
SSL from letsencrypt.org

How to get an X.509 (DV) certificate from letsencrypt.org for nginx running on Ubuntu.

Reference:

letsencrypt   wiki   compatibility   webhosts   certbot  techarena51  nginx 

After you get the certificate, use Mozilla SSL Configuration Generator:

github   mozilla  

Checking a certificate:

ssllabs   sslshopper   symantec  

Getting high results:

michael  

Extra: Some info on buying a certificate:

iredmail   godaddy  

Extra: htaccess guide:

htaccess-guide  


First make sure that nginx serves the hidden .well-known folder that the ACME challenge uses:

sudo nano /etc/nginx/sites-enabled/yourdomain.com.conf

and add:
# Allow access to the ACME Challenge for Let’s Encrypt
location ~ /\.well-known\/acme-challenge {
    allow all;
}
reload nginx:

sudo nginx -t

sudo service nginx reload


The tool is called certbot on some systems and letsencrypt on others. Check which one is available and install it:

apt show letsencrypt

apt show certbot

sudo apt-get install letsencrypt

Generate Diffie-Hellman (DH) parameters if the pem file does not exist:

openssl dhparam -out dhparams_4096.pem 4096

Get a certificate for xmpl.com and www.xmpl.com with HSTS disabled (preferred):

sudo letsencrypt certonly --email name.surname@gmail.com --agree-tos --rsa-key-size 4096 --webroot -w /path/example -d xmpl.com -d www.xmpl.com

Get a certificate for xmpl.com and www.xmpl.com with HSTS enabled:

sudo letsencrypt certonly --email name.surname@gmail.com --hsts --agree-tos --rsa-key-size 4096 --webroot -w /path/example -d xmpl.com -d www.xmpl.com

You can get one certificate and use it for several websites:

letsencrypt certonly --email name.surname@gmail.com --webroot -w /path/dom1 -d dom1.com -d www.dom1.com -w /path/dom2 -d dom2.com -d www.dom2.com


You can find the obtained certificates and the private key files here:

/etc/letsencrypt/live/xmpl.com/

To find out more about a certificate, run:

sudo openssl x509 -noout -text -in /etc/letsencrypt/live/your_domain_name/cert.pem

sudo openssl x509 -noout -text -in /etc/letsencrypt/live/your_domain_name/cert.pem | grep Issuer:

Let's Encrypt creates symbolic links to the most recent certificate files in the /etc/letsencrypt/live/your_domain_name directory. Because the links will always point to the most recent certificate files, this is the path that you should use to refer to your certificate files. You can check that the files exist by running this command:

sudo ls -l /etc/letsencrypt/live/your_domain_name


Now is a good time to back up the entire /etc/letsencrypt directory to a really secure location. In addition to the certificates, this directory also contains your Let's Encrypt account key.

tar zcvf /where_to_backup/letsencrypt_backup_$(date +'%Y-%m-%d_%H%M').tar.gz /etc/letsencrypt

To restore, run:

tar zxvf /where_to_backup/letsencrypt_backup_ZZZZZZZZZZZz.tar.gz -C /

Reference:

letsencrypt.org  


Add the certificate and key inside the server block of your domain. Note that TLSv1 and TLSv1.1 are deprecated; the full configuration at the end of this page enables only TLSv1.2.
server {

    listen 443 ssl;
    server_name  yourdomain.com  www.yourdomain.com;

    ssl_certificate /etc/letsencrypt/live/yourdomain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/yourdomain.com/privkey.pem;

    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers 'kEECDH+ECDSA+AES128 kEECDH+ECDSA+AES256 kEECDH+AES128 kEECDH+AES256 kEDH+AES128 kEDH+AES256 DES-CBC3-SHA +SHA !aNULL !eNULL !LOW !kECDH !DSS !MD5 !EXP !PSK !SRP !CAMELLIA !SEED';
 ...
}
Redirect the traffic from HTTP to HTTPS by adding another server block outside the earlier one:
server {
    listen 80;
    server_name yourdomain.com www.yourdomain.com;
    return 301 https://$host$request_uri;
}
restart nginx:

sudo nginx -t

sudo service nginx restart


Harden nginx by using a Diffie-Hellman parameter for DHE cipher suites; 4096 bits is recommended (this takes a very long time to generate):

sudo openssl dhparam -out /etc/letsencrypt/dhparams_4096.pem 4096

Edit your website's nginx config file:

sudo nano /etc/nginx/sites-available/yourdomain.com.conf

and add the following line in the server block:

ssl_dhparam /etc/letsencrypt/dhparams_4096.pem;

restart nginx:

sudo nginx -t

sudo service nginx restart

More info:

railean   raymii  


If you have enabled OCSP stapling in /etc/nginx/sites-enabled/yourdomain.com.conf, you can check it with:

openssl s_client -connect r45.red:443 -tls1_2 -tlsextdebug -status

openssl s_client -connect r45.red:443 -tls1 -tlsextdebug -status

You should get a result containing:
OCSP response: 
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Version: 1 (0x0)
    Responder Id: C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
More info:

wiki   stackexchange  


Certificates last 90 days. To renew:

sudo letsencrypt renew --dry-run

sudo letsencrypt renew

You can do this with cron, but note that this does not reload nginx after a renewal, so the new certificate is not served until nginx is reloaded:

sudo crontab -e

and add the line:
@midnight letsencrypt renew >> /var/log/le-renew.log
(The output produced by the command is appended to the log file /var/log/le-renew.log)


To renew a single certificate whose web folder has changed, use:

sudo letsencrypt certonly --webroot -w /var/www/html/folder -d example.com -d www.example.com


You can also add a more complex script as a cron job or systemd timer to automate renewal. See:

archlinux   bjornj   ashleyn  

Create a checking and renewing script:

sudo nano /usr/local/bin/cert_check

and paste the script:
#!/bin/sh
# Renew all Let's Encrypt certificates that have less than 30 days of validity
# left (letsencrypt renew skips the others) and reload nginx so the new
# certificate is actually served.

if ! letsencrypt renew > /var/log/letsencrypt/renew.log 2>&1 ; then
    echo "Automated renewal failed:"
    cat /var/log/letsencrypt/renew.log
    exit 1
fi
# Only reload when the configuration still passes the syntax check
nginx -t && nginx -s reload
Make it executable:

sudo chmod 755 /usr/local/bin/cert_check

Add it to crontab:

sudo crontab -e

and add the line:
@weekly /usr/local/bin/cert_check
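The 30-day rule used by the renewal script above, as an added example that is not part of the original notes: a POSIX sh helper that parses the notAfter date printed by openssl itself (so it does not depend on GNU date) and decides whether a certificate is due for renewal. The certificate path and the 30-day threshold in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example (not from the original notes): decide whether a certificate is
# due for renewal from its notAfter date. Pure POSIX sh; no GNU date needed.

# notafter_to_epoch "Jun 12 12:00:00 2026 GMT" -> seconds since 1970-01-01 UTC
# (the format printed by: openssl x509 -noout -enddate -in cert.pem)
notafter_to_epoch() {
    set -- $1                      # split into month day time year zone
    case $1 in
        Jan) m=1;; Feb) m=2;; Mar) m=3;;  Apr) m=4;;  May) m=5;;  Jun) m=6;;
        Jul) m=7;; Aug) m=8;; Sep) m=9;;  Oct) m=10;; Nov) m=11;; Dec) m=12;;
        *) return 1;;
    esac
    d=$2; y=$4
    hh=${3%%:*}; rest=${3#*:}; mi=${rest%%:*}; ss=${rest#*:}
    hh=${hh#0}; mi=${mi#0}; ss=${ss#0}   # avoid octal parsing of 08/09
    # days-from-civil (proleptic Gregorian calendar), integer arithmetic only
    if [ "$m" -le 2 ]; then y=$((y - 1)); fi
    era=$((y / 400)); yoe=$((y - era * 400))
    mp=$(( m > 2 ? m - 3 : m + 9 ))
    doy=$(( (153 * mp + 2) / 5 + d - 1 ))
    doe=$(( yoe * 365 + yoe / 4 - yoe / 100 + doy ))
    days=$(( era * 146097 + doe - 719468 ))
    echo $(( days * 86400 + hh * 3600 + mi * 60 + ss ))
}

# days_left NOTAFTER NOW_EPOCH -> whole days until expiry (negative if expired)
days_left() {
    end=$(notafter_to_epoch "$1") || return 1
    echo $(( (end - $2) / 86400 ))
}

# cert_days_left PEMFILE -> days left for the certificate in PEMFILE (needs openssl)
cert_days_left() {
    na=$(openssl x509 -noout -enddate -in "$1") || return 1
    days_left "${na#notAfter=}" "$(date -u +%s)"
}

# should_renew DAYS_LEFT THRESHOLD -> success when renewal is due
should_renew() { [ "$1" -lt "$2" ]; }

# Run on a host (path assumed; 30 days matches the script above):
#   left=$(cert_days_left /etc/letsencrypt/live/xmpl.com/cert.pem)
#   should_renew "$left" 30 && letsencrypt renew && nginx -t && nginx -s reload
```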

Here is a full /etc/nginx/sites-enabled/yourdomain.com.conf:
server {
    listen 80;
    listen [::]:80;

    server_name r45.red;

    # Redirect all HTTP requests to HTTPS with a 301 Moved Permanently response.
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;

    root /home/skolem/www/r45.red;

    index index.html;

    server_name r45.red;

    # certs sent to the client in SERVER HELLO are concatenated in ssl_certificate
    ssl_certificate /etc/letsencrypt/live/r45.red/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/r45.red/privkey.pem;
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:50m;
    ssl_session_tickets off;

    # Diffie-Hellman parameter for DHE ciphersuites, recommended 4096 bits
    ssl_dhparam /etc/letsencrypt/dhparams_4096.pem;

    # modern configuration. tweak to your needs.
    ssl_protocols TLSv1.2;
    ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
    ssl_prefer_server_ciphers on;

    # HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
    add_header Strict-Transport-Security max-age=15768000;

    # OCSP Stapling ---
    # fetch OCSP records from URL in ssl_certificate and cache them
    ssl_stapling on;
    ssl_stapling_verify on;

    location / {
                # First attempt to serve request as file, then
                # as directory, then fall back to displaying a 404.
                try_files $uri $uri/ =404;
    }

    # Allow access to the ACME Challenge for Let’s Encrypt
    location ~ /\.well-known\/acme-challenge {
        allow all;
    }

    # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
    #
    #location ~ \.php$ {
    #       include snippets/fastcgi-php.conf;
    #
    #       # With php5-cgi alone:
    #       fastcgi_pass 127.0.0.1:9000;
    #       # With php5-fpm:
    #       fastcgi_pass unix:/var/run/php5-fpm.sock;
    #}

}
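As an added example (not from the original notes), the following script audits the TLS directives of an nginx config against the settings this page ends up with: TLSv1.2 only, a generated ssl_dhparam, fullchain.pem as ssl_certificate, stapling with verification, and session tickets off. The two sample configs it writes are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original notes): audit the TLS directives in an
# nginx config against the settings this page ends up with. Prints one finding
# per line and returns the number of findings, so 0 means nothing was flagged.

has() { printf '%s\n' "$CONF" | grep -Eq "$1"; }   # match comment-stripped config

audit_ssl_conf() {
    CONF=$(sed 's/#.*//' "$1")   # drop comments so commented-out lines do not count
    n=0
    if has 'ssl_protocols[^;]*TLSv1(\.1)?([[:space:]]|;)'; then
        echo "ssl_protocols: TLSv1/TLSv1.1 enabled; the full config uses TLSv1.2 only"; n=$((n+1)); fi
    if ! has 'ssl_dhparam[[:space:]]'; then
        echo "ssl_dhparam: missing; DHE suites need the generated 4096-bit parameters"; n=$((n+1)); fi
    if has 'ssl_certificate[[:space:]][^;]*/cert\.pem'; then
        echo "ssl_certificate: points at cert.pem; use fullchain.pem so the chain is sent"; n=$((n+1)); fi
    if has 'ssl_stapling[[:space:]]+on' && ! has 'ssl_stapling_verify[[:space:]]+on'; then
        echo "ssl_stapling: on, but ssl_stapling_verify is not"; n=$((n+1)); fi
    if ! has 'ssl_session_tickets[[:space:]]+off'; then
        echo "ssl_session_tickets: not off (the full config disables them)"; n=$((n+1)); fi
    return $n
}

# write_samples DIR: two constructed configs (not real hosts) to try the audit on
write_samples() {
    cat > "$1/weak.conf" <<'EOF'
server {
    listen 443 ssl;
    ssl_certificate /etc/letsencrypt/live/xmpl.com/cert.pem;
    ssl_certificate_key /etc/letsencrypt/live/xmpl.com/privkey.pem;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_stapling on;
}
EOF
    cat > "$1/good.conf" <<'EOF'
server {
    listen 443 ssl http2;
    ssl_certificate /etc/letsencrypt/live/xmpl.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/xmpl.com/privkey.pem;
    ssl_session_tickets off;
    ssl_dhparam /etc/letsencrypt/dhparams_4096.pem;
    ssl_protocols TLSv1.2;
    ssl_stapling on;
    ssl_stapling_verify on;
}
EOF
}
```

Run it against a real file with `audit_ssl_conf /etc/nginx/sites-enabled/yourdomain.com.conf; echo "findings: $?"` after sourcing the script.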