Hello All, today I am going to discuss how to secure your website with the free SSL certificates provided by Let's Encrypt, using the nginx web server on an Ubuntu machine. Here are the few steps you have to follow:
Install Let's Encrypt Client
You have to install the Let's Encrypt client to generate an SSL certificate for your site. The best way to install it is to download it from the EFF's download site:
cd /usr/local/sbin
sudo wget https://dl.eff.org/certbot-auto
You should now have a copy of certbot-auto in the /usr/local/sbin directory.
- Make the script executable by running:
sudo chmod a+x /usr/local/sbin/certbot-auto
Setup nginx to get a certificate
The webroot plugin works by placing a special file in the /.well-known directory within your document root, which Let's Encrypt fetches (through your web server) to validate that you control the domain. Depending on your configuration, you may need to explicitly allow access to the /.well-known directory.
To ensure that the directory is accessible to certbot-auto for validation, edit the nginx configuration:
sudo nano /etc/nginx/sites-enabled/(default or your config file)
- Add the following block of code inside the file.
- Run
sudo nginx -t
to check that the nginx configuration is valid.
- Restart nginx by running
sudo service nginx restart
Generate a certificate
- Run
certbot-auto certonly -a webroot --webroot-path=PATH_OF_APP_ROOT -d domain.com -d www.domain.com
- Enter your email address when prompted.
- Accept the agreement when asked.
- After obtaining the cert, you will have the following PEM-encoded files.
Generate Strong Diffie-Hellman Group
- Run
sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048
- This may take a few minutes, but when it's done you will have a strong DH group at /etc/ssl/certs/dhparam.pem.
Configure SSL certificate on nginx
- Run
sudo nano /etc/nginx/sites-available/(default or your config file)
- Make changes to the server block like the following:
- Run
sudo service nginx restart
to restart nginx.
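As an added example (not code from the original post), here is a complete nginx site file that covers both the /.well-known block from the earlier step and the SSL settings this step asks for. It assumes the webroot is /var/www/html and that the certificate files are in certbot's default location /etc/letsencrypt/live/domain.com/; replace domain.com with your own domain.

```nginx
# Added example, not from the original post. Assumes webroot /var/www/html
# and certbot's default certificate path /etc/letsencrypt/live/domain.com/.
server {
    listen 80;
    listen [::]:80;
    server_name domain.com www.domain.com;

    # Must stay reachable over plain HTTP: certbot-auto drops the validation
    # token here and Let's Encrypt fetches it at issue and renew time.
    location ^~ /.well-known/acme-challenge/ {
        root /var/www/html;
        default_type "text/plain";
        allow all;
    }
    # Everything else is redirected to HTTPS.
    location / {
        return 301 https://$host$request_uri;
    }
}

server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name domain.com www.domain.com;
    root /var/www/html;

    ssl_certificate     /etc/letsencrypt/live/domain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/domain.com/privkey.pem;

    # The DH group generated with openssl dhparam earlier in this post.
    ssl_dhparam /etc/ssl/certs/dhparam.pem;

    # Modern protocols only (TLSv1.3 needs nginx 1.13+ with OpenSSL 1.1.1).
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;

    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 1d;
    ssl_session_tickets off;

    # OCSP stapling: clients get revocation status without contacting the CA.
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /etc/letsencrypt/live/domain.com/chain.pem;

    # HSTS: browsers will refuse plain HTTP for this host for one year.
    add_header Strict-Transport-Security "max-age=31536000" always;
}
```

Run sudo nginx -t after editing; the port-80 server must keep serving /.well-known/acme-challenge/ without redirecting it, or the automatic renewal below will fail validation.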
Verify SSL certificate
- Open
https://www.ssllabs.com/ssltest/analyze.html?d=domain.com
in your browser to check the rating of your certificate.
Limitations
Let's Encrypt has some limitations:
- It does not work for subdomains.
- Certificates are valid for only 90 days. If you want to keep your site secured for a long time, you have to set up auto-renewal. You can easily configure Let's Encrypt auto-renewal as follows.
Setup auto renewal
- Edit the root crontab:
sudo crontab -e
- Add the following lines. They run the renewal every Monday at 02:30 and reload nginx five minutes later so the new certificate is picked up. The renew command uses the certbot-auto copy installed above, and 2>&1 also sends errors to the log:
30 2 * * 1 /usr/local/sbin/certbot-auto renew >> /var/log/le-renew.log 2>&1
35 2 * * 1 /bin/systemctl reload nginx