Lets encrypt.org setup guide on nginx and ubuntu (free SSL certificates)

Letsencrypt.org is one of a few companies promoting internet encryption - by offering free trusted SSL certificates. 


I’ll run through the commands I used to setup a free SSL cert on NGINX, and Ubuntu.

Prerequirements: ssh, root access, linux (in this case, ubuntu). If you are running a shared cPanel server or similar, it is better to run the following commands on your local machine (or get someone to do it for you)...

1.

sudo git clone https://github.com/letsencrypt/letsencrypt /opt/letsencrypt

2.

cd /opt/letsencrypt

3.

 ./letsencrypt-auto certonly -a webroot --webroot-path=/home/user/www -d yourdomain.com -d www.yourdomain.com

Replace yourdomain.com, and your root web directory.

4.

Your certificate will be here:

/etc/letsencrypt/live/yourdomain.com/fullchain.pem.

Listing files…

 

lrwxrwxrwx 1 root root 36 May  5 02:53 cert.pem -> ../../archive/yourdomain.com/cert1.pem
lrwxrwxrwx 1 root root 37 May  5 02:53 chain.pem -> ../../archive/yourdomain.com/chain1.pem
lrwxrwxrwx 1 root root 41 May  5 02:53 fullchain.pem -> ../../archive/yourdomain.com/fullchain1.pem
lrwxrwxrwx 1 root root 39 May  5 02:53 privkey.pem -> ../../archive/yourdomain.com/privkey1.pem

5.

Add the above to your nginx configuration (assuming you already have a server block with ssl setup, add the following lines)

server {
...
        ssl_certificate /etc/letsencrypt/live/yourdomain.com/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/yourdomain.com/privkey.pem;

While we are on the topic, here is how to make your NGINX SSL connection more secure:

1.

sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048

2. Add the following to above server block

  ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_prefer_server_ciphers on;
        ssl_dhparam /etc/ssl/certs/dhparam.pem;
        ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
        ssl_session_timeout 1d;
        ssl_session_cache shared:SSL:50m;
        ssl_stapling on;
        ssl_stapling_verify on;
        add_header Strict-Transport-Security max-age=15768000;

Don’t forget to restart nginx once you finish!

sudo service nginx restart
  • 5 Users Found This Useful
Was this answer helpful?

Related Articles

How can I install an SSL certificate via cPanel?

After you have purchase or generate an SSL certificate, you will need to install it.Please log...