Tuesday, April 5, 2016

How to Install FREE SSL Certificate from Let's Encrypt using Nginx

Yes! Finally FREE SSL Certificate issued by a trusted issuer!

Too good to be true? That is exactly what I thought at first also. But I decided to try it and was pleasantly surprised. Yes, it works! Plus it is faster and easier than buying and installing a paid version.

What is Let's Encrypt?

Let's Encrypt is an open source project created specifically to disrupt or solve the SSL certificate issue. I have always wondered why we always have to pay for a freaking certificate (especially just for domain validation) while we do most of the work validating our own control / ownership of the domain?!?  Sure, $10 / year does not break the bank, but it is still a good for lunch money :-)

How does Let's Encrypt work?

Let's Encrypt comes with a command line script called 'letsencrypt-auto'. I believe it was scripted using Python.  You just simply execute that script with all the parameters to request, generate and install the certificates in your server.

When execute 'letsencrypt-auto' script, it makes a request to Let's Encrypt server which will attempt to verify your domain by making a request at 'each' domain name you request certificate for (this is how it verify you are in control of your domain). So you need to have a working web server capable of serving http / https such as Apache / Nginx.

Here is an example command:

./letsencrypt-auto certonly --webroot -w /usr/share/www -d domain.com -d www.domain.com

The above command will tell Let's Encrypt server to check for

http://domain.com/.well-known/acme-challenge/{some mambo jumbo long file name}

http://www.domain.com/.well-known/acme-challenge/{some mambo jumbo long file name}

The {some mambo jumbo long file name} will contain some secret data, which Let's Encrypt has placed there before requesting the remote check. If the secret information matches... then your request will be considered valid and it will generate your certificate and place them in the following directory:

cd /etc/letsencrypt/live/domain.com/

 which will contain the following files:

cert.pem  chain.pem  fullchain.pem  privkey.pem


Generate Strong Diffie-Hellman 2048-bit Group

For extra security I also recommend for you to generate Strong Diffie-Hellman Group bit group

openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048


Use the SSL Certificate in Nginx

I use usually use two Nginx virtual host configuration files:  'default' and 'default-ssl'

default is usually for port 80 HTTP protocol
default-ssl is usually for port 443 HTTPS protocol


In this example, I will show you how to serve 100% SSL (HTTPS only) for your entire website which is recommended by Google.

Edit your 'default' configuration:

nano /etc/nginx/sites-available/default

Here is the entire content of my 'default' configuration file:

server {
listen   80 default; ## listen for ipv4; this line is default and implied
listen   [::]:80 default ipv6only=on; ## listen for ipv6

root /usr/share/www;

server_name www.domain.com domain.com;

return 301 https://$host$request_uri;
}

Edit your 'default-ssl' configuration:

nano /etc/nginx/sites-available/default-ssl

Here is the entire content of my 'default-ssl' configuration file:

# HTTPS server
#
server {
listen 443 default;
server_name www.domain.com domain.com;

root /usr/share/www;
index index.php index.html index.htm;

ssl on;
ssl_certificate /etc/letsencrypt/live/domain.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/domain.com/privkey.pem;

ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_dhparam /etc/ssl/certs/dhparam.pem;
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:50m;
    ssl_stapling on;
    ssl_stapling_verify on;
    add_header Strict-Transport-Security max-age=15768000;


{ ...  more configuration here ... }

}


Restart and Test

Restart Nginx using this command:

service nginx restart


Go to your favorite browser and you should see this:



How to Renew / Automatically Renew

To renew manually just re-execute the same command when you generate the SSL certificate the first time. Which will prompt you with a chose to regenerate or renew like this:


To renew just select #2 and select 'OK', then restart Nginx web server.

Enjoy FREE SSL from Let's Encrypt

I know I will, I hope this helps somebody.

A BIG Thank You! to Let's Encrypt organization :-)))




Posted by at No comments:
Subscribe to: Posts (Atom)