Tag: Let’s Encrypt SSL

Posted on

How To Install Let’s Encrypt SSL With Nginx on CentOS 7

Let’s Encrypt SSL With Nginx on CentOS 7

LetsEncrypt is a free open certificate authority (CA) that provides free certificates for websites and other services. The service, which is backed by the Electronic Frontier Foundation, Mozilla, Cisco Systems, and Akamai. Unfortunately, LetsEncrypt.org certificates currently have a 3 month lifetime. This means you’ll need to renew your certificate quarterly for now.

Prerequisites

This article assumes you have at least basic knowledge of linux, know how to use the shell, and most importantly, you host your site on your own VPS. The installation is quite simple and assumes you are running in the root account, if not you may need to add ‘sudo’ to the commands to get root privileges. I will show you through the step by step installation Let’s Encrypt SSL with Nginx on a CentOS 7 server.
Install Let’s Encrypt SSL With Nginx on CentOS 7

Step 1. First let’s start by ensuring your system is up-to-date.

yum clean all
yum -y update
Step 2. Installing Let’s Encrypt SSL on CentOS 7.

In CentOS 7, you can find Certbot on the EPEL repository; if you enable it, just install what you need:
yum install epel-release
yum install certbot

You will also need to have nginx installed and running. Of course, if you are adding certificates onto a previously configured web host this would already be installed:

yum install nginx
systemctl start nginx

The first step to install let’s encrypt ssl on CentOS Linux is to add a simple configuration inside your nginx virtual host configuration. Add this line to your vhost configuration:

location ~ /.well-known {
allow all;
}

Save and exit to apply changes:

nginx -t
systemctl restart nginx

Obtaining a certificate with Certbot:

Run the command as you see below, replace “wpcademy.com” with your real domain name and /var/www/wpcademy.com with your real webroot path:

certbot certonly -a webroot --webroot-path=/var/www/wpcademy.com -d wpcademy.com -d www.wpcademy.com

Result:

[[email protected]:~]certbot certonly -a webroot --webroot-path=/var/www/wpcademy.com -d wpcademy.com -d www.wpcademy.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for wpcademy.com
Using the webroot path /var/www/html for all unmatched domains.
Waiting for verification...
Cleaning up challenges
Generating key (2048 bits): /etc/letsencrypt/keys/0001_key-certbot.pem
Creating CSR: /etc/letsencrypt/csr/0001_csr-certbot.pem
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at
/etc/letsencrypt/live/idroot.us/fullchain.pem. Your cert
will expire on 2017-07-16. To obtain a new or tweaked version of
this certificate in the future, simply run certbot again. To
non-interactively renew *all* of your certificates, run "certbot
renew"
- If you like Certbot, please consider supporting our work by:

Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
[[email protected]:~]

Step 3. Configure Let’s Encrypt TLS/SSL on Nginx Web Server.

First, edit the Virtual Host file you specified during configuration through Certbot and add this three directives:

listen 443 ssl http2;
ssl_certificate /etc/letsencrypt/live/idroot.us/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/idroot.us/privkey.pem;

The full nginx vhost configuration may look like this:

server {
listen 80;
server_name wpcademy.com www.wpcademy.com;
rewrite ^(.*) https://wpcademy.com$1 permanent;
}

server {
access_log off;
log_not_found off;
error_log logs/idroot.us-error_log warn;

server_name wpcademy.com;
root /var/www/wpcademy.com;
index index.php index.html index.htm;

listen 443 ssl http2;
ssl_certificate /etc/letsencrypt/live/wpcademy.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/wpcademy.com/privkey.pem;

## Stuff required by certbot
location ~ /.well-known {
allow all;
}

## SSL
ssl_session_cache shared:SSL:20m;
ssl_session_timeout 10m;

ssl_prefer_server_ciphers On;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS;

ssl_stapling on;
ssl_stapling_verify on;
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 10s;

access_log /var/www/wpcademy.com/logs/access.log;
error_log /var/www/wpcademy.com/logs/error.log;

# php-script handler
location ~ \.php$ {
fastcgi_index index.php;
fastcgi_pass 127.0.0.1:9000; fastcgi_read_timeout 150;
root /var/www/wpcademy.com/public_html;
fastcgi_param SCRIPT_FILENAME /var/www/idroot.us$fastcgi_script_name;
include /etc/nginx/fastcgi_params;
}
location ~ /\.ht {
deny all;
}
}

Step 5. Set Up Let’s Encrypt SSL Auto Renewal.

We will add a cronjob to run the renewal command every week, run this command:

export VISUAL=nano; crontab -e

Paste the following lines:

01 1 * * 0 /usr/bin/certbot renew >> /var/log/ssl-renew.log
06 1 * * 0 /usr/bin/systemctl nginx reload

Save and Exit from the crontab table.

This will create a new cronjob that will be executed every Sunday at 01 AM, and then it will reload Nginx web server to apply the changes. The output will be logged into /var/log/ssl-renew.log file for further analysis if needed.

Congratulation’s! You have successfully installed Let’s Encrypt. Thanks for using this tutorial for installing Let’s Encrypt SSL on CentOS 7 system. For additional help or useful information, we recommend you to check the official Let’s Encrypt web site.

Posted on

How To Install Let’s Encrypt SSL With Apache on CentOS 7

Let’s Encrypt SSL With Apache on CentOS 7

LetsEncrypt is a free open certificate authority (CA) that provides free certificates for websites and other services. The service, which is backed by the Electronic Frontier Foundation, Mozilla, Cisco Systems, and Akamai. Unfortunately, LetsEncrypt.org certificates currently have a 3 month lifetime. This means you’ll need to renew your certificate quarterly for now.

Prerequisites

This article assumes you have at least basic knowledge of linux, know how to use the shell, and most importantly, you host your site on your own VPS. The installation is quite simple and assumes you are running in the root account, if not you may need to add ‘sudo’ to the commands to get root privileges. I will show you through the step by step installation Let’s Encrypt SSL with Apache on a CentOS 7 server.
Install Let’s Encrypt SSL With Apache on CentOS 7

Step 1. First let’s start by ensuring your system is up-to-date.

yum clean all
yum -y update

Step 2. Installing Let’s Encrypt SSL using Certbot.

In CentOS 7, you can find Certbot on the EPEL repository; if you enable it, just install what you need:

yum install epel-release
yum install python-certbot-apach

Certbot has a fairly solid beta-quality Apache plugin, which is supported on many platforms, and automates both obtaining and installing certs:

certbot --apache

After that, you’ll see a guide to customize your options, just like this:
Let%u2019s-Encrypt-SSL-Apache
Enter the domain you want to secure; then, Certbot will prompt you to enter your email address:
Let%u2019s-Encrypt-SSL-Apache-1
Next, you will choose the Virtual Host file, being the default ssh.conf. After that, you can decide whether to enable both http and https access or redirect to https. The secure option is the second one (https). At the end of the procedure, Certbot will display a message containing configuration information.

Step 3. Configuration CentOS SSL.

First, edit the Virtual Host file you specified during configuration through Certbot. If you used the default one, the file should be /etc/httpd/conf.d/ssl.conf:

SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
SSLProtocol All -SSLv2 -SSLv3
SSLHonorCipherOrder On
Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
Header always set X-Frame-Options DENY
Header always set X-Content-Type-Options nosniff
# Requires Apache >= 2.4
SSLCompression off
SSLUseStapling on
SSLStaplingCache "shmcb:logs/stapling-cache(150000)"
# Requires Apache >= 2.4.11
SSLSessionTickets Off

Save and close the file. Restart the apache service for the changes to take effects:

systemctl restart httpd.service

Step 4. Automating renewal Let’s Encrypt.

Certbot can be configured to renew your certificates automatically before they expire. Since Let’s Encrypt certificates last for 90 days, it’s highly advisable to take advantage of this feature. You can test automatic renewal for your certificates by running this command:

certbot renew --dry-run

Congratulation’s! You have successfully installed Let’s Encrypt. Thanks for using this tutorial for installing Let’s Encrypt SSL on CentOS 7 system. For additional help or useful information, we recommend you to check the official Let’s Encrypt web site.

Posted on

How To Install Let’s Encrypt SSL With Lighttpd on CentOS 7

Let’s Encrypt SSL With Lighttpd on CentOS 7

LetsEncrypt is a free open certificate authority (CA) that provides free certificates for websites and other services. The service, which is backed by the Electronic Frontier Foundation, Mozilla, Cisco Systems, and Akamai. Unfortunately, LetsEncrypt.org certificates currently have a 3 month lifetime. This means you’ll need to renew your certificate quarterly for now.

Table of Contents

Step 1. First let’s start by ensuring your system is up-to-date.

Step 2. Installing Let’s Encrypt SSL using Certbot.

Step 3. Configure Lighttpd For Your New Cert.

Step 4. Force HTTPS requests for Lighttpd.

Step 5. Set Up Let’s Encrypt SSL Auto Renewal.

 

 Prerequisites

This article assumes you have at least basic knowledge of Linux, know how to use the shell, and most importantly, you host your site on your own VPS. The installation is quite simple and assumes you are running in the root account, if not you may need to add ‘sudo’ to the commands to get root privileges. I will show you through the step by step installation Let’s Encrypt SSL with Lighttpd on a CentOS 7 server.
Install Let’s Encrypt SSL With Lighttpd on CentOS 7

Step 1. First let’s start by ensuring your system is up-to-date.

yum clean all
yum -y update

Step 2. Installing Let’s Encrypt SSL using Certbot.

In CentOS 7, you can find Certbot on the EPEL repository; if you enable it, just install what you need:

yum install epel-release
yum install certbo

You will also need to have Lighttpd installed and running. Of course, if you are adding certificates onto a previously configured web host this would already be installed:

yum -y install lighttpd
systemctl start lighttpd.service

Obtaining a certificate with Certbot:

certbot certonly --webroot -w /var/www/wpcademy.com -d wpcademy.com -d www.wpcademy.com

Combine both certificate and private key in one file.

Lighty likes its certificates formatted in a specific way, so we’re going to combine the private keys and certificate into one file that we’ll tell lighty about later:

cat /etc/letsencrypt/live/idroot.us/privkey.pem /etc/letsencrypt/live/wpcademy.com/cert.pem > /etc/letsencrypt/live/idroot.us/combined.pem

Step 3. Configure Lighttpd For Your New Cert.

Configure lighty to use the new certificate and chain:

nano /etc/lighttpd/lighttpd.conf

Use the below information:

$SERVER["socket"] == ":443" {
ssl.engine = "enable"
ssl.pemfile = "/etc/letsencrypt/live/wpcademy.com/web.pem"
ssl.ca-file = "/etc/letsencrypt/live/wpcademy.com/chain.pem"
server.name = "wpcademy.com" 
server.document-root = "/var/www/wpcademy.com"
server.errorlog = "/var/log/lighttpd/wpcademy.com_error.log"
accesslog.filename = "/var/log/lighttpd/wpcademy.com_access.log"

Step 4. Force HTTPS requests for Lighttpd.

We can also configure HTTP to HTTPS redirection on Lighttpd server so that the traffic comes to non-HTTPS site redirect to the HTTPS site:

$HTTP["scheme"] == "http" {
$HTTP["host"] == "wpcadem.com" {
url.redirect = ("/.*" => "https://idroot.us$0")
}
}

Save and close the file when you are finished.

Step 5. Set Up Let’s Encrypt SSL Auto Renewal.

Let’s Encrypt certificates comes with a validity of 90 days; it is highly advisable to configure the cron (Linux Scheduler) job to renew your certificates before they expire:

certbot renew --dry-run

If that appears to be working properly, configure a cron job for the below command:

certbot renew

Congratulation’s! You have successfully installed Let’s Encrypt. Thanks for using this tutorial for installing Let’s Encrypt SSL With Lighttpd on CentOS 7 system. For additional help or useful information, we recommend you to check the official Let’s Encrypt web site.

Posted on

How To Install Let’s Encrypt SSL using DirectAdmin

Let’s Encrypt SSL using DirectAdmin

Let’s Encrypt is a free open certificate authority (CA) that provides free certificates for websites and other services. The service, which is backed by the Electronic Frontier Foundation, Mozilla, Cisco Systems, and Akamai. Unfortunately, LetsEncrypt.org certificates currently have a 3 month lifetime. This means you’ll need to renew your certificate quarterly for now.

Table of Contents

Step 1. First let’s start by ensuring your system is up-to-date.

Step 2. Login to your DirectAdmin VPS via SSH as user root.

Step 3. Get the latest Let’s Encrypt script

Step 4. Configure DirectAdmin.

 

Prerequisites

This article assumes you have at least basic knowledge of Linux, know how to use the shell, and most importantly, you host your site on your own VPS. The installation is quite simple and assumes you are running in the root account, if not you may need to add ‘sudo’ to the commands to get root privileges. I will show you through the step by step install Let’s Encrypt SSL using DirectAdmin on CentOS 7 server.
Install Let’s Encrypt SSL using DirectAdmin

Step 1. First let’s start by ensuring your system is up-to-date.

yum clean all
yum -y update

Step 2. Login to your DirectAdmin VPS via SSH as user root.

First, Login to your DirectAdmin VPS:

ssh root@Your_IP_Adress -p Port_number

Step 3. Get the latest Let’s Encrypt script

Next, we will clean the software list and make sure we’ve got the latest Let’s Encrypt script:

cd /usr/local/directadmin/custombuild/
./build clean all
./build update
./build letsencrypt

Then, rewrite the configuration files:

./build rewrite_confs

Step 4. Configure DirectAdmin.

In order to enable Let’s Encrypt support on DirectAdmin, open the DirectAdmin configuration file:

nano /usr/local/directadmin/conf/directadmin.conf
letsencrypt=1

You should also make sure that SNI is enabled in DirectAdmin by adding/modifying this line:

enable_ssl_sni=1

Save the file and restart DirectAdmin for the changes to take effect:

echo "action=directadmin&value=restart" >> /usr/local/directadmin/data/task.queue; /usr/local/directadmin/dataskq d2000

With this step Let’s Encrypt is enabled in DirectAdmin and we can proceed with the installation. Login to the control panel at https://yourdomain:2222 with your username and go to ‘SSL Certificates’ under ‘Advanced Features’:
DirectAdmin-SSL-2
If the SSL option is disabled for the selected domain as shown in the screenshot below, you need to enable it by clicking ‘here’:
DirectAdmin-SSL
If you properly enabled Let’s Encrypt, you will see the ‘Free and automatic certificate from Let’s Encrypt’ option. Check the check-box next to the Let’s Encrypt option and enter all necessary details for your domain below:
DirectAdmin-SSL-1
Then click the ‘Save’ button and a free Let’s Encrypt SSL certificate will be automatically installed.

Finally Restart the web server for the changes to take effect:

systemctl restart httpd

Congratulation’s! You have successfully installed Install Let’s Encrypt SSL DirectAdmin on CentOS 7. Thanks for using this tutorial for installing Let’s Encrypt SSL using DirectAdmin on CentOS 7 systems. For additional help or useful information, we recommend you to check the official Apache Zeppelin web site.

Posted on

How To Install Let’s Encrypt SSL for Nginx on Ubuntu 18.04 LTS

Install Let’s Encrypt SSL for Nginx on Ubuntu 18

Let’s Encrypt is a free open certificate authority (CA) that provides free certificates for websites and other services. The service, which is backed by the Electronic Frontier Foundation, Mozilla, Cisco Systems, and Akamai. Unfortunately, LetsEncrypt.org certificates currently have a 3 month lifetime. This means you’ll need to renew your certificate quarterly for now.

This article assumes you have at least basic knowledge of Linux, know how to use the shell, and most importantly, you host your site on your own VPS. The installation is quite simple and assumes you are running in the root account, if not you may need to add ‘sudo’ to the commands to get root privileges. I will show you through the step by step installation Let’s Encrypt SSL for Nginx on Ubuntu 18.04 LTS server.

Install Let’s Encrypt SSL for Nginx on Ubuntu 18.04 LTS

Step 1. First make sure that all your system packages are up-to-date

apt-get update
apt-get upgrade

Step 2. Installing Let’s Encrypt SSL on Ubuntu 18.04 LTS.

First, Add certbot to the repository:

sudo add-apt-repository ppa:certbot/certbot
sudo apt update
sudo apt install python-certbot-nginx

Step 3. Setup Domain Name to Server Block.

Certbot automates the configuration of SSL for Nginx by looking for the server_name directive that matches the domain you’re requesting a certificate for. If you have already configured the server_name directive previously, you can skip to Step 4.

Step 4. Generate Certs using Certbot.

First, We can now generate certs using certbot. Replace intanramona.net with your own domain:

sudo certbot --nginx -d intanramona.net -d www.intanramona.net

Enter an email address where you can be contacted in case of urgent renewal and security notices:

Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server at
https://acme-v01.api.letsencrypt.org/directory
-------------------------------------------------------------------------------
(A)gree/(C)ancel:

Press a and ENTER to agree to the Terms of Service:

Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about EFF and
our work to encrypt the web, protect its users and defend digital rights.
-------------------------------------------------------------------------------
(Y)es/(N)o:

Press n and ENTER to not share your email address with EFF:

Obtaining a new certificate
Performing the following challenges:
http-01 challenge for intanramona.net
http-01 challenge for www.intanramona.net
Waiting for verification...
Cleaning up challenges
Deploying Certificate to VirtualHost /etc/nginx/sites-enabled/default
Deploying Certificate to VirtualHost /etc/nginx/sites-enabled/default

If successful, you will be able to choose between enabling both http and https access or forcing all requests to redirect to https:

Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
-------------------------------------------------------------------------------
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
-------------------------------------------------------------------------------
Select the appropriate number [1-2] then [enter] (press 'c' to cancel):

Press 2 and ENTER to redirect HTTP traffic to HTTPS:

Redirecting all traffic on port 80 to ssl in /etc/nginx/sites-enabled/default
Redirecting all traffic on port 80 to ssl in /etc/nginx/sites-enabled/default

-------------------------------------------------------------------------------
Congratulations! You have successfully enabled https://devtest1.com and
https://www.devtest1.com

You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=intanramona.net
https://www.ssllabs.com/ssltest/analyze.html?d=www.intanramona.net
-------------------------------------------------------------------------------

IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/intanramona.net/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/intanramona.net/privkey.pem
Your cert will expire on 2018-12-05. To obtain a new or tweaked
version of this certificate in the future, simply run certbot again
with the "certonly" option. To non-interactively renew *all* of
your certificates, run "certbot renew"
- If you like Certbot, please consider supporting our work by:

Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le

Step 5. Setup auto renewal Let’s Encrypt.

Let’s Encrypt certificates are valid for 3 month, they need to be checked for renewal periodically. Certbot will automatically run twice a day and renew any certificate that is within thirty days of expiration:

sudo certbot renew --dry-run

Congratulation’s! You have successfully installed Let’s Encrypt. Thanks for using this tutorial for installing Let’s Encrypt SSL on Ubuntu 18.04 LTS Bionic Beaver system. For additional help or useful information, we recommend you to check the official Let’s Encrypt web site.

Posted on

How To Install Let’s Encrypt SSL on Ubuntu With Apache

Install Let’s Encrypt SSL on Ubuntu With Apache

LetsEncrypt is a free open certificate authority (CA) that provides free certificates for websites and other services. The service, which is backed by the Electronic Frontier Foundation, Mozilla, Cisco Systems, and Akamai. Unfortunately, LetsEncrypt.org certificates currently have a 3 month lifetime. This means you’ll need to renew your certificate quarterly for now.

This article assumes you have at least basic knowledge of linux, know how to use the shell, and most importantly, you host your site on your own VPS. The installation is quite simple and assumes you are running in the root account, if not you may need to add ‘sudo’ to the commands to get root privileges. I will show you through the step by step installation Let’s Encrypt SSL on a Ubuntu 16.04 LTS (Xenial Xerus) server.

Install Let’s Encrypt SSL on Ubuntu With Apache

Step 1. First make sure that all your system packages are up-to-date by running these following apt-get commands in the terminal.

apt-get update
apt-get upgrade
apt-get install git

Step 2. Install LAMP (Linux, Apache, MariaDB, PHP) server.

A Ubuntu 16.04 LAMP server is required. If you do not have LAMP installed, you can follow our guide here.

Step 3. Installing Let’s Encrypt SSL.

Next, run the commands below to clone Let’s Encrypt git project to your server and this will create a folder called letencrypt in the /opt directory:

git clone https://github.com/letsencrypt/letsencrypt /opt/letsencrypt

Generating Let’s Encrypt certificates:

cd /opt/letsencrypt

Run the commands below to generate a SSL certificate for your domain (example.com) or website:

./letsencrypt-auto --apache -d example.com

You can also use a single certificate on multiple domains and sub-domains, to do that, you’ll have to add them as additional perimeters to the command:

./letsencrypt-auto --apache -d example.com -d www.example.com

After the installation process finishes successfully a congratulation message is displayed on your console informing you about the expiration date and how you can test the configuration as illustrated on the below screenshots and you should be able to find the generated certificate files at /etc/letsencrypt/live.

letsencrypt-ssl-generate

Finally, now your domain should be accessible via HTTPS! Check it out at https://yourdomain.com.

Step 4. Set up auto renewal Let’s Encrypt.

Let’s Encrypt certificates are valid for 3 month, but it’s recommended that you renew the certificates every 2 month to allow a margin of error. To renew that certificate, you’ll have to come back into the /opt/letsencrypt directory and run the commands below:

./letsencrypt-auto renew

Or you can also setup a cron job to automatically renew your certificate before it expires by editing cron and specifying how often you want to check/renew:

sudo crontab -e

Add the line below and save:

0 0 * * 0 /opt/letsencrypt/letsencrypt-auto renew >> /var/log/le-renew.log

Congratulation’s! You have successfully installed Let’s Encrypt SSL. Thanks for using this tutorial for installing Let’s Encrypt SSL with Apache on your Ubuntu 16.04 LTS (Xenial Xerus) system. For additional help or useful information, we recommend you to check the official LetsEncrypt SSL web site.

Posted on

How To Install Let’s Encrypt SSL With Nginx on Ubuntu 16.04 LTS

Install Let’s Encrypt SSL With Nginx on Ubuntu 16

LetsEncrypt is a free open certificate authority (CA) that provides free certificates for websites and other services. The service, which is backed by the Electronic Frontier Foundation, Mozilla, Cisco Systems, and Akamai. Unfortunately, LetsEncrypt.org certificates currently have a 3 month lifetime. This means you’ll need to renew your certificate quarterly for now.

This article assumes you have at least basic knowledge of Linux, know how to use the shell, and most importantly, you host your site on your own VPS. The installation is quite simple and assumes you are running in the root account, if not you may need to add ‘sudo’ to the commands to get root privileges. I will show you through the step by step installation Let’s Encrypt SSL with Nginx on a Ubuntu 16.04 LTS xenial xerus server.
Install Let’s Encrypt SSL With Nginx on Ubuntu 16.04 LTS

Step 1. First, make sure that all your system packages are up-to-date by running these following apt-get commands in the terminal.

sudo apt-get update
sudo apt-get upgrade

Step 2. Installing Let’s Encrypt SSL on Ubuntu 16.04

The first step is to install certbot, the software client which will automate almost everything in the process:

add-apt-repository ppa:certbot/certbot
apt-get update
apt-get install certbot

You will also need to have nginx installed and running. Of course, if you are adding certificates onto a previously configured web host this would already be installed:

apt-get install nginx
systemctl start nginx

The first step to install let’s encrypt ssl on Ubuntu Linux is to add a simple configuration inside your nginx server block configuration. Add this line to your server block configuration:

location ~ /.well-known {
  allow all;
  }

Save and exit to apply changes:

### nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

Restart Nginx:

systemctl restart nginx

Obtaining a certificate with Certbot:

Run the command as you see below, replace “wpcademy.com” with your real domain name and /var/www/wpcademy.com with your real webroot path:

certbot certonly -a webroot --webroot-path=/var/www/wpcademy.com -d wpcademy.com -d www.wpcademy.com

Result:

[[email protected]:~]certbot certonly -a webroot --webroot-path=/var/www/wpcademy.com -d wpcademy.com -d www.wpcademy.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for wpcademy.net
Using the webroot path /var/www/html for all unmatched domains.
Waiting for verification...
Cleaning up challenges
Generating key (2048 bits): /etc/letsencrypt/keys/0001_key-certbot.pem
Creating CSR: /etc/letsencrypt/csr/0001_csr-certbot.pem
IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at
   /etc/letsencrypt/live/wpcademy.com/fullchain.pem. Your cert
   will expire on 2017-07-16. To obtain a new or tweaked version of
   this certificate in the future, simply run certbot again. To
   non-interactively renew *all* of your certificates, run "certbot
   renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le
[[email protected]:~]
/[php]


<strong>Step 3. Configure SSL/TLS on NGINX web server.</strong>

First, edit the server block file you specified during configuration through Certbot and add this three directives:
[php]
listen 443 ssl http2;
ssl_certificate /etc/letsencrypt/live/wpcademy.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/wpcademy.com/privkey.pem;

The full nginx server block configuration may look like this:
server {
     listen 80;
     server_name wpcademy.com www.wpcademy.com;
     rewrite ^(.*) https://wpcademy.com$1 permanent;
}
server {
     access_log off;
     log_not_found off;
     error_log  logs/wpcademy.com-error_log warn;

    server_name  wpcademy.com; 
    root   /var/www/wpcademy.com;
    index  index.php index.html index.htm;

    listen 443 ssl http2;
    ssl_certificate /etc/letsencrypt/live/wpcademy.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/wpcademy.com/privkey.pem;

  ## Stuff required by certbot
     location ~ /.well-known {
     allow all;
     }

  ## SSL
   ssl_session_cache shared:SSL:20m;
   ssl_session_timeout 10m;

   ssl_prefer_server_ciphers On;
   ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
   ssl_ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS;

   ssl_stapling on;
   ssl_stapling_verify on;
   resolver 8.8.8.8 8.8.4.4 valid=300s;
   resolver_timeout 10s;

   access_log /var/www/wpcademy.com/logs/access.log;
   error_log /var/www/wpcademy.com/logs/error.log;

   # php-script handler
   location ~ \.php$ {
      fastcgi_index index.php;
      fastcgi_pass 127.0.0.1:9000;       fastcgi_read_timeout 150;
      root    /var/www/wpcademy.com/public_html;
      fastcgi_param SCRIPT_FILENAME /var/www/wpcademy.com$fastcgi_script_name;
      include /etc/nginx/fastcgi_params;
   }
 location  ~ /\.ht {
               deny  all;
           }
    }

Save and close the file when you are finished.

Step 5. Set Up Let’s Encrypt SSL Auto Renewal.

We will add a cronjob to run the renewal command every week, run this command:

export VISUAL=nano; crontab -e

Paste the following lines:

01 1 * * 0 /usr/bin/certbot renew >> /var/log/ssl-renew.log 
06 1 * * 0 /usr/bin/systemctl nginx reload

Save and Exit from the crontab table.

This will create a new cronjob that will be executed every Sunday at 01 AM, and then it will reload Nginx web server to apply the changes. The output will be logged into /var/log/ssl-renew.log file for further analysis if needed.

Congratulation’s! You have successfully installed Let’s Encrypt. Thanks for using this tutorial for installing Let’s Encrypt SSL on Ubuntu 16.04 LTS system. For additional help or useful information, we recommend you to check the official Let’s Encrypt web site.