Let's Encrypt is a free and open certificate authority developed by the Internet Security Research Group (ISRG). Today, almost all browsers trust certificates issued by Let's Encrypt.
Prerequisites
Before continuing with this tutorial, make sure you have met the following prerequisites:
- You have a domain name pointing to your public server IP. In this tutorial, we will use example.com.
- You have installed Nginx by following these instructions.
- You have a server block for your domain. You can find more information about how to create one in this article.
Installing Certbot
Certbot is a full-featured and easy-to-use tool that can automate the tasks of obtaining and renewing Let's Encrypt SSL certificates and configuring the web server to use them. The certbot package is included in the default Ubuntu repositories.
Update the package list and install the certbot package:
sudo apt update
sudo apt install certbot
Generate a strong Diffie-Hellman (DH) group
Diffie-Hellman key exchange (DH) is a method of securely exchanging cryptographic keys over an insecure communication channel. We will generate a new set of 2048-bit DH parameters to strengthen security:
sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048
If you prefer, you can change the size to 4096 bits, but in that case the generation may take more than 30 minutes, depending on the system entropy.
Obtaining a Let's Encrypt SSL certificate
To obtain an SSL certificate for our domain, we will use the Webroot plugin, which works by creating a temporary file for validating the requested domain in the ${webroot-path}/.well-known/acme-challenge directory. The Let's Encrypt server makes HTTP requests to that temporary file to validate that the requested domain resolves to the server where certbot runs.
To keep it simple, we will map all HTTP requests for .well-known/acme-challenge to a single directory, /var/lib/letsencrypt.
The following commands will create the directory and make it writable for the Nginx server:
sudo mkdir -p /var/lib/letsencrypt/.well-known
sudo chgrp www-data /var/lib/letsencrypt
sudo chmod g+s /var/lib/letsencrypt
To avoid duplicating code, create the following two snippets, which we will include in all our Nginx server block files.
Open your text editor and create the first snippet, letsencrypt.conf:
sudo nano /etc/nginx/snippets/letsencrypt.conf
/etc/nginx/snippets/letsencrypt.conf
location ^~ /.well-known/acme-challenge/ {
    allow all;
    root /var/lib/letsencrypt/;
    default_type "text/plain";
    try_files $uri =404;
}
Create the second snippet, ssl.conf, which includes the ciphers recommended by Mozilla, enables OCSP Stapling and HTTP Strict Transport Security (HSTS), and enforces a few security-focused HTTP headers.
sudo nano /etc/nginx/snippets/ssl.conf
/etc/nginx/snippets/ssl.conf
ssl_dhparam /etc/ssl/certs/dhparam.pem;
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:50m;
ssl_session_tickets off;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
ssl_prefer_server_ciphers on;
ssl_stapling on;
ssl_stapling_verify on;
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 30s;
add_header Strict-Transport-Security "max-age=15768000; includeSubdomains; preload";
add_header X-Frame-Options SAMEORIGIN;
add_header X-Content-Type-Options nosniff;
After creating the snippets, open the domain server block and include the letsencrypt.conf snippet, as follows:
/etc/nginx/sites-available/example.com
server {
    listen 80;
    server_name example.com www.example.com;
    include snippets/letsencrypt.conf;
}
Reload the Nginx configuration for the changes to take effect:
sudo systemctl reload nginx
You can now run Certbot with the webroot plugin and obtain the SSL certificate files by issuing the following command (replace the placeholder address with your own):
sudo certbot certonly --agree-tos --email admin@example.com --webroot -w /var/lib/letsencrypt/ -d example.com -d www.example.com
If the SSL certificate is obtained successfully, certbot will print the following message:
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/example.com/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/example.com/privkey.pem
Your cert will expire on 2018-07-28. To obtain a new or tweaked
version of this certificate in the future, simply run certbot
again. To non-interactively renew *all* of your certificates, run
"certbot renew"
- Your account credentials have been saved in your Certbot
configuration directory at /etc/letsencrypt. You should make a
secure backup of this folder now. This configuration directory will
also contain certificates and private keys obtained by Certbot so
making regular backups of this folder is ideal.
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
Now that you have the certificate files, you can edit your domain server block as follows:
sudo nano /etc/nginx/sites-available/example.com
/etc/nginx/sites-available/example.com
server {
    listen 80;
    server_name www.example.com example.com;
    include snippets/letsencrypt.conf;
    return 301 https://$host$request_uri;
}
server {
    listen 443 ssl http2;
    server_name www.example.com;
    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/example.com/chain.pem;
    include snippets/ssl.conf;
    include snippets/letsencrypt.conf;
    return 301 https://example.com$request_uri;
}
server {
    listen 443 ssl http2;
    server_name example.com;
    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/example.com/chain.pem;
    include snippets/ssl.conf;
    include snippets/letsencrypt.conf;
    # . . . other code
}
With the configuration above, we are forcing HTTPS and redirecting the www to the non-www version.
Reload the Nginx service for the changes to take effect:
sudo systemctl reload nginx
Auto-renewing the Let's Encrypt SSL certificate
Let's Encrypt certificates are valid for 90 days. To automatically renew the certificates before they expire, the certbot package creates a cronjob which runs twice a day and automatically renews any certificate that is within 30 days of its expiration.
Since we are using the certbot webroot plugin, once the certificate is renewed we also have to reload the nginx service. To do so, append --renew-hook "systemctl reload nginx" to the /etc/cron.d/certbot file so that it looks like this:
sudo nano /etc/cron.d/certbot
0 */12 * * * root test -x /usr/bin/certbot -a \! -d /run/systemd/system && perl -e 'sleep int(rand(3600))' && certbot -q renew --renew-hook "systemctl reload nginx"
To test the renewal process, you can use the certbot --dry-run switch:
sudo certbot renew --dry-run
If there are no errors, then the renewal process was successful.
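Certbot only renews a certificate once it is within 30 days of expiry. The script below is an added example, not part of the original tutorial, that reproduces that check with plain openssl against any certificate file, so you can see why a dry run reports "not yet due for renewal"; it builds two throwaway self-signed certificates as constructed test data, and the /etc/letsencrypt path is mentioned only as what you would point it at on a real server.

```shell
#!/bin/sh
# Added example, not from the original tutorial: reproduce Certbot's
# "renew when fewer than 30 days remain" rule with openssl, so a certificate
# file such as /etc/letsencrypt/live/example.com/fullchain.pem can be checked
# by hand without waiting for the cron job.
set -eu

RENEW_WITHIN_DAYS=30   # Certbot's default renewal window

# Print the notAfter date of a PEM certificate.
cert_expiry() {
    openssl x509 -in "$1" -noout -enddate
}

# Return 0 if the certificate expires within RENEW_WITHIN_DAYS days
# (the renewal cron would renew it now), 1 if it is still fine.
# `openssl x509 -checkend N` succeeds only when the certificate is still
# valid N seconds from now, so its result is inverted here.
needs_renewal() {
    if openssl x509 -in "$1" -noout -checkend $((RENEW_WITHIN_DAYS * 86400)); then
        return 1
    fi
    return 0
}

# Constructed test data: a throwaway self-signed certificate valid for $2
# days, standing in for a real Let's Encrypt certificate.
make_test_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days "$2" \
        -subj "/CN=example.com" -keyout "$1.key" -out "$1" 2>/dev/null
}

# Demo: one certificate close to expiry, one freshly issued 90-day certificate.
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
make_test_cert "$tmp/expiring.pem" 10
make_test_cert "$tmp/fresh.pem" 90
for c in "$tmp/expiring.pem" "$tmp/fresh.pem"; do
    if needs_renewal "$c"; then
        echo "RENEW  $(basename "$c"): $(cert_expiry "$c")"
    else
        echo "OK     $(basename "$c"): $(cert_expiry "$c")"
    fi
done
```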
Conclusion
In this tutorial, you used the Let's Encrypt client, certbot, to obtain SSL certificates for your domain. You also created Nginx snippets to avoid duplicating code and configured Nginx to use the certificates. At the end of the tutorial, you set up a cronjob for automatic certificate renewal.
If you would like more information about how to use Certbot, their documentation is a good place to start.