LetsEncrypt is a free open certificate authority (CA) that provides free certificates for websites and other services. The service, which is backed by the Electronic Frontier Foundation, Mozilla, Cisco Systems, and Akamai. Unfortunately, LetsEncrypt.org certificates currently have a 3 month lifetime. This means you’ll need to renew your certificate quarterly for now.
This article assumes you have at least basic knowledge of Linux, know how to use the shell, and most importantly, you host your site on your own VPS. The installation is quite simple and assumes you are running in the root account, if not you may need to add ‘sudo’ to the commands to get root privileges. I will show you through the step by step installation Let’s Encrypt SSL with Nginx on a Ubuntu 16.04 LTS xenial xerus server.
Install Let’s Encrypt SSL With Nginx on Ubuntu 16.04 LTS
Step 1. First, make sure that all your system packages are up-to-date by running these following apt-get commands in the terminal.
sudo apt-get update sudo apt-get upgrade
Step 2. Installing Let’s Encrypt SSL on Ubuntu 16.04
The first step is to install certbot, the software client which will automate almost everything in the process:
add-apt-repository ppa:certbot/certbot apt-get update apt-get install certbot
You will also need to have nginx installed and running. Of course, if you are adding certificates onto a previously configured web host this would already be installed:
apt-get install nginx systemctl start nginx
The first step to install let’s encrypt ssl on Ubuntu Linux is to add a simple configuration inside your nginx server block configuration. Add this line to your server block configuration:
location ~ /.well-known {
allow all;
}
Save and exit to apply changes:
### nginx -t nginx: the configuration file /etc/nginx/nginx.conf syntax is ok nginx: configuration file /etc/nginx/nginx.conf test is successful
Restart Nginx:
systemctl restart nginx
Obtaining a certificate with Certbot:
Run the command as you see below, replace “wpcademy.com” with your real domain name and /var/www/wpcademy.com with your real webroot path:
certbot certonly -a webroot --webroot-path=/var/www/wpcademy.com -d wpcademy.com -d www.wpcademy.com
Result:
[[email protected]:~]certbot certonly -a webroot --webroot-path=/var/www/wpcademy.com -d wpcademy.com -d www.wpcademy.com Saving debug log to /var/log/letsencrypt/letsencrypt.log Obtaining a new certificate Performing the following challenges: http-01 challenge for wpcademy.net Using the webroot path /var/www/html for all unmatched domains. Waiting for verification... Cleaning up challenges Generating key (2048 bits): /etc/letsencrypt/keys/0001_key-certbot.pem Creating CSR: /etc/letsencrypt/csr/0001_csr-certbot.pem IMPORTANT NOTES: - Congratulations! Your certificate and chain have been saved at /etc/letsencrypt/live/wpcademy.com/fullchain.pem. Your cert will expire on 2017-07-16. To obtain a new or tweaked version of this certificate in the future, simply run certbot again. To non-interactively renew *all* of your certificates, run "certbot renew" - If you like Certbot, please consider supporting our work by: Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate Donating to EFF: https://eff.org/donate-le [[email protected]:~] /[php] <strong>Step 3. Configure SSL/TLS on NGINX web server.</strong> First, edit the server block file you specified during configuration through Certbot and add this three directives: [php] listen 443 ssl http2; ssl_certificate /etc/letsencrypt/live/wpcademy.com/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/wpcademy.com/privkey.pem;
The full nginx server block configuration may look like this:
server {
listen 80;
server_name wpcademy.com www.wpcademy.com;
rewrite ^(.*) https://wpcademy.com$1 permanent;
}
server {
access_log off;
log_not_found off;
error_log logs/wpcademy.com-error_log warn;
server_name wpcademy.com;
root /var/www/wpcademy.com;
index index.php index.html index.htm;
listen 443 ssl http2;
ssl_certificate /etc/letsencrypt/live/wpcademy.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/wpcademy.com/privkey.pem;
## Stuff required by certbot
location ~ /.well-known {
allow all;
}
## SSL
ssl_session_cache shared:SSL:20m;
ssl_session_timeout 10m;
ssl_prefer_server_ciphers On;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS;
ssl_stapling on;
ssl_stapling_verify on;
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 10s;
access_log /var/www/wpcademy.com/logs/access.log;
error_log /var/www/wpcademy.com/logs/error.log;
# php-script handler
location ~ \.php$ {
fastcgi_index index.php;
fastcgi_pass 127.0.0.1:9000; fastcgi_read_timeout 150;
root /var/www/wpcademy.com/public_html;
fastcgi_param SCRIPT_FILENAME /var/www/wpcademy.com$fastcgi_script_name;
include /etc/nginx/fastcgi_params;
}
location ~ /\.ht {
deny all;
}
}
Save and close the file when you are finished.
Step 5. Set Up Let’s Encrypt SSL Auto Renewal.
We will add a cronjob to run the renewal command every week, run this command:
export VISUAL=nano; crontab -e
Paste the following lines:
01 1 * * 0 /usr/bin/certbot renew >> /var/log/ssl-renew.log 06 1 * * 0 /usr/bin/systemctl nginx reload
Save and Exit from the crontab table.
This will create a new cronjob that will be executed every Sunday at 01 AM, and then it will reload Nginx web server to apply the changes. The output will be logged into /var/log/ssl-renew.log file for further analysis if needed.
Congratulation’s! You have successfully installed Let’s Encrypt. Thanks for using this tutorial for installing Let’s Encrypt SSL on Ubuntu 16.04 LTS system. For additional help or useful information, we recommend you to check the official Let’s Encrypt web site.