SSL certificates: Let’s Encrypt

In this post I’ll explain how to install free SSL certificates for your website, using Let’s Encrypt. Let’s Encrypt is a free, automated, and open certificate authority (CA), run for the public’s benefit. It is a service provided by the Internet Security Research Group (ISRG).

Platform: Ubuntu 14.04, Nginx and OpenSSL, SSH root access

Step 1

Download Certbot (ACME Client Implementation) for Let’s Encrypt:

$ sudo su
$ cd ~
$ wget
$ chmod a+x certbot-auto
$ ./certbot-auto

Executing ./certbot-auto will first install all the requirements.

Step 2

Generate a strong Diffie-Hellman group. To further increase security, you should generate your own strong Diffie-Hellman group. To generate a 2048-bit group, use this command:

$ openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048

Step 3

Allow Nginx to serve the ACME challenge files from the .well-known dot directory. Add the following lines to your /etc/nginx/sites-enabled/siteconfig*:

server {
    # ... snippet start
    # Certbot writes each challenge token under <webroot>/.well-known/acme-challenge/
    location ~ /\.well-known/acme-challenge/ {
        root /usr/local/acme-ssl/;
        index index.html index.htm;
        try_files $uri =404;
    }
    # ... snippet end
}

*siteconfig is the file name of your enabled site. eg:

Step 4

Create /usr/local/acme-ssl/ directory and chown it with Nginx user (usually www-data):

$ mkdir -p /usr/local/acme-ssl/
$ chown -R www-data:www-data /usr/local/acme-ssl

Step 5

Generate a certificate using Certbot

$ cd ~
$ ./certbot-auto certonly --renew-by-default -a webroot --webroot-path=/usr/local/acme-ssl/ -d domain.tld -d www.domain.tld

Certbot will save certificate information in /etc/letsencrypt/live/domain.tld directory.

Step 6

Enable SSL by making modifications to your /etc/nginx/sites-enabled/siteconfig* file. The new file should look like this:

server {
    listen *:80;
    server_name www.domain.tld domain.tld;
    return 301 https://$host$request_uri;
}

server {
    listen *:443;

    ssl on;
    ssl_certificate /etc/letsencrypt/live/domain.tld/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/domain.tld/privkey.pem;

    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_dhparam /etc/ssl/certs/dhparam.pem;
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:50m;
    ssl_stapling on;
    ssl_stapling_verify on;
    add_header Strict-Transport-Security max-age=15768000;

    server_name www.domain.tld domain.tld;

    # rest of your server {} block goes below ...
    # Keep the /.well-known/acme-challenge/ location from Step 3 in this block:
    # the port 80 server above redirects every request here, so renewals are
    # validated over HTTPS.
}

Step 7

Test the Nginx configuration and reload it:

$ service nginx configtest
$ service nginx reload

That’s it. Now, when you access http://domain.tld you should be redirected to https://domain.tld/ having a valid certificate.

P.S. Let’s Encrypt certificates are valid for 90 days only. You should create a cronjob that runs twice a day and will automatically renew your certificate. Example cronjob:

30 6,23 * * * /root/certbot-auto renew --quiet --no-self-upgrade
35 6,23 * * * /etc/init.d/nginx reload

This cronjob runs twice a day, at 06:30 and 23:30 (11:30 PM), and renews any certificate that is about to expire. At :35 the Nginx configuration is reloaded so that the new certificate is used.
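As an added example (not from the original post), here is a small POSIX shell wrapper for the cron job above that reloads Nginx only when certbot-auto actually wrote a new certificate, instead of reloading on a fixed schedule five minutes later. The file name renew-and-reload.sh, the default certificate path and the default command strings are assumptions; pass your own as arguments.

```shell
#!/bin/sh
# renew-and-reload.sh (hypothetical name): run from cron instead of the two
# separate lines, e.g.  30 6,23 * * * /root/renew-and-reload.sh
#
# Arguments (all optional, defaults are assumptions for this example):
#   $1  certificate file to watch
#   $2  renew command
#   $3  reload command

cert_fingerprint() {
    # Identity of the file contents; cksum is POSIX, so no openssl is needed.
    if [ -r "$1" ]; then
        cksum < "$1"
    else
        echo missing
    fi
}

renew_and_reload() {
    cert="${1:-/etc/letsencrypt/live/domain.tld/fullchain.pem}"
    renew_cmd="${2:-/root/certbot-auto renew --quiet --no-self-upgrade}"
    reload_cmd="${3:-service nginx reload}"

    before=$(cert_fingerprint "$cert")
    if ! sh -c "$renew_cmd"; then
        echo "renew failed" >&2
        return 2
    fi
    after=$(cert_fingerprint "$cert")

    if [ "$before" = "$after" ]; then
        # Nothing was issued (cert not yet due, or renew was a no-op): leave Nginx alone.
        echo "unchanged"
        return 0
    fi
    # A new fullchain.pem exists: reload so Nginx picks it up.
    if sh -c "$reload_cmd"; then
        echo "reloaded"
        return 0
    fi
    echo "reload failed" >&2
    return 3
}

# Only run automatically when executed as the script itself.
if [ "${0##*/}" = "renew-and-reload.sh" ]; then
    renew_and_reload "$@"
fi
```

A failed renewal leaves the running certificate untouched and exits non-zero, so cron mails the error instead of silently reloading Nginx with an unchanged configuration.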
