How To Setup LetsEncrypt SSL Certificates For nginx On Ubuntu 14.04

A simple walkthrough to set up LetsEncrypt on a fresh Ubuntu 14.04 server running nginx.

Part-1: Basic Server Setup

We are assuming that this is a brand new server. So some basic housekeeping:

Update Server

sudo apt-get update
sudo apt-get install -y htop vim

Add User Ubuntu

adduser ubuntu
# Enter the password you want to use for the user ubuntu. You will also be asked for additional details such as name and address; fill in what is relevant and leave the rest blank.
usermod -aG sudo ubuntu

Grant sudo privileges to user ubuntu

sudo visudo
#then add the following line:
ubuntu ALL=(ALL) NOPASSWD:ALL

Switch to the new user ubuntu:

sudo su - ubuntu

Install Nginx server (basic)

sudo apt-get install -y nginx

Part-2: Setting up LetsEncrypt

2.1 Initial setup

We will use a tool called certbot to issue letsencrypt certificates for us.

Install certbot:

sudo add-apt-repository ppa:certbot/certbot
sudo apt-get update
sudo apt-get install -y certbot

Add the following lines to the server block of your nginx config, which is probably at one of the following (or a similar) locations:

/etc/nginx/sites-enabled/domain.conf
/etc/nginx/conf.d/default
/etc/nginx-sp/nginx.conf.default
/etc/nginx-sp/vhosts.d/domain.conf

location ~ /.well-known {
allow all;
}

Restart nginx (whichever of the following commands matches your install):

sudo service nginx restart
sudo service nginx-sp restart

# Issue certificates. You will need to provide a contact email address when running the following command; replace the placeholders with your webroot and domains.

sudo certbot certonly --webroot --webroot-path=<filepath of website files/content> -d <domain.com> -d <subdomain.domain.com>

# Generate a strong DH group

sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048

Now the nginx config needs to be updated again to listen on port 443 and use the certificates we just generated.

Comment out the lines that look like the following:

listen 80 default_server;
listen [::]:80 default_server;

And add the following:

# SSL Configuration 
listen 443 ssl;
server_name <domain.com> <subdomain.domain.com>;
ssl_certificate /etc/letsencrypt/live/<domain.com>/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/<domain.com>/privkey.pem;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_dhparam /etc/ssl/certs/dhparam.pem;
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:50m;
ssl_stapling on;
ssl_stapling_verify on;
add_header Strict-Transport-Security max-age=15768000;

Add the following block to redirect all http traffic to https:

server {
listen 80;
server_name <domain.com> <subdomain.domain.com>;
return 301 https://$host$request_uri;
}

Restart the nginx server for the changes to take effect.

2.2 Set up auto renew

LetsEncrypt certificates need to be renewed every 90 days, so we need to make the following changes.

Make sure you are logged in as root:

sudo su - root

Then open the crontab:

crontab -e

Add the following line, save, and exit:

15 3 * * * /usr/bin/certbot renew --quiet --renew-hook "/usr/sbin/service nginx reload"

The above cron entry runs certbot renew every day at 03:15; certbot checks whether the certificate is due for renewal, renews it if so, and the renew hook then reloads nginx so the new certificate is served.
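As an added check that is not part of the original walkthrough, the following POSIX shell script ties the certificate step in 2.1 and the renewal job in 2.2 together: it reads the expiry date from the issued fullchain.pem, reports the days left using the 30-day threshold that certbot renew applies by default, and confirms that the port-80 server block really answers with a 301 to https://. It assumes GNU coreutils date, openssl and curl are installed and uses the guide's <domain.com> placeholder path under /etc/letsencrypt/live; the domain argument and script name are my own.

```shell
#!/bin/sh
# Added post-deployment check for the setup above (not from the original
# walkthrough). Assumes GNU date, openssl and curl are installed.

# days_left "notAfter value": whole days from now until the given expiry
# date, e.g. "Mar  1 12:00:00 2030 GMT" as printed by openssl x509 -enddate.
days_left() {
    expiry_epoch=$(date -d "$1" +%s) || return 1
    now_epoch=$(date +%s)
    echo $(( (expiry_epoch - now_epoch) / 86400 ))
}

# cert_days_left /path/to/fullchain.pem: read notAfter from a PEM file
cert_days_left() {
    notafter=$(openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//') || return 1
    days_left "$notafter"
}

# due_for_renewal DAYS: "certbot renew" (used by the cron line above) only
# renews certificates with fewer than 30 days left by default, so mirror that.
due_for_renewal() {
    [ "$1" -lt 30 ]
}

# redirect_ok http://host/path: true when the plain-HTTP server block answers
# with a 301 whose Location header points at https://. Needs network access.
redirect_ok() {
    headers=$(curl -sI --max-time 10 "$1") || return 1
    printf '%s\n' "$headers" | head -n 1 | grep -q ' 301' &&
        printf '%s\n' "$headers" | grep -qi '^location: https://'
}

# Usage: sh check_tls.sh <domain.com>   (domain placeholder as in the guide)
if [ "$#" -eq 1 ]; then
    domain=$1
    days=$(cert_days_left "/etc/letsencrypt/live/$domain/fullchain.pem") || exit 1
    echo "$domain: certificate expires in $days day(s)"
    if due_for_renewal "$days"; then
        echo "renewal is due: run 'sudo certbot renew' or wait for the cron job"
    fi
    if redirect_ok "http://$domain/"; then
        echo "http://$domain/ redirects to https"
    else
        echo "warning: http://$domain/ does not redirect to https" >&2
    fi
fi
```

Run it as the ubuntu user with sudo (the live/ directory is root-only) right after the first certbot run, and again after the first scheduled renewal to confirm the cron job and the reload hook actually did their work.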
