HTTPS with Letsencrypt on Nginx

Revision as of 18:22, 9 January 2019

In this tutorial I will obtain a certificate from Let's Encrypt and configure Nginx to serve our website over HTTPS with it.

Dependencies and Permissions

Install the dependencies (including certbot from its PPA) and generate the Diffie-Hellman parameters that the TLS snippet below references as dhparam.pem:

$ sudo apt install software-properties-common
$ sudo add-apt-repository ppa:certbot/certbot
$ sudo apt update
$ sudo apt install certbot
$ sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048

Create the webroot directory that certbot will write challenge files into. The www-data group and the setgid bit let Nginx read those files while certbot (running as root) creates them:

$ sudo mkdir -p /var/lib/letsencrypt/.well-known
$ sudo chgrp www-data /var/lib/letsencrypt
$ sudo chmod g+s /var/lib/letsencrypt

Configuration

Create the ACME challenge snippet at /etc/nginx/snippets/letsencrypt.conf. It serves the http-01 challenge files out of the webroot created above:

location ^~ /.well-known/acme-challenge/ {
  allow all;
  root /var/lib/letsencrypt/;
  default_type "text/plain";
  try_files $uri =404;
}

Create the shared TLS snippet at /etc/nginx/snippets/ssl.conf. It is included by every HTTPS server block so the protocol, cipher, OCSP stapling and security-header settings live in one place:

ssl_dhparam /etc/ssl/certs/dhparam.pem;

ssl_session_timeout 1d;
ssl_session_cache shared:SSL:50m;
ssl_session_tickets off;

ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
ssl_prefer_server_ciphers on;

ssl_stapling on;
ssl_stapling_verify on;
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 30s;

add_header Strict-Transport-Security "max-age=15768000; includeSubdomains; preload";
add_header X-Frame-Options SAMEORIGIN;
add_header X-Content-Type-Options nosniff;
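Two settings in the snippet above are worth a second look before it goes live: ssl_protocols still enables TLSv1 and TLSv1.1, which are deprecated by RFC 8996, and the Strict-Transport-Security header asks for preload with a max-age of six months, while the browser preload list requires at least one year (31536000 seconds). The script below is an added example, not part of the original tutorial; it lints an ssl.conf snippet for exactly those two conditions and runs over two constructed samples (one mirroring the tutorial's values, one corrected) so the difference is visible.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: a small lint for the ssl.conf
# snippet. It flags two settings a reviewer would catch before go-live:
#   1. ssl_protocols still enabling TLSv1 or TLSv1.1 (deprecated by RFC 8996)
#   2. an HSTS header that carries "preload" with max-age below one year
#      (31536000 s), which the browser preload list rejects
# lint_ssl_conf FILE prints one "weak: ..." line per finding and returns the count.

lint_ssl_conf() {
    file="$1"
    findings=0

    # 1. protocol versions: take the uncommented ssl_protocols line, drop the
    #    trailing ';' and squeeze whitespace so each token is space-delimited
    protos=$(grep -E '^[[:space:]]*ssl_protocols[[:space:]]' "$file" \
             | sed 's/;.*//' | tr -s '[:space:]' ' ')
    case " $protos " in
        *" TLSv1 "*|*" TLSv1.1 "*)
            echo "weak: ssl_protocols enables TLSv1/TLSv1.1 ($protos)"
            findings=$((findings + 1)) ;;
    esac

    # 2. HSTS: only a problem when "preload" is requested with a short max-age
    hsts=$(grep -E '^[[:space:]]*add_header[[:space:]]+Strict-Transport-Security' "$file" || true)
    case "$hsts" in
        *preload*)
            max_age=$(printf '%s\n' "$hsts" | sed -n 's/.*max-age=\([0-9][0-9]*\).*/\1/p')
            if [ "${max_age:-0}" -lt 31536000 ]; then
                echo "weak: HSTS preload needs max-age >= 31536000, found ${max_age:-none}"
                findings=$((findings + 1))
            fi ;;
    esac
    return "$findings"
}

# Constructed sample mirroring the tutorial's settings (the two weak values)
write_weak_snippet() {
    cat > "$1" <<'EOF'
# constructed sample: the tutorial's protocol and HSTS lines
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
add_header Strict-Transport-Security "max-age=15768000; includeSubdomains; preload";
EOF
}

# Constructed sample with both settings corrected
write_hardened_snippet() {
    cat > "$1" <<'EOF'
# constructed sample: TLS 1.2+ only and a preload-eligible HSTS max-age
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers on;
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
EOF
}

demo() {
    tmp=$(mktemp -d)
    write_weak_snippet "$tmp/weak.conf"
    write_hardened_snippet "$tmp/hardened.conf"
    for f in "$tmp/weak.conf" "$tmp/hardened.conf"; do
        echo "== $f"
        n=0
        lint_ssl_conf "$f" || n=$?
        echo "   findings: $n"
    done
    rm -rf "$tmp"
}
demo
```

Point lint_ssl_conf at the real /etc/nginx/snippets/ssl.conf (or any included snippet) as a pre-reload check; a non-zero return is the number of findings, which makes it easy to gate `nginx -t && systemctl reload nginx` on it.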

Create a plain HTTP server block for the domain at /etc/nginx/sites-available/mywebsite.co.za.conf. At this point no certificate exists yet, so the block only needs to serve the ACME challenge:

server {
  listen 80;
  server_name mywebsite.co.za www.mywebsite.co.za;

  include snippets/letsencrypt.conf;
}

Enable the site with a symbolic link and reload Nginx:

$ sudo ln -s /etc/nginx/sites-available/mywebsite.co.za.conf /etc/nginx/sites-enabled/mywebsite.co.za.conf
$ sudo systemctl reload nginx

Letsencrypt

Use certbot in webroot mode to obtain the certificate (the -w path is the directory created earlier, the -d flags list every name the certificate must cover):

$ sudo certbot certonly --agree-tos --email ruan@ruanbekker.com --webroot -w /var/lib/letsencrypt/ -d mywebsite.co.za -d www.mywebsite.co.za

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org

-------------------------------------------------------------------------------
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about our work
encrypting the web, EFF news, campaigns, and ways to support digital freedom.
-------------------------------------------------------------------------------
(Y)es/(N)o: N
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for mywebsite.co.za
http-01 challenge for www.mywebsite.co.za
Using the webroot path /var/lib/letsencrypt for all unmatched domains.
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/mywebsite.co.za/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/mywebsite.co.za/privkey.pem
   Your cert will expire on 2018-10-01. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

Now that the certificate exists, extend /etc/nginx/sites-available/mywebsite.co.za.conf with an HTTPS server block and redirect HTTP to HTTPS. The port 80 block keeps the challenge snippet so renewals keep working, and the port 443 block must list both names because the redirect sends clients to https://$host:

server {
    listen 80;
    server_name www.mywebsite.co.za mywebsite.co.za;

    include snippets/letsencrypt.conf;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl http2;
    server_name www.mywebsite.co.za mywebsite.co.za;

    ssl_certificate /etc/letsencrypt/live/mywebsite.co.za/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/mywebsite.co.za/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/mywebsite.co.za/chain.pem;
    include snippets/ssl.conf;

    location / {
      root /usr/share/nginx/html/;
    }

}

Reload Nginx:

$ sudo systemctl reload nginx

Certbot Renew Script

Set up the renewal cron job in /etc/cron.d/certbot. It runs twice a day with a random delay, and the renew hook reloads Nginx so the new certificate is picked up:

0 */12 * * * root test -x /usr/bin/certbot -a \! -d /run/systemd/system && perl -e 'sleep int(rand(3600))' && certbot -q renew --renew-hook "systemctl reload nginx"

Test the renewal in dry-run mode, which exercises the full challenge against the staging environment without issuing a certificate:

$ sudo certbot renew --dry-run
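A dry run proves renewal works today, but the failure mode to plan for is a renewal that silently stops working later (the cron job not firing, webroot permissions changed, the challenge snippet dropped from a server block). The script below is an added example, not part of the original tutorial: it reports how many days each certificate under /etc/letsencrypt/live has left and warns once a certificate is inside the window in which certbot should already have renewed it. It assumes openssl and GNU date, as on the Ubuntu host this tutorial targets, and the 20-day threshold is a chosen value, not something certbot prescribes.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: check how long the issued
# certificate remains valid, so a renewal that silently stopped working is
# noticed long before the site goes down.
# Assumes openssl and GNU date (Ubuntu, as in the tutorial).

# days_until_expiry CERT_PEM: prints the whole days remaining until notAfter
days_until_expiry() {
    # openssl prints e.g. "notAfter=Oct  1 12:00:00 2018 GMT"
    not_after=$(openssl x509 -noout -enddate -in "$1" | sed 's/^notAfter=//')
    expiry=$(date -u -d "$not_after" +%s)
    now=$(date -u +%s)
    echo $(( (expiry - now) / 86400 ))
}

# cert_ok CERT_PEM DAYS: returns 0 if the cert is still valid DAYS days from now,
# 1 if it expires within that window (openssl's -checkend does the comparison)
cert_ok() {
    openssl x509 -noout -checkend $(( $2 * 86400 )) -in "$1" >/dev/null
}

# check_live_certs DAYS: walk certbot's live directory and report each fullchain;
# returns the number of certificates inside the warning window
check_live_certs() {
    threshold="$1"
    bad=0
    for cert in /etc/letsencrypt/live/*/fullchain.pem; do
        [ -f "$cert" ] || continue      # unmatched glob: no certificates present
        name=$(basename "$(dirname "$cert")")
        if cert_ok "$cert" "$threshold"; then
            echo "ok    $name: $(days_until_expiry "$cert") days left"
        else
            echo "WARN  $name: expires within $threshold days, check 'certbot renew'"
            bad=$((bad + 1))
        fi
    done
    return "$bad"
}

# Certbot renews when 30 days remain; warning at 20 (a chosen threshold) means a
# broken renewal is caught with time to fix it before expiry.
check_live_certs 20 || echo "$? certificate(s) need attention"
```

Run it from a separate cron entry or a monitoring check; because check_live_certs returns the number of certificates in the warning window, a non-zero exit is enough for most alerting hooks.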

Resources:

https://linuxize.com/post/secure-nginx-with-let-s-encrypt-on-ubuntu-16-04/