:
server {
listen 443 ssl;
listen doamin.com:443 ssl;
server_name doamin.com;
# SSL configuration
ssl on;
ssl_certificate /etc/letsencrypt/live/doamin.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/doamin.com/privkey.pem;
ssl_prefer_server_ciphers On;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
# this below line is required to produce A+ certificate
ssl_dhparam /etc/ssl/certs/dhparam.pem;
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
location ~ /.well-known {
allow all;
}
# Applications root
root YOUR_APP_ROOT;
location ^~ /assets/ {
gzip_static on;
expires max;
add_header Cache-Control public;
}
}
server {
listen 80;
rewrite ^/(.*) https://$host$request_uri permanent;
}
}
- Run
sudo service nginx restartto restart nginx.
Verify SSL certificate
- Open
https://www.ssllabs.com/ssltest/analyze.html?d=doamin.comin your browser to verify rating of certificate.
Limitations
Let’s Encrypt has some limitations like:
- It’s not work for subdomains.
- It’s only for 90 days. If you want to secure you site for long time then you have to setup auto-renewal for your site. You can easily configure `Let’s Encrypt auto-renewal.
Setup auto renewal
- Enable crontab
sudo crontab -e 30 2 * * 1 /usr/bin/letsencrypt renew >> /var/log/le-renew.log35 2 * * 1 /bin/systemctl reload nginx
