Here is how you can get free SSL certificates using Let's Encrypt, and forget about certificate expiry thanks to the auto-renewal script. A complete reference for installing a Let's Encrypt certificate is this Digital Ocean howto. Here is a quick guide based on it, plus some additional suggestions. Here we go!
The following commands download the script and make it executable. (1)
cd /usr/local/sbin   # CentOS
cd /usr/local/bin    # Ubuntu / Debian
wget https://dl.eff.org/certbot-auto
chmod a+x certbot-auto   # the file just downloaded, whichever directory you chose above
Log out and log in again to make the certbot-auto script available as a command without typing the full path.
The following command creates a directory for the SSL certificate files. Replace /usr/local/etc/my/files/path/ssl_cert with the path where you will store them; you can choose a path outside your document root. (2)
mkdir /usr/local/etc/my/files/path/ssl_cert
Now edit your /etc/nginx/conf.d/mysites.conf and add this inside the server {…} block to make the example.com/.well-known URL available (3):
server {
    listen 80;
    server_name example.com www.example.com mysite.com www.mysite.com;

    location ^~ /.well-known {
        alias /usr/local/etc/my/files/path/ssl_cert/.well-known;
        allow all;
    }

    location / {
        # redirect all other paths to the HTTPS version
        return 301 https://www.mysite.com$request_uri;
    }
}
At this time you’ve to make available .
Check the syntax and reload nginx:
nginx -t
systemctl reload nginx
Now run the script to install certificates for your domains. Remember to pass the domains as -d domain-without-www -d www-domain, in this order. (4) The script will:
- Install all the dependencies your system needs (via yum on Red Hat based distros and apt on Debian based ones)
- Generate a valid certificate
certbot-auto certonly -a webroot --webroot-path=/usr/local/etc/my/files/path/ssl_cert -d example.com -d www.example.com -d mysite.com -d www.mysite.com
A validation check is performed automatically and you will get a Congratulations message.
Now generate a strong Diffie-Hellman group with this command (5):
openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048
Check syntax and if ok reload the nginx server to apply changes and . (6)
nginx -t
systemctl reload nginx
Auto-renewal
A certificate will be valid for a short period of time, e.g. 3 months.
To auto-renew the certificate for all of your domains, you should add the auto-renewal command to cron.
You can read how to renew certificates on cron here.
Enable SSL on nginx
To enable SSL on nginx, assuming you already have a mysite.conf file serving unencrypted connections on port 80: inside the /etc/nginx/conf.d directory, copy the file as mysite_ssl.conf and:
Change all occurrences of:
listen 80;
to:
listen 443 ssl;
In this way nginx will listen on port 443 with SSL. Ensure this port is reachable from outside (firewall and/or SELinux audit2allow). (8)
In the original file, mysite.conf, you can delete all entries, but you have to keep the well-known part (step 3). This avoids errors from the Let's Encrypt script.
Add and enable ciphers. Here is a good cipher list, chosen for compatibility while staying secure, using TLS only. (9)
server {
    # the port your site will be served on
    listen 443 ssl;
    # the domain name it will serve for
    # substitute your machine's IP address or FQDN
    server_name example.com;

    ssl_certificate /etc/letsencrypt/live/mysite.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/mysite.com/privkey.pem;

    ##### Ciphers and SSL fine tuning #####
    # TLSv1 and TLSv1.1 are kept for compatibility with old clients; drop them if you can
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_dhparam /etc/ssl/certs/dhparam.pem;
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:50m;
    ssl_stapling on;
    ssl_stapling_verify on;
    add_header Strict-Transport-Security max-age=15768000;
    ##### END Ciphers and SSL fine tuning #####

    # charset utf-8; etc...
}
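As an added example (not part of the original post or of the Digital Ocean howto), here is a small Python audit that parses the TLS directives of a server block like the one above and flags the settings a reviewer would question: deprecated protocols, legacy or non-forward-secret cipher suites, stapling without verification, and a missing HSTS header. Both configuration snippets are constructed for this example (the first abridges the block above, the second is a hardened variant), and the flagging policy is this example's own assumption rather than anything the post prescribes.

```python
import re

# Constructed, abridged copy of the TLS directives in the server block above.
WEAK_CONF = """
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:AES128-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!MD5';
    ssl_stapling on;
    ssl_stapling_verify on;
    add_header Strict-Transport-Security max-age=15768000;
"""
# Constructed hardened variant: TLS 1.2+ with ECDHE-only AEAD suites and a longer HSTS policy.
HARDENED_CONF = """
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-CHACHA20-POLY1305';
    ssl_stapling on;
    ssl_stapling_verify on;
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains" always;
"""
WEAK_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}   # audit policy assumed for this example
WEAK_MARKERS = ("DES-CBC3", "CAMELLIA", "RC4", "MD5")     # legacy or broken primitives
NO_PFS = re.compile(r"^AES\d+-")                          # static RSA key exchange, no forward secrecy

def parse_directives(conf):
    """Map directive name -> value for one-line nginx directives (last occurrence wins)."""
    found = {}
    for raw in conf.splitlines():
        line = raw.strip()
        if line.endswith(";") and not line.startswith("#"):
            name, _, value = line[:-1].partition(" ")
            found[name] = value.strip().strip("'\"")
    return found

def audit_tls(conf):
    """Return a list of findings for the snippet; an empty list means nothing was flagged."""
    d, findings = parse_directives(conf), []
    bad = sorted(set(d.get("ssl_protocols", "").split()) & WEAK_PROTOCOLS)
    if bad:
        findings.append("deprecated protocols enabled: " + ", ".join(bad))
    for suite in d.get("ssl_ciphers", "").split(":"):
        if suite.startswith("!"):
            continue  # exclusions such as !MD5 are desirable, not findings
        if any(m in suite for m in WEAK_MARKERS):
            findings.append("weak cipher suite: " + suite)
        elif NO_PFS.match(suite) or suite == "AES":
            findings.append("no forward secrecy: " + suite)
    if d.get("ssl_stapling") == "on" and d.get("ssl_stapling_verify") != "on":
        findings.append("ssl_stapling on without ssl_stapling_verify on")
    if "Strict-Transport-Security" not in conf:
        findings.append("missing Strict-Transport-Security header")
    return findings
```

Run `audit_tls(WEAK_CONF)` to see why the list above is a compatibility trade-off, and `audit_tls(HARDENED_CONF)` to confirm the stricter variant passes cleanly.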
Test nginx syntax with:
nginx -t
and then reload nginx to apply the changes (10); on CentOS:
systemctl restart nginx
Update 12/2018:
Instead of the acme authentication used above, you can use standalone mode. This mode requires stopping the web server first; certbot then starts its own web server to verify the domain and obtain the certificates, all in a single command, using --pre-hook and --post-hook to stop and restart nginx.
sudo certbot certonly --standalone --pre-hook "systemctl stop nginx" --post-hook "systemctl start nginx" -d example.com
One thought on “Free SSL certificates and how to install on nginx in 10 steps”