HTTPS using Let’s Encrypt and NGINX on Ubuntu 16.04 LTS.

In this instructions we will assume your web site is going to be hosted at www.site.com. 

Install certbot

Add certbot repo/key:

sudo apt-get install software-properties-common
sudo add-apt-repository ppa:certbot/certbot

Install certbot:

sudo apt-get update
sudo apt-get install python-certbot-nginx

Install nginx:

sudo apt-get install nginx

Change nginx configuration for the site (assuming www.site.com):

cd /etc/nginx/sites-available/
sudo vi www.site.com

ln -s www.site.com ../sites-enabled/www.site.com

Add to the configuration file listen 443 ssl; so it looks something like:

...
server {
   ...
   listen 443 ssl;
   ...
}
...

Generate certificate

sudo certbot --nginx
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx
Enter email address (used for urgent renewal and security notices) (Enter 'c' to
cancel): your_email@provider.com

-------------------------------------------------------------------------------
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf. You must agree
in order to register with the ACME server at
https://acme-v01.api.letsencrypt.org/directory
-------------------------------------------------------------------------------
(A)gree/(C)ancel: A

-------------------------------------------------------------------------------
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about EFF and
our work to encrypt the web, protect its users and defend digital rights.
-------------------------------------------------------------------------------
(Y)es/(N)o: Y

Which names would you like to activate HTTPS for?
-------------------------------------------------------------------------------
1: www.site.com
-------------------------------------------------------------------------------
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 1

Obtaining a new certificate
Performing the following challenges:
tls-sni-01 challenge for www.site.com
Waiting for verification...
Cleaning up challenges
Deployed Certificate to VirtualHost /etc/nginx/sites-enabled/www.site.com for set(['www.site.com'])

Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
-------------------------------------------------------------------------------
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
-------------------------------------------------------------------------------
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Redirecting all traffic on port 80 to ssl in /etc/nginx/sites-enabled/www.site.com

-------------------------------------------------------------------------------
Congratulations! You have successfully enabled https://www.site.com
You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=www.site.com
-------------------------------------------------------------------------------

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/www.site.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/www.site.com/privkey.pem
   Your cert will expire on 2018-02-03. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot again
   with the "certonly" option. To non-interactively renew *all* of
   your certificates, run "certbot renew"

 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.

 - If you like Certbot, please consider supporting our work by:
   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

your configuration file will be updated to include:

server {
   ...

   ssl_certificate /etc/letsencrypt/live/www.site.com/fullchain.pem; # managed by Certbot
   ssl_certificate_key /etc/letsencrypt/live/www.site.com/privkey.pem; # managed by Certbot

   if ($scheme != "https") {
       return 301 https://$host$request_uri;
   } # managed by Certbot

   ...
}

try auto-update

sudo certbot renew --dry-run

Auto-renew using crontab

Let’s Encrypt’s certificates are only valid for ninety days.

To run the renewal check daily, we will use cron, a standard system service for running periodic jobs. We tell cron what to do by opening and editing a file called a crontab.

sudo crontab -e

Your text editor will open the default crontab which is a text file with some help text in it. Paste in the following line at the end of the file, then save and close it:

0 3 * * * /usr/bin/certbot renew --quiet

The 0 3 * * * part of this line means “run at 3:00 am, every day”

The renew command for Certbot will check all certificates installed on the system and update any that are set to expire in less than thirty days. –quiet tells Certbot not to output information nor wait for user input.

Change NGINX for stronger encryption

https://www.digitalocean.com/community/tutorials/how-to-create-a-self-signed-ssl-certificate-for-nginx-in-ubuntu-16-04

References:


0 Comments

Leave a Reply

Your email address will not be published. Required fields are marked *