1. Introduction
Let’s Encrypt is a free, automated, and open certificate authority brought to you by the non-profit Internet Security Research Group (ISRG).
In this post, I'll show you step-by-step instructions for installing Let's Encrypt with Nginx on Ubuntu 16.04 and 18.04.
2. Prerequisites
To complete this tutorial, you will need:
- an Ubuntu 16.04 or 18.04 server;
- an updated system:
sudo apt update && sudo apt upgrade
3. Install Let's Encrypt
In addition to being a certificate authority, Let's Encrypt offers a client tool that automates obtaining a TLS certificate for your domain name and installing it. To install this tool, we start by cloning its GitHub repository.
First, install git on the server:
sudo apt-get update
sudo apt-get install git
Now that we have git, we will be able to clone the Let’s Encrypt client from the official Github repository. We will place this client in the /opt folder of our server.
sudo git clone https://github.com/letsencrypt/letsencrypt /opt/letsencrypt --depth=1
We keep this repository to update the client later; --depth=1 skips the older history, since we do not need to go back to earlier versions. To update the client afterwards, we simply pull:
cd /opt/letsencrypt
sudo git pull
Let's Encrypt has an automatic mode that installs the dependencies the tool needs and sets up the certificates according to your server configuration. This automatic installation works with an Apache web server but remains experimental for nginx, so we will use Let's Encrypt for certificate generation only.
To verify that you control the domain name for which you request a certificate, Let's Encrypt has the client place a file on your server and then fetches it from the Let's Encrypt servers. To serve this file, it is possible to use the standalone web server built into the Let's Encrypt client, but we can also use our own web server (here nginx). We choose the second method because we do not want to interrupt nginx while the certificate is being generated and obtained. We modify the configuration of our nginx virtual host:
server {
    # .well-known must remain accessible
    location ~ /\.well-known/acme-challenge {
        allow all;
    }
    # We usually deny access to dotfiles
    location ~ /\. { deny all; access_log off; log_not_found off; }
}
Once nginx is configured to serve the files in this folder, we can use the webroot plugin to generate the certificate:
sudo /opt/letsencrypt/letsencrypt-auto certonly --rsa-key-size 4096 --webroot --webroot-path /var/www/mondomaine.fr -d mondomaine.fr
Generated certificates and private keys are stored under /etc/letsencrypt/live/. We then need to modify our nginx configuration to use these certificates:
# Redirect http to https
server {
    listen 80;
    listen [::]:80;
    server_name mondomaine.fr;
    location ~ /\.well-known/acme-challenge {
        allow all;
    }
    location / {
        return 301 https://mondomaine.fr$request_uri;
    }
}
# Our server block
server {
    # http2 for Nginx >= 1.9.5 (the versions shipped with Ubuntu 16.04 and 18.04)
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    # spdy for Nginx < 1.9.5 only (removed in later versions; use instead of the http2 lines above)
    #listen 443 ssl spdy;
    #listen [::]:443 ssl spdy;
    #spdy_headers_comp 9;
    server_name mondomaine.fr;
    root /var/www/mondomaine.fr;
    index index.html index.htm;
    error_log /var/log/nginx/mondomaine.fr.log notice;
    access_log off;
    #### Locations
    # Cache static files
    location ~* \.(html|css|js|png|jpg|jpeg|gif|ico|svg|eot|woff|ttf)$ { expires max; }
    # Deny dotfiles
    location ~ /\. { deny all; }
    #### SSL (enabled by the "ssl" parameter on the listen directives above)
    ssl_certificate /etc/letsencrypt/live/mondomaine.fr/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/mondomaine.fr/privkey.pem;
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /etc/letsencrypt/live/mondomaine.fr/fullchain.pem;
    # Google DNS, Open DNS, Dyn DNS
    resolver 8.8.8.8 8.8.4.4 208.67.222.222 208.67.220.220 216.146.35.35 216.146.36.36 valid=300s;
    resolver_timeout 3s;
    #### Session Tickets
    # The session cache must have the same value in every "server" block.
    ssl_session_cache shared:SSL:100m;
    ssl_session_timeout 24h;
    ssl_session_tickets on;
    # [WARNING] the session ticket key must be generated (see below).
    ssl_session_ticket_key /etc/nginx/ssl/ticket.key;
    # [WARNING] the Diffie-Hellman parameters must be generated (see below).
    ssl_dhparam /etc/nginx/ssl/dhparam4.pem;
    #### ECDH Curve
    ssl_ecdh_curve secp384r1;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK';
}
Finally, generate the session ticket key and the Diffie-Hellman parameters referenced by the configuration above:
sudo mkdir -p /etc/nginx/ssl &&
sudo openssl rand -out /etc/nginx/ssl/ticket.key 48 &&
sudo openssl dhparam -out /etc/nginx/ssl/dhparam4.pem 4096
4. Renewing the Let's Encrypt certificate
The certificates offered by Let’s Encrypt are valid for a period of 90 days. It will therefore be necessary to renew them before the end of this period. For this we can use the command:
/opt/letsencrypt/letsencrypt-auto renew
This command renews the certificates without any user interaction, so you can add it to your cron's recurring tasks to renew the certificate periodically. It checks the expiry date before starting the procedure, so it can be scheduled weekly:
sudo crontab -e
30 3 * * 0 /opt/letsencrypt/letsencrypt-auto renew >> /var/log/letsencrypt/renewal.log
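As an added example (not part of the original post), a small POSIX shell script that reproduces the "renew only when expiry is near" decision the renewer makes, so the weekly cron job can be checked by hand from the command line. It assumes the tutorial's paths for the certificate and the client and an installed openssl; the 30-day window is the renewal window Let's Encrypt recommends.

```shell
#!/bin/sh
# Added example, not from the tutorial: decide whether the certificate needs
# renewal and only then call the renewer. Paths are the tutorial's (assumption).

CERT=/etc/letsencrypt/live/mondomaine.fr/fullchain.pem
RENEWER=/opt/letsencrypt/letsencrypt-auto
RENEW_WINDOW_DAYS=30   # renew when fewer than 30 of the 90 days remain

# needs_renewal CERT [DAYS]
#   returns 0 when the certificate expires within DAYS days (renew now),
#   1 when it stays valid beyond that window, 2 when the file is unreadable.
needs_renewal() {
    cert=$1
    days=${2:-$RENEW_WINDOW_DAYS}
    [ -r "$cert" ] || return 2
    # `openssl x509 -checkend N` exits 0 if the certificate is still valid N
    # seconds from now and 1 if it will have expired by then, so we invert it.
    if openssl x509 -noout -in "$cert" -checkend "$((days * 86400))" >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# cert_not_after CERT: print the expiry date exactly as openssl reports it
cert_not_after() {
    openssl x509 -noout -enddate -in "$1" | sed 's/^notAfter=//'
}

# renew_if_needed: cron-friendly wrapper that logs its decision either way
renew_if_needed() {
    rc=0
    needs_renewal "$CERT" || rc=$?
    case $rc in
        0) echo "$(date -u +%FT%TZ) expires $(cert_not_after "$CERT"); running renewer"
           "$RENEWER" renew ;;
        1) echo "$(date -u +%FT%TZ) valid until $(cert_not_after "$CERT"); nothing to do" ;;
        *) echo "$(date -u +%FT%TZ) cannot read $CERT" >&2; return 2 ;;
    esac
}

# Uncomment to run from cron, e.g. weekly as in the crontab line above:
# renew_if_needed
```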