LINUX, DEVOPS

Let’s Encrypt, NGINX and Ubuntu

#nginx, #ubuntu

Let’s Encrypt has entered Public Beta, so let’s try it out. I will show a simple way to configure Let’s Encrypt for NGINX on Ubuntu. You can read more about installation and configuration at https://letsencrypt.readthedocs.org/en/latest/

Clone the letsencrypt repository from GitHub:

git clone https://github.com/letsencrypt/letsencrypt

We need to stop NGINX.

sudo service nginx stop

Now let’s install the client (it will install all required dependencies via apt-get), run it and create the certificates. At the moment the plugin for NGINX is not installed by default (it is experimental), so we will only generate the certificates.

cd letsencrypt
./letsencrypt-auto certonly

Enter your e-mail address.

Let's Encrypt - enter e-mail

Accept the terms of service.

Let's Encrypt - Terms of Service

Enter your domain.

Let's Encrypt - enter domain

You will see some important information:

IMPORTANT NOTES:
 - If you lose your account credentials, you can recover through
   e-mails sent to E_MAIL ADDRESS.
 - Your account credentials have been saved in your Let's Encrypt
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Let's
   Encrypt so making regular backups of this folder is ideal.

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at
   etc/letsencrypt/live/eshlox.net/fullchain.pem. Your cert will
   expire on 2016-03-02. To obtain a new version of the certificate in
   the future, simply run Let's Encrypt again.
 - If like Let's Encrypt, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

Start NGINX.

sudo service nginx start

Now we need to configure NGINX. You can use the Mozilla SSL Configuration Generator as a starting point. Here is the most important part of my NGINX configuration:

server {
        listen 80;
        server_name eshlox.net www.eshlox.net;
        return 301 https://$server_name$request_uri;
}

server {
        listen 443 ssl;
        server_name eshlox.net www.eshlox.net;

        ssl_certificate /etc/letsencrypt/live/eshlox.net/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/eshlox.net/privkey.pem;
        ssl_session_timeout 1d;
        ssl_session_cache shared:SSL:50m;
        ssl_session_tickets off;

        # openssl dhparam -out dhparam.pem 2048
        ssl_dhparam /etc/nginx/dhparam.pem;

        ssl_protocols TLSv1.1 TLSv1.2;
        ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK';
        ssl_prefer_server_ciphers on;

        add_header Strict-Transport-Security max-age=15768000;

        ssl_stapling on;
        ssl_stapling_verify on;

        ssl_trusted_certificate /etc/letsencrypt/live/eshlox.net/chain.pem;

        # FURTHER CONFIGURATION IS REMOVED
        # because it's not related to Let's Encrypt
}

The first server block only redirects HTTP to HTTPS. The second one holds the SSL configuration. As you can see, all certificates live in /etc/letsencrypt/live/YOUR_DOMAIN. We also need to create the dhparam.pem file. You can read more about it here and here. The openssl command in the comment above ssl_dhparam generates this file.

That’s all. Reload NGINX to load the new configuration.

sudo service nginx reload
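The client's notes above say the certificate expires on 2016-03-02 and that renewing means running Let's Encrypt again, but nothing in this setup tracks that date. As an added example (not part of the original post), here is a small POSIX shell script that reads notAfter from the served fullchain.pem with openssl and reports how many days remain, so a cron job can re-run certonly and reload NGINX before expiry. It assumes the live-directory layout from the post and that openssl and GNU date are installed; the client path in the usage comment is a placeholder.

```shell
#!/bin/sh
# Added example, not from the original post: how many days the certificate
# NGINX serves has left, so a cron job can decide when to run
# "letsencrypt-auto certonly" again and "service nginx reload" afterwards.
# Assumes the layout from the post (/etc/letsencrypt/live/DOMAIN/fullchain.pem)
# and that openssl and GNU date are installed (BSD date is tried as fallback).

# Seconds since the epoch for a date string as printed by openssl,
# e.g. "Mar  2 12:00:00 2016 GMT". GNU date first, BSD date as fallback.
to_epoch() {
    date -u -d "$1" +%s 2>/dev/null ||
        date -u -j -f '%b %d %H:%M:%S %Y %Z' "$1" +%s
}

# days_left NOT_AFTER [NOW]: whole days from NOW (default: current time)
# until NOT_AFTER; negative once the certificate has expired.
days_left() {
    end=$(to_epoch "$1") || return 2
    if [ $# -ge 2 ]; then
        now=$(to_epoch "$2") || return 2
    else
        now=$(date -u +%s)
    fi
    echo $(( (end - now) / 86400 ))
}

# cert_days_left CERT_FILE: read notAfter from a PEM file. fullchain.pem
# starts with the leaf certificate, which is the one openssl reports on.
cert_days_left() {
    not_after=$(openssl x509 -in "$1" -noout -enddate) || return 2
    days_left "${not_after#notAfter=}"
}

# needs_renewal CERT_FILE THRESHOLD_DAYS: exit 0 when THRESHOLD_DAYS or fewer
# remain, 1 when the certificate is still fine, 2 when it cannot be read.
needs_renewal() {
    left=$(cert_days_left "$1") || return 2
    [ "$left" -le "$2" ]
}

# Cron-style use on the host from the post (domain from the post, the client
# path is a placeholder):
#   if needs_renewal /etc/letsencrypt/live/eshlox.net/fullchain.pem 30; then
#       /path/to/letsencrypt/letsencrypt-auto certonly && service nginx reload
#   fi
```

Run it from cron a few days before the 90-day lifetime ends; exit status 2 (unreadable certificate) is worth alerting on separately from "renewal due".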

My blog uses Let’s Encrypt so you can see how it works. ;-)

Let me know if something doesn’t work!