How To Secure Nginx with Let's Encrypt on ubuntu


Category : Github

Hello All, today I am going to discuss how to secure your website with a free SSL certificate from Let's Encrypt, using the nginx web server on an Ubuntu machine. Here are the steps you have to follow:

Install Let’s Encrypt Client

You have to install the Let's Encrypt client to generate an SSL certificate for your site. The best way to install the Let's Encrypt client is to download it from the EFF's download site.

  • cd /usr/local/sbin
  • sudo wget https://dl.eff.org/certbot-auto

You should now have a copy of certbot-auto in the /usr/local/sbin directory.

  • Make the script executable by running sudo chmod a+x /usr/local/sbin/certbot-auto

Setup nginx to get a certificate

The Webroot plugin works by placing a special file in the /.well-known directory within your document root, which can be opened (through your web server) by the Let's Encrypt client for validation. Depending on your configuration, you may need to explicitly allow access to the /.well-known directory.

To ensure that the directory is accessible to certbot-auto for validation, change the nginx configuration as follows:

  • sudo nano /etc/nginx/sites-enabled/(default or your config file)
  • Add the following block inside the server block of the file:
    location ~ /.well-known {
        allow all;
    }

  • Run sudo nginx -t to check that the nginx configuration is valid.
  • Restart nginx by running sudo service nginx restart

Generate a certificate

  • Run certbot-auto certonly -a webroot --webroot-path=PATH_OF_APP_ROOT -d domain.com -d www.domain.com
    Note: certbot-auto requires superuser privileges, so it will prompt for your password if you haven't used sudo recently.

  • Enter your email address when prompted.
  • Accept the agreement when asked.
  • After obtaining the cert, certbot writes the PEM-encoded certificate files to /etc/letsencrypt/live/domain.com/ (the paths used in the nginx configuration below).

Generate Strong Diffie-Hellman Group

  • Run sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048
  • This may take a few minutes, but when it's done you will have a strong DH group at /etc/ssl/certs/dhparam.pem.

Configure SSL certificate on nginx

  • Run sudo nano /etc/nginx/sites-available/(default or your config file)
  • Make some changes like:
    server {
        listen 443 ssl;
        server_name domain.com;

        # SSL configuration
        # ("ssl on;" is not needed when "listen ... ssl" is used, and it is
        #  deprecated in recent nginx versions.)
        ssl_certificate /etc/letsencrypt/live/domain.com/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/domain.com/privkey.pem;
        ssl_prefer_server_ciphers on;
        # TLSv1 and TLSv1.1 are deprecated (RFC 8996); current deployments
        # list only TLSv1.2 and TLSv1.3.
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

        # this line is required to get an A+ rating on the SSL Labs test
        ssl_dhparam /etc/ssl/certs/dhparam.pem;

        ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';

        # keep the validation path reachable for certificate renewals
        location ~ /.well-known {
            allow all;
        }

        # Application root
        root YOUR_APP_ROOT;

        location ^~ /assets/ {
            gzip_static on;
            expires max;
            add_header Cache-Control public;
        }
    }

    # redirect plain HTTP to HTTPS
    server {
        listen 80;
        rewrite ^/(.*) https://$host$request_uri permanent;
    }
   
  • Run sudo service nginx restart to restart nginx.
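The server block above keeps the protocol list the post was written with. As an added example (not from the original post), here is a current-day variant of the same HTTPS server block: it drops TLS 1.0 and 1.1 (deprecated by RFC 8996), offers only forward-secret AEAD cipher suites, disables long-lived session tickets, and sends an HSTS header. domain.com and YOUR_APP_ROOT are placeholders exactly as in the post; TLS 1.3 is assumed to be available (nginx 1.13.0 or later built against OpenSSL 1.1.1 or later).

```nginx
server {
    listen 443 ssl;
    server_name domain.com www.domain.com;

    ssl_certificate     /etc/letsencrypt/live/domain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/domain.com/privkey.pem;
    ssl_dhparam         /etc/ssl/certs/dhparam.pem;   # the 2048-bit group generated above

    # TLS 1.0 and 1.1 are deprecated (RFC 8996). TLS 1.3 suites are selected by
    # OpenSSL itself and are not affected by ssl_ciphers.
    ssl_protocols TLSv1.2 TLSv1.3;

    # Forward-secret (ECDHE/DHE) AEAD suites only; no CBC, no RSA key exchange.
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
    ssl_prefer_server_ciphers off;   # every listed suite is acceptable, so let the client choose

    # Session resumption via the server-side cache; tickets off so resumption
    # does not depend on a ticket key that is never rotated.
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 1d;
    ssl_session_tickets off;

    # Browsers remember to use HTTPS for one year. Start with a short max-age
    # while testing, because a bad HSTS policy cannot be undone quickly.
    add_header Strict-Transport-Security "max-age=31536000" always;

    root YOUR_APP_ROOT;

    # ACME HTTP-01 challenge files written by certbot's webroot plugin
    location ^~ /.well-known/acme-challenge/ {
        allow all;
    }

    location ^~ /assets/ {
        gzip_static on;
        expires max;
        add_header Cache-Control public;
        # add_header in a location replaces ALL inherited add_header lines,
        # so the HSTS header must be repeated here or assets lose it.
        add_header Strict-Transport-Security "max-age=31536000" always;
    }
}

server {
    listen 80;
    server_name domain.com www.domain.com;

    # Keep the challenge path reachable over plain HTTP as well, so renewals
    # succeed without relying on the redirect.
    location ^~ /.well-known/acme-challenge/ {
        root YOUR_APP_ROOT;
    }

    location / {
        return 301 https://$host$request_uri;
    }
}
```

Run sudo nginx -t before reloading; an nginx built without TLS 1.3 support will reject the ssl_protocols line, in which case drop TLSv1.3 from it.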

Verify SSL certificate

  • Open https://www.ssllabs.com/ssltest/analyze.html?d=domain.com in your browser to verify the rating of your certificate.

Limitations

Let’s Encrypt has some limitations like:

  • It does not work for subdomains.
  • Certificates are valid for only 90 days. If you want to keep your site secured for longer, you have to set up auto-renewal for your site. You can easily configure Let's Encrypt auto-renewal.

Setup auto renewal

  • Open the root crontab with sudo crontab -e and add the two lines below. The renew command uses the certbot-auto client installed earlier; if you installed the Ubuntu letsencrypt package instead, use /usr/bin/letsencrypt renew.
  • 30 2 * * 1 /usr/local/sbin/certbot-auto renew >> /var/log/le-renew.log 2>&1
  • 35 2 * * 1 /bin/systemctl reload nginx
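The two cron lines above renew blindly and reload nginx five minutes later whether or not anything changed. As an added example (not from the original post), the script below wraps the same renewal in a check of the certificate's remaining lifetime using openssl x509 -checkend, logs the expiry date, and reloads nginx only after a renewal actually ran. CERTBOT and the certificate path are placeholders for this deployment; certbot's own renew command already skips certificates with more than 30 days left, so the wrapper's value is the explicit threshold and the log line.

```shell
#!/bin/sh
# Added example, not from the original post. Assumed placeholders:
#   CERTBOT   - path of the ACME client (defaults to the certbot-auto installed above)
#   $1        - a certificate file, e.g. /etc/letsencrypt/live/domain.com/cert.pem

# Return 0 (true) when the certificate in $1 expires within $2 days
# (default 30). `openssl x509 -checkend N` exits 0 only if the certificate is
# still valid N seconds from now, so an unreadable or expired file also
# counts as "needs renewal".
needs_renewal() {
    cert="$1"
    days="${2:-30}"
    if openssl x509 -checkend $((days * 86400)) -noout -in "$cert" >/dev/null 2>&1; then
        return 1   # still valid beyond the window
    fi
    return 0       # expires within the window, already expired, or unreadable
}

# Print the certificate's notAfter date for the log line.
cert_not_after() {
    openssl x509 -enddate -noout -in "$1" | sed 's/^notAfter=//'
}

# Renew and reload nginx only when needed; call this weekly from cron.
renew_if_needed() {
    cert="$1"
    days="${2:-30}"
    certbot="${CERTBOT:-/usr/local/sbin/certbot-auto}"   # client installed earlier
    if needs_renewal "$cert" "$days"; then
        echo "$(date -u +%FT%TZ) renewing: $cert expires $(cert_not_after "$cert")"
        "$certbot" renew --quiet && systemctl reload nginx
    else
        echo "$(date -u +%FT%TZ) ok: $cert valid beyond the ${days}-day window"
    fi
}

# Usage (as root, from cron):
#   renew_if_needed /etc/letsencrypt/live/domain.com/cert.pem 30 >> /var/log/le-renew.log 2>&1
```

Because the reload only happens after a successful renewal, a failed renewal never leaves nginx serving a half-written certificate, and the log shows the expiry date each week so an expiring certificate is noticed before the 90 days run out.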

For a more detailed explanation, visit the Link or Link



About Ram Laxman Yadav
Ram Laxman Yadav

Senior Software Engineering Professional | Tech Enthusiast | Mentor | Payments | Hospitality | E-Commerce, based in NCR, India

Email : info@ramlaxman.co.in

Website : https://ramlaxman.co.in