HTTPS using Let’s Encrypt and NGINX on Ubuntu 16.04 LTS.
In these instructions we will assume your website is going to be hosted at www.site.com.
Install certbot
Add certbot repo/key:
sudo apt-get install software-properties-common
sudo add-apt-repository ppa:certbot/certbot
Install certbot:
sudo apt-get update
sudo apt-get install python-certbot-nginx
Install nginx:
sudo apt-get install nginx
Change nginx configuration for the site (assuming www.site.com):
cd /etc/nginx/sites-available/
sudo vi www.site.com
# use an absolute target: a relative "ln -s www.site.com ../sites-enabled/www.site.com"
# would create a symlink in sites-enabled that points at itself
sudo ln -s /etc/nginx/sites-available/www.site.com /etc/nginx/sites-enabled/www.site.com
Add listen 443 ssl; to the configuration file so it looks something like:
...
server {
    ...
    listen 443 ssl;
    ...
}
...
Generate certificate
sudo certbot --nginx
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx
Enter email address (used for urgent renewal and security notices) (Enter 'c' to
cancel): your_email@provider.com

-------------------------------------------------------------------------------
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf. You must agree
in order to register with the ACME server at
https://acme-v01.api.letsencrypt.org/directory
-------------------------------------------------------------------------------
(A)gree/(C)ancel: A

-------------------------------------------------------------------------------
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about EFF and
our work to encrypt the web, protect its users and defend digital rights.
-------------------------------------------------------------------------------
(Y)es/(N)o: Y

Which names would you like to activate HTTPS for?
-------------------------------------------------------------------------------
1: www.site.com
-------------------------------------------------------------------------------
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 1
Obtaining a new certificate
Performing the following challenges:
tls-sni-01 challenge for www.site.com
Waiting for verification...
Cleaning up challenges
Deployed Certificate to VirtualHost /etc/nginx/sites-enabled/www.site.com for set(['www.site.com'])

Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
-------------------------------------------------------------------------------
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
-------------------------------------------------------------------------------
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Redirecting all traffic on port 80 to ssl in /etc/nginx/sites-enabled/www.site.com

-------------------------------------------------------------------------------
Congratulations! You have successfully enabled https://www.site.com

You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=www.site.com
-------------------------------------------------------------------------------

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/www.site.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/www.site.com/privkey.pem
   Your cert will expire on 2018-02-03. To obtain a new or tweaked version of
   this certificate in the future, simply run certbot again with the
   "certonly" option. To non-interactively renew *all* of your certificates,
   run "certbot renew"
 - Your account credentials have been saved in your Certbot configuration
   directory at /etc/letsencrypt. You should make a secure backup of this
   folder now. This configuration directory will also contain certificates and
   private keys obtained by Certbot so making regular backups of this folder
   is ideal.
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le
Your configuration file will be updated to include:
server {
    ...
    ssl_certificate /etc/letsencrypt/live/www.site.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/www.site.com/privkey.pem; # managed by Certbot

    if ($scheme != "https") {
        return 301 https://$host$request_uri;
    } # managed by Certbot
    ...
}
Test automatic renewal with a dry run:
sudo certbot renew --dry-run
Auto-renew using crontab
Let’s Encrypt’s certificates are only valid for ninety days.
To run the renewal check daily, we will use cron, a standard system service for running periodic jobs. We tell cron what to do by opening and editing a file called a crontab.
sudo crontab -e
Your text editor will open the default crontab which is a text file with some help text in it. Paste in the following line at the end of the file, then save and close it:
0 3 * * * /usr/bin/certbot renew --quiet
The 0 3 * * * part of this line means "run at 3:00 am, every day".
The renew command for Certbot will check all certificates installed on the system and update any that are set to expire in less than thirty days. --quiet tells Certbot not to output information nor wait for user input.
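The same thirty-day rule can be checked independently of the cron job, for example from a monitoring script, so that a silently failing renewal is noticed before the certificate expires. The script below is an added example, not part of the original post; it assumes the openssl command-line tool is installed and uses two constructed self-signed test certificates for www.site.com in place of /etc/letsencrypt/live/www.site.com/fullchain.pem.

```shell
#!/bin/sh
# Added example (not from the original post): reproduce the decision that
# "certbot renew" makes, i.e. renew when a certificate expires in less than
# 30 days. Requires the openssl CLI.
set -eu

RENEW_WINDOW_DAYS=30

# Print the notAfter date of a PEM certificate.
cert_expiry() {
    openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//'
}

# Return 0 (true) if the certificate expires within the renewal window,
# 1 (false) otherwise. "openssl x509 -checkend N" exits 0 if the certificate
# is still valid N seconds from now and 1 if it will have expired by then.
renewal_due() {
    if openssl x509 -in "$1" -noout -checkend $((RENEW_WINDOW_DAYS * 86400)); then
        return 1
    fi
    return 0
}

# Constructed test data: two self-signed certificates for www.site.com, one
# valid for 10 more days (renewal due) and one for 90 days (the lifetime
# Let's Encrypt issues, renewal not yet due).
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
make_test_cert() {   # $1 = output path, $2 = validity in days
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/key.pem" \
        -out "$1" -days "$2" -subj "/CN=www.site.com" >/dev/null 2>&1
}
make_test_cert "$WORK/short.pem" 10
make_test_cert "$WORK/long.pem" 90

for c in "$WORK/short.pem" "$WORK/long.pem"; do
    if renewal_due "$c"; then
        echo "$c expires $(cert_expiry "$c"): renewal due"
    else
        echo "$c expires $(cert_expiry "$c"): OK"
    fi
done
```

On a real host, point renewal_due at /etc/letsencrypt/live/www.site.com/fullchain.pem and alert when it returns 0 for more than a day, which means the cron job is not renewing.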
Change NGINX for stronger encryption
References:
- https://letsencrypt.org/
- https://certbot.eff.org/#ubuntutrusty-nginx
- https://certbot.eff.org/all-instructions/#ubuntu-16-04-xenial-nginx
- https://www.digitalocean.com/community/tutorials/how-to-secure-nginx-with-let-s-encrypt-on-ubuntu-16-04
- auto-renew: https://www.digitalocean.com/community/tutorials/how-to-secure-apache-with-let-s-encrypt-on-ubuntu-14-04
- strong encryption on NGINX: https://www.digitalocean.com/community/tutorials/how-to-create-a-self-signed-ssl-certificate-for-nginx-in-ubuntu-16-04