HTTPS with Letsencrypt on Nginx

From Knowledge Center

Revision as of 18:21, 9 January 2019

In this tutorial I will set up a certificate with Letsencrypt and configure Nginx to serve the certificate for our website.

Dependencies and Permissions

Set up the dependencies and create the Diffie-Hellman parameters (dhparam.pem):

$ sudo apt install software-properties-common
$ sudo add-apt-repository ppa:certbot/certbot
$ sudo apt update
$ sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048

Create Directories and Permissions:

$ sudo mkdir -p /var/lib/letsencrypt/.well-known
$ sudo chgrp www-data /var/lib/letsencrypt
$ sudo chmod g+s /var/lib/letsencrypt

Configuration

Configure: /etc/nginx/snippets/letsencrypt.conf

location ^~ /.well-known/acme-challenge/ {
  allow all;
  root /var/lib/letsencrypt/;
  default_type "text/plain";
  try_files $uri =404;
}

Configure: /etc/nginx/snippets/ssl.conf

ssl_dhparam /etc/ssl/certs/dhparam.pem;

ssl_session_timeout 1d;
ssl_session_cache shared:SSL:50m;
ssl_session_tickets off;

ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;

ssl_stapling on;
ssl_stapling_verify on;
# resolver needs at least one nameserver address for OCSP stapling to work
# (127.0.0.1 is an assumption here; use the address of your own DNS resolver)
resolver 127.0.0.1 valid=300s;
resolver_timeout 30s;

add_header Strict-Transport-Security "max-age=15768000; includeSubdomains; preload";
add_header X-Frame-Options SAMEORIGIN;
add_header X-Content-Type-Options nosniff;
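The snippet above enables TLSv1 and TLSv1.1, which are deprecated; TLSv1.2 (and TLSv1.3 on newer Nginx/OpenSSL) is the safer choice, and `ssl_stapling` only works when `resolver` names a DNS server. The following is an added example, not code from the page: a small Python linter that reads an ssl.conf-style snippet (one directive per line, as the page writes it) and reports those weak settings. The embedded sample is a constructed copy of the page's snippet, with the resolver address left out on purpose so that check fires.

```python
"""Lint an nginx TLS snippet such as the ssl.conf above.

Added example, not code from the original page. It reads the snippet as
one directive per line, so a '#' inside a quoted value would be mis-read
as a comment.
"""
import re

# Constructed sample modelled on the page's snippet. The resolver line is
# deliberately left without a nameserver address so the check below fires.
SAMPLE_SSL_CONF = """
ssl_dhparam /etc/ssl/certs/dhparam.pem;
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:50m;
ssl_session_tickets off;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_stapling on;
ssl_stapling_verify on;
resolver valid=300s;
resolver_timeout 30s;
add_header Strict-Transport-Security "max-age=15768000; includeSubdomains; preload";
add_header X-Frame-Options SAMEORIGIN;
add_header X-Content-Type-Options nosniff;
"""

DEPRECATED_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
TOKEN = re.compile(r'"([^"]*)"|\'([^\']*)\'|(\S+)')


def parse_directives(text):
    """Return [(name, [args]), ...]; quoted arguments keep their inner text."""
    directives = []
    for raw in text.splitlines():
        line = re.sub(r"#.*", "", raw).strip().rstrip(";").strip()
        if not line:
            continue
        tokens = [a or b or c for a, b, c in TOKEN.findall(line)]
        directives.append((tokens[0], tokens[1:]))
    return directives


def lint_ssl_conf(text):
    """Return a list of (severity, code, message) findings; [] means clean."""
    by_name = {}
    for name, args in parse_directives(text):
        by_name.setdefault(name, []).append(args)
    findings = []

    protocols = {p for args in by_name.get("ssl_protocols", []) for p in args}
    weak = sorted(protocols & DEPRECATED_PROTOCOLS)
    if weak:
        findings.append(("high", "deprecated-protocol",
                         "ssl_protocols enables " + ", ".join(weak) + "; keep only TLSv1.2 and newer"))

    if "ssl_dhparam" not in by_name:
        findings.append(("medium", "no-dhparam",
                         "ssl_dhparam not set; nginx then disables DHE ciphers (older versions used built-in parameters)"))

    # last occurrence wins, as in nginx; default is on
    if by_name.get("ssl_session_tickets", [["on"]])[-1] != ["off"]:
        findings.append(("medium", "session-tickets-on",
                         "ssl_session_tickets is on; a long-lived ticket key weakens forward secrecy for resumed sessions"))

    if by_name.get("ssl_stapling", [["off"]])[-1] == ["on"]:
        # resolver arguments without '=' are nameserver addresses; the rest are parameters
        addresses = [a for args in by_name.get("resolver", []) for a in args if "=" not in a]
        if not addresses:
            findings.append(("medium", "resolver-without-address",
                             "ssl_stapling is on but no resolver address is set, so the OCSP responder cannot be looked up"))

    hsts = [args for args in by_name.get("add_header", [])
            if args and args[0].lower() == "strict-transport-security"]
    if not hsts:
        findings.append(("low", "no-hsts", "no Strict-Transport-Security header"))

    if "ssl_ciphers" not in by_name:
        findings.append(("info", "default-ciphers",
                         "ssl_ciphers not set; the nginx/OpenSSL default list is used"))
    return findings


if __name__ == "__main__":
    for severity, code, message in lint_ssl_conf(SAMPLE_SSL_CONF):
        print(f"[{severity}] {code}: {message}")
```

Run it against the page's snippet and it reports the deprecated protocols, the resolver without an address and the missing ssl_ciphers; a snippet with `ssl_protocols TLSv1.2 TLSv1.3;`, a resolver address and an explicit cipher list comes back clean. One caveat the linter cannot see: `add_header` directives set in the server block are not inherited by any location block that declares its own `add_header`, so the HSTS header has to be repeated there.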

Configure: /etc/nginx/sites-available/mywebsite.co.za.conf

server {
  listen 80;
  server_name mywebsite.co.za www.mywebsite.co.za;

  include snippets/letsencrypt.conf;
}

Set up the symbolic link and reload Nginx:

$ sudo ln -s /etc/nginx/sites-available/mywebsite.co.za.conf /etc/nginx/sites-enabled/mywebsite.co.za.conf
$ sudo systemctl reload nginx

Letsencrypt

Use certbot to create the certificates:

$ sudo certbot certonly --agree-tos --email ruan@ruanbekker.com --webroot -w /var/lib/letsencrypt/ -d mywebsite.co.za -d www.mywebsite.co.za

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org

Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about our work
encrypting the web, EFF news, campaigns, and ways to support digital freedom.
(Y)es/(N)o: N
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for mywebsite.co.za
http-01 challenge for www.mywebsite.co.za
Using the webroot path /var/lib/letsencrypt for all unmatched domains.
Waiting for verification...
Cleaning up challenges

 - Congratulations! Your certificate and chain have been saved at:
   Your key file has been saved at:
   Your cert will expire on 2018-10-01. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le
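The "http-01 challenge" lines in the output above are the step that the letsencrypt.conf location block exists for: certbot writes a file under the webroot, and the CA fetches it at `http://<domain>/.well-known/acme-challenge/<token>`. The following is an added example, not code from the page or from certbot: a Python walk-through of that exchange, with the account key, token and webroot constructed and the "server" being a small model of the page's nginx location block (root mapping plus `try_files $uri =404`) rather than nginx itself.

```python
"""Walk through the http-01 exchange that the certbot --webroot run above relies on.

Added example, not code from the original page or from certbot. The account
key, token and webroot are constructed; serve() is a model of the page's
nginx location block, not nginx itself.
"""
import base64
import hashlib
import json
import os
import tempfile

CHALLENGE_PREFIX = "/.well-known/acme-challenge/"


def b64url(data):
    """Base64url without padding, as ACME uses everywhere."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def jwk_thumbprint(jwk):
    """RFC 7638 thumbprint of the account key: SHA-256 over the canonical JSON
    (sorted members, no whitespace) of the required members; for RSA: e, kty, n."""
    required = {k: jwk[k] for k in ("e", "kty", "n")}
    canonical = json.dumps(required, separators=(",", ":"), sort_keys=True).encode()
    return b64url(hashlib.sha256(canonical).digest())


def key_authorization(token, jwk):
    """The value the CA expects to read back: token '.' thumbprint."""
    return token + "." + jwk_thumbprint(jwk)


def place_challenge(webroot, token, jwk):
    """What `certbot --webroot -w WEBROOT` does for the challenge: write the key
    authorization to WEBROOT/.well-known/acme-challenge/TOKEN."""
    challenge_dir = os.path.join(webroot, ".well-known", "acme-challenge")
    os.makedirs(challenge_dir, exist_ok=True)
    path = os.path.join(challenge_dir, token)
    with open(path, "w") as fh:
        fh.write(key_authorization(token, jwk))
    return path


def serve(webroot, uri):
    """Model of the page's `location ^~ /.well-known/acme-challenge/` block:
    `root WEBROOT` maps the request to WEBROOT + uri and `try_files $uri =404`
    answers 404 when the file is absent. Returns (status, body)."""
    if not uri.startswith(CHALLENGE_PREFIX):
        return 404, ""          # another location would handle this request
    token = uri[len(CHALLENGE_PREFIX):]
    # Only a single path component may follow the prefix (nginx normalises
    # ".." before matching; this model simply refuses anything but one token).
    if not token or "/" in token or token in (".", ".."):
        return 404, ""
    path = os.path.join(webroot, ".well-known", "acme-challenge", token)
    if not os.path.isfile(path):
        return 404, ""
    with open(path) as fh:
        return 200, fh.read()


def validate(webroot, token, jwk):
    """The CA's side of http-01: fetch the token URL over plain HTTP and compare
    the body with the key authorization computed from the account key."""
    status, body = serve(webroot, CHALLENGE_PREFIX + token)
    return status == 200 and body.strip() == key_authorization(token, jwk)


def run_demo():
    """Returns (valid, valid with the wrong account key, status for an unknown
    token, status for a traversal attempt). Expected: (True, False, 404, 404)."""
    jwk = {"kty": "RSA", "n": "constructed-modulus-not-a-real-key", "e": "AQAB"}
    other = {"kty": "RSA", "n": "another-constructed-modulus", "e": "AQAB"}
    token = "constructed-token-0123456789"
    with tempfile.TemporaryDirectory() as webroot:
        place_challenge(webroot, token, jwk)
        ok = validate(webroot, token, jwk)
        wrong_key = validate(webroot, token, other)
        unknown = serve(webroot, CHALLENGE_PREFIX + "no-such-token")[0]
        traversal = serve(webroot, CHALLENGE_PREFIX + "../../etc/passwd")[0]
    return ok, wrong_key, unknown, traversal


if __name__ == "__main__":
    print(run_demo())
```

Two things the walk-through makes visible: the CA only accepts the file if its content matches the thumbprint of the account key that requested the order, so a stray file in the directory proves nothing, and the check arrives on port 80, so the HTTP server block has to answer this path itself (or redirect to a block that does) for renewals to keep working after the HTTPS redirect is added.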

Configure: /etc/nginx/sites-available/mywebsite.co.za.conf

server {
    listen 80;
    server_name www.mywebsite.co.za mywebsite.co.za;

    include snippets/letsencrypt.conf;

    # Redirect everything except the ACME location from the snippet above.
    # A return at server level would run before location matching and
    # redirect the challenge requests as well, which breaks renewals.
    location / {
        return 301 https://$host$request_uri;
    }
}

server {
    listen 443 ssl http2;
    # both names, since the certificate covers both and the redirect keeps $host
    server_name www.mywebsite.co.za mywebsite.co.za;

    ssl_certificate /etc/letsencrypt/live/mywebsite.co.za/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/mywebsite.co.za/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/mywebsite.co.za/chain.pem;
    include snippets/ssl.conf;

    location / {
      root /usr/share/nginx/html/;
    }
}


Reload Nginx:

$ sudo systemctl reload nginx

Certbot Renew Script

Set up cron: /etc/cron.d/certbot

0 */12 * * * root test -x /usr/bin/certbot -a \! -d /run/systemd/system && perl -e 'sleep int(rand(3600))' && certbot -q renew --renew-hook "systemctl reload nginx"

Test the renew action in dry-run mode:

$ sudo certbot renew --dry-run

Resources