Let’s Encrypt is a free, automated and open certificate authority run by the Internet Security Research Group (ISRG). The certificates it issues are trusted by virtually all current browsers and operating systems, and issuance costs nothing.
This tutorial gives step-by-step instructions for securing an Nginx server with a Let’s Encrypt TLS certificate on a yum-based distribution such as CentOS.
Install Certbot
Certbot is the ACME client that automates obtaining and renewing Let’s Encrypt certificates and, optionally, configuring the web server. On CentOS the package comes from the EPEL repository, so enable EPEL first if yum cannot find it.
The following command installs the certbot package:
sudo yum install certbot
Generate a Strong Diffie-Hellman (DH) Group
Diffie–Hellman key exchange (DH) is a method of agreeing on a shared secret over an untrusted channel. Nginx uses the parameters generated here for the DHE cipher suites in TLS 1.2; ECDHE suites and TLS 1.3 negotiate their groups without this file, but generating your own parameters avoids relying on any built-in default.
Generate a new set of 2048-bit DH parameters by typing the following command (expect it to run for a minute or more):
sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048
Obtaining a Let’s Encrypt SSL certificate
To keep the steps simple we use the Webroot plugin. It answers the ACME HTTP-01 challenge by writing a temporary file under ${webroot-path}/.well-known/acme-challenge/, which Let’s Encrypt then fetches over plain HTTP, so the domain must resolve to this server and port 80 must be reachable from the internet.
Create the directory and give the nginx group ownership of it, with the setgid bit so that the files Certbot writes there inherit the group and Nginx can serve them:
sudo mkdir -p /var/lib/letsencrypt/.well-known
sudo chgrp nginx /var/lib/letsencrypt
sudo chmod g+s /var/lib/letsencrypt
To avoid repeating boilerplate in every server block, create a snippets directory and save the following two snippets in it; each server block then pulls them in with an include directive (the file names are yours to choose).
sudo mkdir /etc/nginx/snippets
The first snippet exposes the challenge directory over HTTP. The ^~ modifier makes this prefix location win over any regular-expression locations, so a site-wide redirect or rewrite cannot swallow the challenge request:
location ^~ /.well-known/acme-challenge/ {
    allow all;
    root /var/lib/letsencrypt/;
    default_type "text/plain";
    try_files $uri =404;
}
The second snippet holds the TLS settings. It enables only TLS 1.2 and 1.3 (TLS 1.0 and 1.1 are deprecated by RFC 8996) and restricts the cipher list to forward-secret ECDHE and DHE suites, leaving out 3DES and static RSA key exchange:
ssl_dhparam /etc/ssl/certs/dhparam.pem;
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:50m;
ssl_session_tickets off;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:!DSS';
ssl_prefer_server_ciphers on;
ssl_stapling on;
ssl_stapling_verify on;
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 30s;
add_header Strict-Transport-Security "max-age=15768000; includeSubdomains; preload";
add_header X-Frame-Options SAMEORIGIN;
add_header X-Content-Type-Options nosniff;
A few caveats on this snippet. The TLSv1.3 value needs Nginx 1.13 or newer built against OpenSSL 1.1.1; on older builds list TLSv1.2 alone or Nginx will reject the configuration. The Strict-Transport-Security header with includeSubdomains and preload commits every subdomain to HTTPS, and once the domain has been submitted to the browser preload list that is effectively irreversible, so start with a short max-age and without preload until every subdomain is confirmed to work over HTTPS; the preload list also requires a max-age of at least 31536000 (one year), more than the 15768000 used here. ssl_stapling relies on the resolver lines to reach the CA's OCSP responder; Let’s Encrypt is retiring OCSP in favour of CRLs, and for a certificate without an OCSP URL Nginx simply logs that the directive was ignored, which is harmless. Finally, add_header directives are not inherited into a server or location block that declares its own add_header, so keep all security headers together in this snippet rather than scattering them.
Include the challenge snippet in the server block that listens on port 80 for your domain (the TLS snippet comes later, once the certificate files exist), check the syntax with nginx -t, and reload Nginx to activate the change:
sudo systemctl reload nginx
Now run Certbot to obtain the certificate files for your domain:
sudo certbot certonly --agree-tos --email admin@example.com --webroot -w /var/lib/letsencrypt/ -d example.com -d www.example.com
Replace the e-mail address and domain names with your own; every name passed with -d must resolve to this server, because Let’s Encrypt validates each one separately. On success Certbot stores the certificate, private key and chain under /etc/letsencrypt/live/example.com/ (fullchain.pem, privkey.pem, chain.pem), which is where the ssl_certificate and ssl_certificate_key directives of your HTTPS server block should point. Let’s Encrypt enforces issuance rate limits, so while experimenting add --dry-run to the command: it exercises the whole challenge against the staging environment without issuing a real certificate.
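The tutorial never shows the server block that ties the certificate and the two snippets together, so here is one as an added example; it is not part of the original page. It assumes the challenge snippet was saved as /etc/nginx/snippets/letsencrypt.conf and the TLS snippet as /etc/nginx/snippets/ssl.conf (the page does not name the files), the domain example.com with document root /var/www/example.com, and Certbot’s default certificate location under /etc/letsencrypt/live/example.com/.

```nginx
# Added example, not from the original tutorial. Snippet file names,
# the document root and the config file location are assumptions.

# Plain-HTTP block: answers ACME challenges, redirects everything else.
server {
    listen 80;
    server_name example.com www.example.com;

    # ^~ inside the snippet makes the challenge path win over the
    # redirect below, for both first issuance and every later renewal.
    include snippets/letsencrypt.conf;   # assumed name of the first snippet

    location / {
        return 301 https://$host$request_uri;
    }
}

# Canonicalise www -> apex over HTTPS (a valid cert is needed here too,
# which is why the certbot command requested both names).
server {
    listen 443 ssl;
    server_name www.example.com;

    ssl_certificate     /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
    include snippets/ssl.conf;           # assumed name of the second snippet

    return 301 https://example.com$request_uri;
}

# The actual site.
server {
    listen 443 ssl;
    server_name example.com;

    # fullchain.pem carries the intermediate so clients can build the chain;
    # privkey.pem is readable only by root, which is fine because the master
    # process reads it before dropping privileges.
    ssl_certificate     /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
    include snippets/ssl.conf;

    root  /var/www/example.com;           # assumed document root
    index index.html;

    # No add_header here: declaring one in this block would discard the
    # headers set in snippets/ssl.conf.
    location / {
        try_files $uri $uri/ =404;
    }
}
```

Save it as /etc/nginx/conf.d/example.com.conf (assumed path), then run sudo nginx -t and sudo systemctl reload nginx. Because the HTTP-to-HTTPS redirect lives inside location / while the challenge location uses the ^~ prefix modifier, the ACME path keeps being served over port 80 after the redirect is in place, which is what makes unattended renewal work.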
Automatic certificate renewal
Let’s Encrypt certificates are valid for 90 days. certbot renew checks every certificate it manages and renews only those within 30 days of expiry, so it is safe to schedule it frequently. The following command adds a job to the system crontab; note the user field (root) that /etc/crontab requires between the schedule and the command. Writing sudo there, as older versions of this line did, makes cron read "sudo" as the user name and the job never runs:
echo "0 0,12 * * * root certbot renew --quiet --deploy-hook 'systemctl reload nginx'" | sudo tee -a /etc/crontab > /dev/null
--deploy-hook runs only when a certificate was actually renewed, and a reload is enough for Nginx to pick up the new files without dropping connections; a --post-hook that restarts Nginx would have restarted it twice a day whether or not anything changed. Some distribution packages also ship a systemd timer for certbot; check systemctl list-timers first so you do not schedule renewal twice. Test the whole renewal path once with sudo certbot renew --dry-run.
Additional links
If you need more information about using Certbot, you can check the official Certbot documentation.