Installing and configuring Let's Encrypt with Nginx on Ubuntu 16.04

Let's Encrypt is a new certificate authority (CA) that issues free TLS/SSL certificates for serving websites over HTTPS. Let's Encrypt is still in its testing phase and currently only supports automatic installation on the Apache web server. However, it makes obtaining a free SSL certificate very easy, after which the certificate can be installed manually on any web server.

This article covers:

  • Installing Nginx on Ubuntu 16.04
  • Obtaining a free SSL certificate from Let's Encrypt
  • Configuring Nginx to use the SSL certificate
  • Renewing the SSL certificate automatically

Prerequisites

  • You must own a domain name
  • An A record for the domain must point to the web server you are configuring
  • You need root privileges on Ubuntu 16.04

I use test.com and www.test.com as example domains throughout this article; wherever test.com appears, substitute your own domain name.

1) Download the Let's Encrypt client

To obtain an SSL certificate from Let's Encrypt, first download the letsencrypt client.

letsencrypt is hosted on GitHub, so download it with git clone.

If git is not installed, install it:

$ sudo apt-get update
$ sudo apt-get install git

I clone Let's Encrypt into the /opt directory:

$ sudo git clone https://github.com/letsencrypt/letsencrypt /opt/letsencrypt

2) Obtain an SSL certificate

If Nginx is not installed, install it:

$ sudo apt-get install nginx

Configure Nginx:

$ sudo vim /etc/nginx/sites-available/default

Add the following inside the server block:

        location ~ /.well-known {
                allow all;
        }

Purpose of /.well-known: the Let's Encrypt server fetches a challenge file from this path on your web server to verify that you control the domain name and the server it points to.

You can also change the site's root directory; the default is /var/www/html.

Reload Nginx for the changes to take effect:

$ sudo systemctl reload nginx

Obtain an SSL certificate:

$ cd /opt/letsencrypt
$ ./letsencrypt-auto certonly -a webroot --webroot-path=/var/www/html -d test.com -d www.test.com

During the process you are prompted for an e-mail address (used for urgent notices and key recovery), and then asked to accept the terms of service.

If successful, it outputs the following:

IMPORTANT NOTES:
...
 - Congratulations! Your certificate and chain have been saved at
   /etc/letsencrypt/live/test.com/fullchain.pem. Your
   cert will expire on 2016-06-15. To obtain a new version of the
   certificate in the future, simply run Let's Encrypt again.
...

Note the certificate path and the expiration date.

If there are errors, check that ports 80 and 443 are open in the firewall.

The certificates under /etc/letsencrypt/live/test.com are actually stored in the /etc/letsencrypt/archive directory; /etc/letsencrypt/live only contains symbolic links pointing to the latest certificate in /etc/letsencrypt/archive. List the certificate files you obtained:

$ sudo ls -l /etc/letsencrypt/live/test.com

For added security, you should also generate a Diffie-Hellman parameter file:

$ sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048

Next, configure Nginx to use fullchain.pem as the certificate file and privkey.pem as the private key.

3) Configure Nginx to use TLS/SSL

Now that you have an SSL certificate, configure Nginx to use it as follows.

Edit the Nginx configuration file /etc/nginx/sites-available/default:

$ sudo vim /etc/nginx/sites-available/default

Find the server block and comment out or delete the following lines:

        listen 80 default_server;
        listen [::]:80 default_server;

Add the following to the server block to enable HTTPS:

        listen 443 ssl;

        server_name test.com www.test.com;

        ssl_certificate /etc/letsencrypt/live/test.com/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/test.com/privkey.pem;

Add the following SSL protocol settings to the server block:

        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_prefer_server_ciphers on;
        ssl_dhparam /etc/ssl/certs/dhparam.pem;
        ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
        ssl_session_timeout 1d;
        ssl_session_cache shared:SSL:50m;
        ssl_stapling on;
        ssl_stapling_verify on;
        add_header Strict-Transport-Security max-age=15768000;

Finally, we also need to add a server block that redirects HTTP requests (port 80) to HTTPS (port 443):

server {
    listen 80;
    server_name test.com www.test.com;
    return 301 https://$host$request_uri;
}

Save and exit.

Reload Nginx for the changes to take effect:

$ sudo systemctl reload nginx

Your web server should now support HTTPS.
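As an added example that is not part of the original post, the following POSIX shell lint reads the TLS directives of a server block like the one configured above and reports what a reviewer would flag: the ssl_protocols line on this page still offers TLSv1 and TLSv1.1, which were common in 2016 but have since been deprecated (RFC 8996), and the certificate path must be fullchain.pem rather than cert.pem. The config text and the function names are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the original post): lint the TLS directives of an
# Nginx server block before "systemctl reload nginx". Needs only grep and sed.

# Constructed sample 1: the TLS settings as the post above configures them.
CONF_AS_POSTED='server {
    listen 443 ssl;
    ssl_certificate /etc/letsencrypt/live/test.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/test.com/privkey.pem;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    add_header Strict-Transport-Security max-age=15768000;
}'

# Constructed sample 2: the same block with TLS 1.0 and 1.1 dropped.
CONF_HARDENED=$(printf '%s\n' "$CONF_AS_POSTED" |
    sed 's/ssl_protocols TLSv1 TLSv1.1 TLSv1.2;/ssl_protocols TLSv1.2;/')

# directive_value NAME: print the argument of the first NAME directive on stdin.
directive_value() {
    grep -E "^[[:space:]]*$1[[:space:]]" | head -n 1 |
        sed -E "s/^[[:space:]]*$1[[:space:]]+//; s/[[:space:]]*;[[:space:]]*$//"
}

# tls_findings CONF: print one line per problem; prints nothing when clean.
tls_findings() {
    conf=$1
    protos=$(printf '%s\n' "$conf" | directive_value ssl_protocols)
    cert=$(printf '%s\n' "$conf" | directive_value ssl_certificate)
    for weak in SSLv2 SSLv3 TLSv1 TLSv1.1; do
        case " $protos " in
            *" $weak "*) echo "deprecated protocol enabled: $weak" ;;
        esac
    done
    # The post requires fullchain.pem, not cert.pem: without the intermediate
    # certificate many clients cannot build a chain to the Let's Encrypt root.
    case "$cert" in
        */fullchain.pem) ;;
        "")  echo "ssl_certificate directive is missing" ;;
        *)   echo "ssl_certificate should point at fullchain.pem, not $cert" ;;
    esac
    printf '%s\n' "$conf" | grep -q 'Strict-Transport-Security' ||
        echo "no HSTS header (add_header Strict-Transport-Security ...)"
    return 0
}

# count_findings CONF: number of problems found (0 means the block is clean).
count_findings() {
    tls_findings "$1" | grep -c . || true
}
```

Run `count_findings "$CONF_AS_POSTED"` against the block as posted and it reports 2 (TLSv1 and TLSv1.1); the hardened block reports 0.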

4) Renew SSL certificates automatically

Let's Encrypt certificates are valid for three months, but I recommend renewing them every two months.

Renewal command:

$ /opt/letsencrypt/letsencrypt-auto renew

Use a cron job to renew the certificates automatically:

$ sudo crontab -e

Add the following lines:

30 2 * * 1 /opt/letsencrypt/letsencrypt-auto renew >> /var/log/le-renew.log
35 2 * * 1 /bin/systemctl reload nginx

Save and exit.


To update the letsencrypt client itself, simply run git pull:

$ cd /opt/letsencrypt
$ sudo git pull

Source: www.cnblogs.com/wangziqiang123/p/11711181.html