In this post I’ll explain how to install free SSL certificates for your website, using Let’s Encrypt. Let’s Encrypt is a free, automated, and open certificate authority (CA), run for the public’s benefit. It is a service provided by the Internet Security Research Group (ISRG).
Platform: Ubuntu 14.04, Nginx and OpenSSL, SSH root access
Step 1
Download Certbot (ACME Client Implementation) for Let’s Encrypt:
$ sudo su $ cd ~ $ wget https://dl.eff.org/certbot-auto $ chmod a+x certbot-auto $ ./certbot-auto
Executing ./certbot-auto will first install all the requirements.
Step 2
Generate Strong Diffie-Hellman Group. To further increase security, you should also generate a strong Diffie-Hellman group. To generate a 2048-bit group, use this command:
$ openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048
Step 3
Allow requests to Nginx, to read from . directories. Add the following lines to your /etc/nginx/sites-enabled/siteconfig*:
server {
# ... snippet start
location ~ /\.well-known/acme-challenge/ {
root /usr/local/acme-ssl/;
index index.html index.htm;
try_files $uri =404;
}
# ... snippet end
}
*siteconfig is the file name of your enabled site. eg: mydomain.net.conf
Step 4
Create /usr/local/acme-ssl/ directory and chown it with Nginx user (usually www-data):
$ mkdir -p /usr/local/acme-ssl/ $ chown -R www-data:www-data /usr/local/acme-ssl
Step 5
Generate a certificate using Certbot
$ cd ~ $ ./certbot-auto certonly --renew-by-default -a webroot --webroot-path=/usr/local/acme-ssl/ -d domain.tld -d www.domain.tld
Certbot will save certificate information in /etc/letsencrypt/live/domain.tld directory.
Step 6
Enable SSL by making modifications to your /etc/nginx/sites-enabled/siteconfig* file. The new file should look like this:
server {
listen *:80;
server_name www.domain.tld domain.tld;
return 301 https://$host$request_uri;
}
server {
listen *:443;
ssl on;
ssl_certificate /etc/letsencrypt/live/domain.tld/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/domain.tld/privkey.pem;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_dhparam /etc/ssl/certs/dhparam.pem;
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:50m;
ssl_stapling on;
ssl_stapling_verify on;
add_header Strict-Transport-Security max-age=15768000;
server_name www.domain.tld domain.tld;
# rest of your server {} block goes below ...
}
Step 7
Test Nginx configuration and reload reload it:
$ service nginx configtest $ service nginx reload
That’s it. Now, when you access http://domain.tld you should be redirected to https://domain.tld/ having a valid certificate.
P.S. Let’s Encrypt certificates are valid for 90 days only. You should create a cronjob that runs twice a day and will automatically renew your certificate. Example cronjob:
30 6,23 * * * /root/certbot-auto renew --quiet --no-self-upgrade 35 6,23 * * * /etc/init.d/nginx reload
This cronjob will run twice a day: at 06:30 AM and 23:30 (11:30 PM) and will renew all the certificates that are about to expire. At :35 , Nginx configuration will be reloaded in order to use the new certificate.