{"id":18,"date":"2017-02-21T14:52:00","date_gmt":"2017-02-21T14:52:00","guid":{"rendered":""},"modified":"2021-02-22T01:13:32","modified_gmt":"2021-02-22T01:13:32","slug":"lets-encrypt-free-grade-ssl-on-nginx","status":"publish","type":"post","link":"https:\/\/www.tech-and-dev.com\/blog\/2017\/02\/lets-encrypt-free-grade-ssl-on-nginx.html","title":{"rendered":"Let’s Encrypt Free A+ Grade SSL On Nginx & Ubuntu 16.04"},"content":{"rendered":"
\n
\n
<\/a><\/div>\n

Prerequisites:<\/h2>\n

LEMP on Ubuntu 16.04<\/a><\/p>\n

Start by updating apt indexes<\/h2>\n
sudo apt-get update<\/pre>\n
 <\/p>\n
Install Let’s Encrypt Package<\/h2>\n
(Known as certbot on Github (https:\/\/github.com\/certbot\/certbot))<\/p>\n
sudo apt-get install letsencrypt<\/pre>\n
<\/a>I’ll assume the domain name we are working on is called mysite.com<\/b> and you have installed and configured Nginx from the tutorial mentioned above.<\/p>\n
Open Nginx Configuration file<\/p>\n
sudo vi \/etc\/nginx\/sites-available\/mysite.com<\/pre>\n
 <\/p>\n
Make .well-known directory accessible<\/h2>\n
We do this because Let’s Encrypt will use .well-known directory to validate the SSL.
\nAdd it before denying hidden files (Entire configuration file is below)<\/p>\n
\u00a0\u00a0\u00a0 location ~ \/.well-known {<\/pre>\n
allow all;<\/p>\n
}<\/p>\n
 <\/p>\n
Test Nginx Syntax<\/h2>\n
sudo nginx -t<\/pre>\n
 <\/p>\n
Reload Nginx<\/h2>\n
sudo systemctl reload nginx<\/pre>\n
 <\/p>\n
Generate the Certificate<\/h2>\n
sudo letsencrypt certonly -a webroot --webroot-path=\/var\/www\/mysite.com\/html -d mysite.com -d www.mysite.com<\/pre>\n
The results will be similar to the following:<\/p>\n
IMPORTANT NOTES:
\n– Congratulations! Your certificate and chain have been saved at
\n\/etc\/letsencrypt\/live\/mysite.com\/fullchain.pem. Your
\ncert will expire on 2017-05-17. To obtain a new version of the
\ncertificate in the future, simply run Let’s Encrypt again.
\n– If you like Let’s Encrypt, please consider supporting our work by:<\/p>\n
Donating to ISRG \/ Let’s Encrypt:\u00a0\u00a0 https:\/\/letsencrypt.org\/donate
\nDonating to EFF:\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 https:\/\/eff.org\/donate-le<\/p><\/blockquote>\n
 <\/p>\n
Generate a 2048 or 4096 bits Diffie Hellman Symmetric Key<\/h2>\n
I’ll generate the Diffie Hellman in Nginx installation to keep things organized, you can create it anywhere you want (If you create it somewhere else, make sure to edit the configuration file below to reflect your changes)<\/p>\n
sudo mkdir \/etc\/nginx\/ssl\r\nsudo openssl dhparam -out \/etc\/nginx\/ssl\/dhparam.pem 4096<\/pre>\n
This might take a while (4096 bits might take around 30 minutes on a modern CPU), but once it’s done, you will have a 4096 bits symmetric key<\/p>\n
Configuring Nginx to Read the Generated Certificates<\/h2>\n
By default Let’s Encrypt will store all the certificates (expired and running) in
\n\/etc\/letsencrypt\/archive\/mysite.com<\/span><\/b>
\nHowever, to avoid changing the nginx configuration file everytime, letsencrypt plugin will create a symlink to the latest generated certificate in
\n\/etc\/letsencrypt\/live\/mysite.com<\/b><\/span><\/p>\n
Let’s open Nginx configuration file:<\/p>\n
sudo vi \/etc\/nginx\/sites-available\/mysite.com<\/pre>\n
And add\/modify the new SSL location<\/p>\n
listen 443 ssl http2 default_server;\r\nssl_certificate \/etc\/letsencrypt\/live\/mysite.com\/fullchain.pem;\r\nssl_certificate_key \/etc\/letsencrypt\/live\/mysite.com\/privkey.pem;<\/pre>\n
Improve SSL Security to get Grade A+ on SslLabs
\nPaste the following below the certificates<\/p>\n
#From cipherli.st\r\nssl_protocols TLSv1 TLSv1.1 TLSv1.2;\r\nssl_prefer_server_ciphers on;\r\nssl_ciphers \"EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH\";\r\nssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0\r\nssl_session_cache shared:SSL:10m;\r\nssl_session_tickets off; # Requires nginx >= 1.5.9\r\nssl_stapling on; # Requires nginx >= 1.3.7\r\nssl_stapling_verify on; # Requires nginx => 1.3.7\r\nresolver $DNS-IP-1 $DNS-IP-2 valid=300s;\r\nresolver_timeout 5s;\r\n##If you're not aware of how preload works, keep it disabled for now\r\n##More info on preload can be found in\r\n##blog.mozilla.org\/security\/2012\/11\/01\/preloading-hsts\r\n##&\r\n##hstspreload.org\r\n#add_header Strict-Transport-Security \"max-age=63072000; includeSubDomains; preload\";\r\nadd_header Strict-Transport-Security \"max-age=63072000; includeSubDomains;\";\r\nadd_header X-Frame-Options DENY;\r\nadd_header X-Content-Type-Options nosniff;\r\n#Add Diffie Hellman that we have previously generated \r\nssl_dhparam \/etc\/nginx\/ssl\/dhparam.pem;<\/pre>\n
Make sure to replace $DNS-IP-1<\/span> $DNS-IP-2<\/span><\/b> with your DNS IPs, if you don’t know or don’t have any, you can replace them by Google’s DNS 8.8.8.8<\/span> <\/b>& 8.8.4.4<\/span><\/b>\u00a0<\/span><\/p>\n
The entire configuration file will look like:<\/p>\n
server {\r\n\u00a0\u00a0\u00a0 # Redirect to www\r\n\u00a0\u00a0\u00a0 server_name mysite.com;\r\n\u00a0\u00a0\u00a0 rewrite ^\/(.*)$ http:\/\/www.mysite.com\/$1 permanent;\r\n}<\/pre>\n
server {
\n# Domain name
\nserver_name www.mysite.com;<\/p>\n
# Location of files
\nroot \/var\/www\/mysite.com\/html;
\n# Location of access & error Logs
\naccess_log \/var\/log\/nginx\/www.mysite.com.access.log;
\nerror_log \/var\/log\/nginx\/www.mysite.com.error.log;<\/p>\n
# Listen to Port 80 (http)
\nlisten 80 default_server;<\/p>\n
#Listen on SSL
\nlisten 443 ssl http2 default_server;<\/p>\n
# ssl on;
\nssl_certificate \/etc\/letsencrypt\/live\/mysite.com\/fullchain.pem;
\nssl_certificate_key \/etc\/letsencrypt\/live\/mysite.com\/privkey.pem;<\/p>\n
#From cipherli.st
\nssl_protocols TLSv1 TLSv1.1 TLSv1.2;
\nssl_prefer_server_ciphers on;
\nssl_ciphers “EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH”;
\nssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0
\nssl_session_cache shared:SSL:10m;
\nssl_session_tickets off; # Requires nginx >= 1.5.9
\nssl_stapling on; # Requires nginx >= 1.3.7
\nssl_stapling_verify on; # Requires nginx => 1.3.7
\nresolver 8.8.8.8 8.8.4.4 valid=300s;
\nresolver_timeout 5s;
\n##If you’re not aware of how preload works, keep it disabled for now
\n##More info on preload can be found in
\n##blog.mozilla.org\/security\/2012\/11\/01\/preloading-hsts
\n##&
\n##hstspreload.org\/
\n#add_header Strict-Transport-Security “max-age=63072000; includeSubDomains; preload”;
\nadd_header Strict-Transport-Security “max-age=63072000; includeSubDomains;”;
\nadd_header X-Frame-Options DENY;
\nadd_header X-Content-Type-Options nosniff;
\n#Add Diffie Hellman that we have previously generated
\nssl_dhparam \/etc\/nginx\/ssl\/dhparam.pem;<\/p>\n
# Default file to serve. If the first file isn’t found,
\nindex index.php index.html index.htm;<\/p>\n
# Don’t log favicons
\nlocation = \/favicon.ico {
\nlog_not_found off;
\naccess_log off;
\n}<\/p>\n
# Configuring robots.txt
\nlocation = \/robots.txt {
\nallow all;
\nlog_not_found off;
\naccess_log off;
\n}<\/p>\n
# Configure 404 Pages
\nerror_page 404 \/404.html;<\/p>\n
# Error 50x Pages
\nerror_page 500 502 503 504 \/50x.html;
\nlocation = \/50x.html {
\nroot \/usr\/share\/nginx\/www;
\n}<\/p>\n
location ~ \/.well-known {
\nallow all;
\n}<\/p>\n
# Denying all attempts to access hidden files .abcde
\nlocation ~ \/. {
\ndeny all;
\n}<\/p>\n
# Expiry date headers for static files and turn off logging.
\nlocation ~* ^.+.(js|css|swf|xml|txt|ogg|ogv|svg|svgz|eot|otf|woff|mp4|ttf|rss|atom|jpg|jpeg|gif|png|ico|zip|tgz|gz|rar|bz2|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf)$ {
\naccess_log off; log_not_found off; expires 30d;
\n}<\/p>\n
# Rewrite rules, sends everything through index.php
\nlocation \/ {
\ntry_files $uri $uri\/ \/index.php?q=$uri&$args;
\n}<\/p>\n
# Deny access to PHP Files in the uploads directory
\nlocation ~* \/(?:uploads|files)\/.*.php$ {
\ndeny all;
\n}<\/p>\n
# Enable PHP Support
\nlocation ~ .php$ {
\ninclude snippets\/fastcgi-php.conf;
\nfastcgi_pass unix:\/run\/php\/php7.0-fpm.sock;
\n}<\/p>\n
# Enable Rewrite Rules for Yoast SEO SiteMap
\nrewrite ^\/sitemap_index.xml$ \/index.php?sitemap=1 last;
\nrewrite ^\/([^\/]+?)-sitemap([0-9]+)?.xml$ \/index.php?sitemap=$1&sitemap_n=$2 last;<\/p>\n
# Add trailing slash to *\/wp-admin requests.
\nrewrite \/wp-admin$ $scheme:\/\/$host$uri\/ permanent;
\n}<\/p>\n
Test Nginx Syntax<\/p>\n<\/div>\n
sudo nginx -t<\/pre>\n
Reload Nginx<\/p>\n
sudo systemctl reload nginx<\/pre>\n
 <\/p>\n
Renew Certificates Automatically<\/h2>\n
In order to renew the certificates automatically, we will setup a cron job. By default, Let’s Encrypt only renew a certificate 1 month before it expires (after 2 months out of 3), otherwise it will skip renewal. Therefore, we can run the cron job once every week (or less if you wish), and Let’s Encrypt will automatically skip or renew all the certificates.<\/p>\n
Open crontab as Root<\/p>\n
sudo crontab -e<\/pre>\n
Append the following 2 lines at the end of the file<\/p>\n
0 0 * * 0 letsencrypt renew\u00a0 >> \/var\/log\/letsEncryptAutoRenew.log\r\n0 0 * * 0 systemctl reload nginx<\/pre>\n
Configure the Ubuntu Firewall To Allow HTTPS<\/p>\n
sudo ufw allow 'Nginx HTTPS'<\/pre>\n
or<\/p>\n
sudo ufw allow 'Nginx Full'\r\nsudo ufw delete allow 'Nginx HTTP'<\/pre>\n
 <\/p>\n
Test your site SSL on SSL Labs<\/h2>\n
https:\/\/www.ssllabs.com\/ssltest\/analyze.html?d=mysite.com<\/a><\/p>\n
Questions or comments? Leave them below!<\/p>\n<\/div>\n","protected":false},"excerpt":{"rendered":"
Prerequisites: LEMP on Ubuntu 16.04 Start by updating apt indexes sudo apt-get update   Install Let’s Encrypt Package (Known as certbot on Github (https:\/\/github.com\/certbot\/certbot)) sudo apt-get install letsencrypt I’ll assume the domain name we are working on is called mysite.com and you have installed and configured Nginx from the tutorial mentioned above. Open Nginx Configuration […]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[6,27,28,4],"tags":[],"class_list":["post-18","post","type-post","status-publish","format-standard","hentry","category-linux","category-nginx","category-security","category-ubuntu"],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/www.tech-and-dev.com\/blog\/wp-json\/wp\/v2\/posts\/18","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.tech-and-dev.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.tech-and-dev.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.tech-and-dev.com\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.tech-and-dev.com\/blog\/wp-json\/wp\/v2\/comments?post=18"}],"version-history":[{"count":3,"href":"https:\/\/www.tech-and-dev.com\/blog\/wp-json\/wp\/v2\/posts\/18\/revisions"}],"predecessor-version":[{"id":382,"href":"https:\/\/www.tech-and-dev.com\/blog\/wp-json\/wp\/v2\/posts\/18\/revisions\/382"}],"wp:attachment":[{"href":"https:\/\/www.tech-and-dev.com\/blog\/wp-json\/wp\/v2\/media?parent=18"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.tech-and-dev.com\/blog\/wp-json\/wp\/v2\/categories?post=18"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.tech-and-dev.com\/blog\/wp-json\/wp\/v2\/tags?post=18"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}