Lets encrypt.org setup guide with nginx and ubuntu - the manual guide: how to get a free SSL certificate
Letsencrypt.org is one of a few companies promoting internet encryption - by offering free trusted SSL certificates.
On this page we will run through the commands you can use to setup a free SSL cert on NGINX, and Ubuntu.
Prerequisites: ssh, root access, linux (in this case, ubuntu), git.
1: Clone the letsencrypt repository from github:
sudo git clone https://github.com/letsencrypt/letsencrypt /opt/letsencrypt2. Change directory:
cd /opt/letsencrypt3. Generate the certificate.
Note for this step to work, your A record for your domain must be pointing to the server, and the webroot must be already configured.
Replace example.com, and your --webroot-path directory:
./letsencrypt-auto certonly -a webroot --webroot-path=/home/user/www -d example.com -d www.example.com4. Your certificate will be at the following path:
/etc/letsencrypt/live/example.com/fullchain.pem.... If we list these files (ls /etc/letsencrypt/live/example.com/:
lrwxrwxrwx 1 root root 36 May 5 02:53 cert.pem -> ../../archive/example.com/cert1.pem
lrwxrwxrwx 1 root root 37 May 5 02:53 chain.pem -> ../../archive/example.com/chain1.pem
lrwxrwxrwx 1 root root 41 May 5 02:53 fullchain.pem -> ../../archive/example.com/fullchain1.pem
lrwxrwxrwx 1 root root 39 May 5 02:53 privkey.pem -> ../../archive/example.com/privkey1.pem5. Add the above to your nginx configuration (assuming you already have a server block with ssl setup, add the following lines)
server {
...
ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
...6. While we are on the topic, here is how to make your NGINX SSL connection more secure:
First, run the following.
sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048Then, add the following to above server block:
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_dhparam /etc/ssl/certs/dhparam.pem;
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:50m;
ssl_stapling on;
ssl_stapling_verify on;
add_header Strict-Transport-Security max-age=15768000;Don’t forget to restart nginx once you finish!
sudo service nginx restartYou should now be able to visit your website at https://example.com, without any browser warnings and a high level of security.
Support
- GigaHosta LLC
- Terms
- Sitemap
- Affiliates
- Tools