SSL certificates: Let’s Encrypt

In this post I’ll explain how to install free SSL certificates for your website, using Let’s Encrypt. Let’s Encrypt is a free, automated, and open certificate authority (CA), run for the public’s benefit. It is a service provided by the Internet Security Research Group (ISRG).

Platform: Ubuntu 14.04, Nginx and OpenSSL, SSH root access

Step 1

Download Certbot (ACME Client Implementation) for Let’s Encrypt:

$ sudo su
$ cd ~
$ wget https://dl.eff.org/certbot-auto
$ chmod a+x certbot-auto
$ ./certbot-auto

Executing ./certbot-auto will first install all the requirements.

Step 2

Generate a strong Diffie-Hellman group. To further increase security, you should also generate your own Diffie-Hellman parameters instead of relying on a default group. To generate a 2048-bit group, use this command:

$ openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048

Step 3

Allow Nginx to serve the ACME challenge files from the hidden .well-known directory (requests to dot-directories are often blocked). Add the following lines to your /etc/nginx/sites-enabled/siteconfig*:

server {
    # ... snippet start
    location ~ /\.well-known/acme-challenge/ {
        root /usr/local/acme-ssl/;
        index index.html index.htm;
        try_files $uri =404;
    }
    # ... snippet end
}

*siteconfig is the file name of your enabled site, e.g. mydomain.net.conf

Step 4

Create the /usr/local/acme-ssl/ directory and chown it to the Nginx user (usually www-data):

$ mkdir -p /usr/local/acme-ssl/
$ chown -R www-data:www-data /usr/local/acme-ssl

Step 5

Generate a certificate using Certbot:

$ cd ~
$ ./certbot-auto certonly --renew-by-default -a webroot --webroot-path=/usr/local/acme-ssl/ -d domain.tld -d www.domain.tld

Certbot will save the certificate and key files in the /etc/letsencrypt/live/domain.tld directory.

Step 6

Enable SSL by making modifications to your /etc/nginx/sites-enabled/siteconfig* file. The new file should look like this:

server {
    listen *:80;
    server_name www.domain.tld domain.tld;
    return 301 https://$host$request_uri;
}

server {
    listen *:443;

    ssl on;
    ssl_certificate /etc/letsencrypt/live/domain.tld/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/domain.tld/privkey.pem;

    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_dhparam /etc/ssl/certs/dhparam.pem;
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:50m;
    ssl_stapling on;
    ssl_stapling_verify on;
    add_header Strict-Transport-Security max-age=15768000;

    server_name www.domain.tld domain.tld;

    # rest of your server {} block goes below ...
}

Step 7

Test the Nginx configuration and reload it:

$ service nginx configtest
$ service nginx reload

That’s it. Now, when you access http://domain.tld you should be redirected to https://domain.tld/ and be served with a valid certificate.

P.S. Let’s Encrypt certificates are valid for 90 days only. You should create a cronjob that runs twice a day and will automatically renew your certificate. Example cronjob:

30 6,23 * * * /root/certbot-auto renew --quiet --no-self-upgrade
35 6,23 * * * /etc/init.d/nginx reload

This cronjob will run twice a day, at 06:30 AM and 23:30 (11:30 PM), and will renew all the certificates that are about to expire. At :35, the Nginx configuration will be reloaded in order to use the new certificate.
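The second cron line above reloads Nginx every time, whether or not a certificate was actually renewed. As an added example (not part of the original post), the script below records the SHA-256 of the live fullchain.pem and reloads Nginx only when that hash changes, so a failed or skipped renewal never triggers a reload. The certificate path is the one from the post; the state file location /var/lib/acme-reload/ and the script name acme-reload.sh are assumptions.

```shell
#!/bin/sh
# acme-reload.sh: reload Nginx only when the live certificate has changed.
# Run it from cron a few minutes after `certbot-auto renew`, e.g.
#   35 6,23 * * * /root/acme-reload.sh

CERT="${CERT:-/etc/letsencrypt/live/domain.tld/fullchain.pem}"
STATE="${STATE:-/var/lib/acme-reload/fullchain.sha256}"   # assumed location

# cert_changed CERT STATE
#   returns 0 when the certificate's hash differs from the one recorded in
#   STATE (and records the new hash), 1 when unchanged, 2 when unreadable.
cert_changed() {
    cert="$1"; state="$2"
    [ -r "$cert" ] || { echo "cannot read $cert" >&2; return 2; }
    new=$(sha256sum "$cert" | cut -d' ' -f1)
    old=""
    [ -r "$state" ] && old=$(cat "$state")
    [ "$new" = "$old" ] && return 1
    mkdir -p "$(dirname "$state")"
    printf '%s\n' "$new" > "$state"
    return 0
}

main() {
    if cert_changed "$CERT" "$STATE"; then
        # Validate the configuration before reloading, as in Step 7.
        service nginx configtest && service nginx reload
    fi
}

# Only act when executed as the script itself, not when sourced for testing.
case "$0" in */acme-reload.sh|acme-reload.sh) main ;; esac
```

Newer Certbot releases can run the same reload logic directly via `--deploy-hook`, which only fires after a successful renewal; this script serves the plain cron setup shown in the post.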
