Install Let’s Encrypt SSL to create SSL certificates and set up Nginx HTTPS


Introduction

Let’s Encrypt provides free SSL certificates, which saves you money. If your budget is limited, this service is worth trying.

In this article, I'm going to document how to get a free SSL certificate and configure Nginx for HTTPS.

Download Let’s Encrypt SSL

Step 1

Open the terminal, then type sudo apt-get install certbot to install certbot.


Step 2

Create a folder called .well-known in your website's root directory, then create a folder called acme-challenge inside .well-known.

Step 3

In the terminal, type sudo certbot certonly --webroot -w /var/www/html/master/public -d www.a-wei.tw

-w: The path to your website's root directory.
-d: The domain name that serves your website.

Make sure Step 2 has been done, because certbot uses that directory under the website root to verify your domain.

When it succeeds in getting the certificate, it prints a success message and saves a set of files, including fullchain.pem and privkey.pem, in /etc/letsencrypt/live/www.a-wei.tw

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at
   /etc/letsencrypt/live/blog.gtwang.org/fullchain.pem. Your cert will
   expire on 2016-08-13. To obtain a new version of the certificate in
   the future, simply run Certbot again.
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

Step 4

Configure Nginx. The block below is the SSL configuration. If you have not been able to start the server yet, set up the server first.

server {
  # Listen on port 443; the ssl parameter enables TLS on this socket
  listen 443 ssl;

  # IPv6 443
  listen [::]:443 ssl;

  server_name www.a-wei.tw;

  root /var/www/html/master;

  index index.php index.html index.htm;

  # SSL is enabled by the ssl parameter on listen above;
  # the separate "ssl on;" directive is deprecated and rejected by current nginx

  # Set SSL certificate
  ssl_certificate /etc/letsencrypt/live/www.a-wei.tw/fullchain.pem;
  ssl_certificate_key /etc/letsencrypt/live/www.a-wei.tw/privkey.pem;

  # Other SSL options
  ssl_session_timeout 5m;
  # TLSv1 and TLSv1.1 are deprecated (RFC 8996); keep them only if legacy clients need them
  ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # omit SSLv3 because of POODLE (CVE-2014-3566)
  ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
  ssl_prefer_server_ciphers on;
}

Step 5

Reload Nginx once the steps above have succeeded, then test your website.
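A check that can be run over a server block before reloading, as an added example that is not part of the original article: it flags TLS settings that older nginx guides often carry (the deprecated "ssl on;" directive, a port 443 listen without the ssl parameter, TLSv1/TLSv1.1, and legacy cipher names). The SAMPLE block, the example.test domain and the finding codes are constructed for illustration.

```python
# Constructed sample: a server block with settings often left in older guides.
SAMPLE = """
server {
  listen 443;
  listen [::]:443;
  server_name example.test;
  ssl on;
  ssl_certificate /etc/letsencrypt/live/example.test/fullchain.pem;
  ssl_certificate_key /etc/letsencrypt/live/example.test/privkey.pem;
  ssl_protocols TLSv1 TLSv1.1 TLSv1.2;  # SSLv3 already omitted
  ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:DES-CBC3-SHA:!DSS';
}
"""

WEAK_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
# Substrings of OpenSSL cipher names that indicate legacy algorithms.
WEAK_CIPHER_MARKERS = ("DES-CBC", "3DES", "RC4", "MD5", "NULL", "EXP")


def directives(conf):
    """Yield (name, args) for each simple 'name args;' line, ignoring comments."""
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.endswith(";"):
            parts = line[:-1].replace("'", "").replace('"', "").split()
            if parts:
                yield parts[0], parts[1:]


def audit(conf):
    """Return a sorted list of finding codes for one nginx TLS configuration."""
    found = set()
    for name, args in directives(conf):
        if name == "ssl" and args == ["on"]:
            found.add("deprecated-ssl-on")
        elif name == "listen" and "ssl" not in args and any(
                a == "443" or a.endswith(":443") for a in args):
            found.add("listen-443-without-ssl")
        elif name == "ssl_protocols":
            found.update(f"weak-protocol:{p}" for p in args if p in WEAK_PROTOCOLS)
        elif name == "ssl_ciphers":
            for cipher in "".join(args).split(":"):
                # Entries starting with '!' are exclusions, not enabled ciphers.
                if not cipher.startswith("!") and any(
                        m in cipher for m in WEAK_CIPHER_MARKERS):
                    found.add(f"weak-cipher:{cipher}")
    return sorted(found)


if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

The parser only handles one directive per line, which is how the server block in this article is written; it does not follow include files.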

Using crontab to renew SSL certificate automatically

Because a Let’s Encrypt certificate is only valid for three months, you have to renew it.

Step 1

In the terminal, type certbot renew --dry-run. This makes certbot test the renewal of your SSL certificate. If the test succeeds, it prints a success message.

Step 2

Type crontab -e to edit the task list, then add 30 2 * * 0 certbot renew >/dev/null 2>&1 to the crontab. Done.