How to Install Let’sEncrypt to work with Nginx HTTPS on Ubuntu Server

By | March 20, 2016

Let’s Encrypt is a free, automated, and open certificate authority (CA), run for the public’s benefit. Let’s Encrypt is a service provided by the Internet Security Research Group (ISRG).

The key principles behind Let’s Encrypt are:

◾ Free: Anyone who owns a domain name can use Let’s Encrypt to obtain a trusted certificate at zero cost.
◾ Automatic: Software running on a web server can interact with Let’s Encrypt to painlessly obtain a certificate, securely configure it for use, and automatically take care of renewal.
◾ Secure: Let’s Encrypt will serve as a platform for advancing TLS security best practices, both on the CA side and by helping site operators properly secure their servers.
◾ Transparent: All certificates issued or revoked will be publicly recorded and available for anyone to inspect.
◾ Open: The automatic issuance and renewal protocol will be published as an open standard that others can adopt.
◾ Cooperative: Much like the underlying Internet protocols themselves, Let’s Encrypt is a joint effort to benefit the community, beyond the control of any one organization.

To benefit fully from this guide I recommend that you learn by practice. Choose Your VPS Plan here at DigitalOcean, or HostGator has quality virtual private server (VPS) server packages. Sign Up for VPS HERE Now!

The New HostGator VPS Is Stronger Than Ever!

A HostGator VPS is completely customizable and can be upgraded any time as your site grows. Full root access allows you total control, as well as the ability to install advanced software and completely customize your hosting environment. It truly is dedicated functionality without the expense.

Download and install git to your system.

root@gs01:~# apt-get install git

Download, Clone and Install Let’s Encrypt

root@gs01:~#sudo git clone https://github.com/letsencrypt/letsencrypt /opt/letsencrypt

Change directory

root@gs01:~# cd /opt/letsencrypt
root@gs01:/opt/letsencrypt#

Create an SSL Certificate
Let’s Encrypt automatically performs Domain Validation (DV) using a series of challenges. The Certificate Authority (CA) uses challenges to verify the authenticity of your computer’s domain. Once your server is validated, the CA will issue SSL certificates to you.

Run Let’s Encrypt with the –standalone parameter. For each additional domain name requiring a certificate, add -d example.com to the end of the command.

To obtain a cert I used the Webroot plugin to request an SSL certificate with these commands.

root@gs01:/opt/letsencrypt#./letsencrypt-auto certonly -a webroot --webroot-path=/var/www/YourFolder/public_html -d magwinya.co.za -d www.magwinya.co.za

Specify an administrative email address. This will allow you to regain control of a lost certificate and receive urgent security notices if necessary. Press TAB followed by ENTER or RETURN to save.

Agree to the Terms of Service.

IMPORTANT NOTES:
 - If you lose your account credentials, you can recover through
   e-mails sent to youremail@yourdoamin.whatever.
 - Congratulations! Your certificate and chain have been saved at
   /etc/letsencrypt/live/magwinya.co.za/fullchain.pem. Your cert will
   expire on 2016-06-18. To obtain a new version of the certificate in
   the future, simply run Let's Encrypt again.
 - Your account credentials have been saved in your Let's Encrypt
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Let's
   Encrypt so making regular backups of this folder is ideal.
 - If you like Let's Encrypt, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

Configure Your Nginx Server Block to look as follows:

root@gs01:~# cat /etc/nginx/sites-available/magwinya.co.za
# You may add here your
# server {
#       ...
# }
# statements for each of your virtual hosts to this file

##
# You should look at the following URL's in order to grasp a solid understanding
# of Nginx configuration files in order to fully unleash the power of Nginx.
# http://wiki.nginx.org/Pitfalls
# http://wiki.nginx.org/QuickStart
# http://wiki.nginx.org/Configuration
#
# Generally, you will want to move this file somewhere, and start with a clean
# file but keep this around for reference. Or just disable in sites-enabled.
#
# Please see /usr/share/doc/nginx-doc/examples/ for more detailed examples.
##

# Server Block Configuration for magwinya.co.za
server {
        listen 8080;
#       listen [::]:81 default_server ipv6only=on;

        root /var/www/YourFolder/public_html;
        index index.php index.html index.htm;

        location ^~ /.well-known/ {
        allow all;
        }

        ssl on;
        #listen [::]:443 ipv6only=on;
        listen 443;
        # Make site accessible from http://localhost/
        server_name magwinya.co.za www.magwinya.co.za;
        # rewrite     ^   https://my.magwinya.co.za$request_uri? permanent;

        ssl_certificate /etc/letsencrypt/live/magwinya.co.za/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/magwinya.co.za/privkey.pem;
        ssl_stapling on;
        ssl_stapling_verify on;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
        ssl_dhparam /etc/ssl/certs/dhparam.pem;
        ssl_prefer_server_ciphers on;
        ssl_session_cache shared:SSL:10m;

        # force https-redirects
        if ($scheme = http) {
        return 301 https://www.magwinya.co.za$request_uri;
        }


        location / {
                # First attempt to serve request as file, then
                # as directory, then fall back to displaying a 404.
                try_files $uri $uri/ /index.php?q=$uri&$args;
                # Uncomment to enable naxsi on this location
                # include /etc/nginx/naxsi.rules
        }

        location /doc/ {
                alias /usr/share/doc/;
                autoindex on;
                allow 127.0.0.1;
                allow ::1;
                deny all;
        }

        # Only for nginx-naxsi used with nginx-naxsi-ui : process denied requests
        #location /RequestDenied {
        #       proxy_pass http://127.0.0.1:8080;
        #}

        error_page 404 /404.html;

        # redirect server error pages to the static page /50x.html
        #
        error_page 500 502 503 504 /50x.html;
        location = /50x.html {
                root /usr/share/nginx/html;
        }

        # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
        #
        location ~ \.php$ {
        #       fastcgi_split_path_info ^(.+\.php)(/.+)$;
        #       # NOTE: You should have "cgi.fix_pathinfo = 0;" in php.ini
        #
        #       # With php5-cgi alone:
        #       fastcgi_pass 127.0.0.1:9000;
        #       # With php5-fpm:
                fastcgi_pass unix:/var/run/php5-fpm.sock;
                fastcgi_index index.php;
                fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
                include fastcgi_params;
        }

        # deny access to .htaccess files, if Apache's document root
        # concurs with nginx's one
        #
        location ~ /\.ht/ {
                deny all;
        }
}


# another virtual host using mix of IP-, name-, and port-based configuration
#
#server {
#       listen 8000;
#       listen somename:8080;
#       server_name somename alias another.alias;
#       root html;
#       index index.html index.htm;
#
#       location / {
#               try_files $uri $uri/ =404;
#       }
#}


# HTTPS server
#
#server {
#       listen 443;
#       server_name localhost;
#
#       root html;
#       index index.html index.htm;
#
#       ssl on;
#       ssl_certificate cert.pem;
#       ssl_certificate_key cert.key;
#
#       ssl_session_timeout 5m;
#
#       ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
#       ssl_ciphers "HIGH:!aNULL:!MD5 or HIGH:!aNULL:!MD5:!3DES";
#       ssl_prefer_server_ciphers on;
#
#       location / {
#               try_files $uri $uri/ =404;
#       }
#}
root@gs01:~#

Manage the Nginx Process

Now that you have your certificate up and running, we can go over some basic management commands.

To stop and then start the service again, type:

root@gs01:~# service nginx restart
root@gs01:~# nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
root@gs01:~#

Now browse your site and i should be using HTTPS.

Renewing a or Multiple Certificates.

Once you have your certificate setup, you can add a simple shell cron entry to renew the certificate automatically for you:

Change Directory.

root@gs01:~# cd /usr/local/bin

Create a shell script and renew certificates

root@gs01:/usr/local/bin#vi letsencrypt-auto-renew.sh

And then copy and paste this shell script:

#!/bin/bash
#
# Created by Geneva Sibanda 
# For All His eSG NETWORKS - Ubuntu Nginx Web Hosting Servers.
# https://www.esgnet.co.za
#
###########################################
#                                         #
# Execute the Let'sEncrypt-auto renew     #
#                                         #
###########################################
##    all actions and set full path too  ##
web_service='nginx'
cd /opt/letsencrypt
./letsencrypt-auto renew
sudo git pull
# We All Have To Do Something Meaningful In Life.
echo "Reloading $web_service"
/usr/sbin/service $web_service reload
exit 0

Create a new cron job that will execute the letsencrypt-auto renew.

root@gs01:/usr/local/bin#crontab -e 

30 2 * * 1 bash /usr/local/bin/letsencrypt-auto-renew.sh

Save and exit: Now every Monday at 2:30 am, the command will run, check and update your SSL certificate.

Conclusion

That’s it! Your web server is now using a free Let’s Encrypt TLS/SSL certificate to securely serve HTTPS content.

3 thoughts on “How to Install Let’sEncrypt to work with Nginx HTTPS on Ubuntu Server

  1. Pritam

    Really great article. The way you describes the whole thing is really appreciable. Thanks for sharing such an informative article. Looking for same type of great articles in near future. Great Job 🙂

    Reply
  2. Pingback: $10 Credits For VPS Hosting When You Sign Up for DigitalOcean today! - Magwinya Wired

Leave a Reply

Your email address will not be published. Required fields are marked *