Let’s Encrypt, NGINX and Ubuntu
Let’s Encrypt has entered public beta, so let’s try it out. I will show a simple way to configure Let’s Encrypt for NGINX on Ubuntu. You can read more about installation and configuration at https://letsencrypt.readthedocs.org/en/latest/
Clone the letsencrypt repository from GitHub:
git clone https://github.com/letsencrypt/letsencrypt
We need to stop NGINX, because without a web-server plugin the client’s standalone authenticator has to bind port 80 or 443 itself to answer the domain-validation challenge.
sudo service nginx stop
Now let’s install the client (it installs all required dependencies via apt-get), run it and create the certificates. At the moment the NGINX plugin is experimental and not installed by default, so we will only generate the certificates and configure NGINX by hand.
cd letsencrypt
./letsencrypt-auto certonly
Enter your e-mail address.
Accept the terms of service.
Enter your domain.
You will see some important information:
IMPORTANT NOTES:
 - If you lose your account credentials, you can recover through
   e-mails sent to E_MAIL ADDRESS.
 - Your account credentials have been saved in your Let's Encrypt
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Let's
   Encrypt so making regular backups of this folder is ideal.
IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at
   /etc/letsencrypt/live/eshlox.net/fullchain.pem. Your cert will
   expire on 2016-03-02. To obtain a new version of the certificate in
   the future, simply run Let's Encrypt again.
 - If you like Let's Encrypt, please consider supporting our work by:
   Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
   Donating to EFF: https://eff.org/donate-le
Start NGINX.
sudo service nginx start
Now we need to configure NGINX. You can use Mozilla SSL Configuration Generator. Here is the most important part of my NGINX configuration:
server {
    listen 80;
    server_name eshlox.net www.eshlox.net;
    return 301 https://$server_name$request_uri;
}

server {
    listen 443 ssl;
    server_name eshlox.net www.eshlox.net;

    ssl_certificate /etc/letsencrypt/live/eshlox.net/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/eshlox.net/privkey.pem;
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:50m;
    ssl_session_tickets off;

    # openssl dhparam -out dhparam.pem 2048
    ssl_dhparam /etc/nginx/dhparam.pem;

    ssl_protocols TLSv1.1 TLSv1.2;
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK';
    ssl_prefer_server_ciphers on;

    add_header Strict-Transport-Security max-age=15768000;

    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /etc/letsencrypt/live/eshlox.net/chain.pem;

    # FURTHER CONFIGURATION IS REMOVED
    # because it's not related to Let's Encrypt
}
The first server block only redirects HTTP to HTTPS. The second one holds the SSL configuration. As you can see, all certificates live in /etc/letsencrypt/live/YOUR_DOMAIN: fullchain.pem is the certificate plus the intermediate chain that is served to clients, privkey.pem is the private key, and chain.pem is the intermediate alone, which is what OCSP stapling needs in ssl_trusted_certificate. Note that ssl_stapling also needs a resolver directive so that NGINX can look up the OCSP responder’s hostname; without one NGINX logs a warning and serves no stapled response. We also need to create the dhparam.pem file before reloading, because NGINX refuses to start if the file named in ssl_dhparam is missing. You can read more about it here and here. The openssl command in the comment above ssl_dhparam generates this file.
That’s all. Test the configuration and reload NGINX to load it. Remember that Let’s Encrypt certificates are valid for 90 days (see the expiry date printed above), so you will have to repeat the certonly step, with NGINX stopped again, before then.
sudo service nginx reload
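As an added example that is not part of the original post or of the Let’s Encrypt client, here is a small POSIX shell pre-flight script for the procedure above: it checks that the live directory has the three files the configuration refers to, that privkey.pem really belongs to the leaf certificate in fullchain.pem, and that the certificate is not about to expire, then runs nginx -t when NGINX is installed so a broken configuration is caught before the reload. The only assumption is the live directory layout shown above (fullchain.pem, privkey.pem, chain.pem); the make_sample_live_dir helper builds a throwaway self-signed certificate as constructed test data so the script can be run without a real Let’s Encrypt account.

```shell
#!/bin/sh
# Added example, not part of the original post or of the Let's Encrypt client.
# Pre-flight checks to run after "letsencrypt-auto certonly" and before
# "service nginx reload". Assumes the live directory layout from the post:
# fullchain.pem, privkey.pem and chain.pem under /etc/letsencrypt/live/DOMAIN.

# check_live_dir DIR [DAYS]
# Returns 0 when DIR has the three files, privkey.pem matches the leaf
# certificate in fullchain.pem, and the leaf does not expire within DAYS
# days (default 30). Prints the reason and returns 1 otherwise.
check_live_dir() {
    dir="$1"
    days="${2:-30}"
    for f in fullchain.pem privkey.pem chain.pem; do
        [ -r "$dir/$f" ] || { echo "missing $dir/$f"; return 1; }
    done
    # "openssl x509" reads only the first PEM block, i.e. the leaf certificate.
    cert_pub=$(openssl x509 -in "$dir/fullchain.pem" -noout -pubkey 2>/dev/null) || {
        echo "cannot parse $dir/fullchain.pem"; return 1; }
    key_pub=$(openssl pkey -in "$dir/privkey.pem" -pubout 2>/dev/null) || {
        echo "cannot parse $dir/privkey.pem"; return 1; }
    [ "$cert_pub" = "$key_pub" ] || { echo "privkey.pem does not match fullchain.pem"; return 1; }
    # -checkend exits non-zero if the certificate expires within N seconds.
    openssl x509 -in "$dir/fullchain.pem" -noout -checkend $((days * 86400)) >/dev/null 2>&1 \
        || { echo "certificate expires within $days days, renew it"; return 1; }
    return 0
}

# preflight DIR: certificate checks plus "nginx -t" when nginx is installed,
# so a typo in the configuration is caught before "service nginx reload".
preflight() {
    check_live_dir "$1" || return 1
    if command -v nginx >/dev/null 2>&1; then
        nginx -t || return 1
    fi
    return 0
}

# make_sample_live_dir DAYS: constructed test data only. Creates a temporary
# directory holding a throwaway self-signed certificate valid for DAYS days
# and prints the directory name. A real live directory comes from the client.
make_sample_live_dir() {
    d=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days "$1" -subj "/CN=example.test" \
        -keyout "$d/privkey.pem" -out "$d/fullchain.pem" >/dev/null 2>&1
    # A self-signed certificate is its own chain.
    cp "$d/fullchain.pem" "$d/chain.pem"
    echo "$d"
}

# Demo: a 90-day certificate (the Let's Encrypt lifetime) passes a 30-day
# check and fails a 120-day one; a swapped private key is also caught.
demo() {
    d=$(make_sample_live_dir 90)
    check_live_dir "$d" 30 && echo "OK: key matches, more than 30 days left"
    check_live_dir "$d" 120 || echo "expected: fewer than 120 days left"
    openssl genrsa -out "$d/privkey.pem" 2048 2>/dev/null
    check_live_dir "$d" 30 || echo "expected: mismatched key detected"
    rm -rf "$d"
}

demo
```

On the real server run preflight /etc/letsencrypt/live/YOUR_DOMAIN as root (the private key is only readable by root) and reload NGINX only when it returns 0; the 30-day threshold is a reasonable point to trigger the renewal described above.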
My blog uses Let’s Encrypt so you can see how it works. ;-)
Let me know if something doesn’t work!