
Generate and install an SSL certificate with Let’s Encrypt on nginx

As you might have heard, the Let’s Encrypt organisation has released its public beta. However, this early version does not yet support the nginx plugin. Still, it works perfectly with a small workaround. In this article, I will explain how to install Let’s Encrypt, generate a certificate for multiple domains and apply it in the nginx configuration.

Let’s Encrypt installation

In order to install Let’s Encrypt, you need to have git installed.

user@webserver:~$ git clone https://github.com/letsencrypt/letsencrypt
user@webserver:~$ cd letsencrypt
user@webserver:~/letsencrypt$ ./letsencrypt-auto --help

Generate certificates

In the following command, replace the email address and the domains with your own (one -d flag per domain the certificate should cover). You will also notice that you have to shut down your nginx server during certificate generation, because the standalone authenticator needs to bind to the web port itself. We also increase the RSA key size to 4096 bits, since the default of 2048 bits is considered weak.

Note that you might be prompted to accept the license agreement when you run the command for the first time.

user@webserver:~/letsencrypt$ sudo service nginx stop
user@webserver:~/letsencrypt$ ./letsencrypt-auto certonly --standalone --email my-address@provider.com -d www.pandawan-technology.com -d blog.pandawan-technology.com --rsa-key-size 4096
user@webserver:~/letsencrypt$ sudo service nginx start

In the output, the certificate path should be displayed. If not, have a look at the /etc/letsencrypt/live/ directory.

Generate Diffie-Hellman parameters

To ensure a strong connection, we need to generate DH parameters as follows. Note that this task takes a while (10-20 minutes).

user@webserver:~$ openssl dhparam -out /etc/ssl/private/dhparams_4096.pem 4096

Activate SSL certificate in nginx

The final step is probably the hardest one, but it remains pretty easy! Before proceeding, you should ask yourself a question. Would you rather:

  1. allow HTTP and HTTPS traffic?
  2. allow only HTTPS traffic?

In the first case, duplicate your vhost configuration and add the modifications below to the new copy. In the second case, you only have to change port 80 to 443 and add the following lines.

Note: don’t forget to replace the certificate and certificate key paths with the correct ones.

    ssl on;
    # Certificate chain and private key written by letsencrypt-auto (see /etc/letsencrypt/live/)
    ssl_certificate /etc/letsencrypt/live/www.pandawan-technology.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/www.pandawan-technology.com/privkey.pem;
    # Diffie-Hellman parameters generated in the previous step
    ssl_dhparam /etc/ssl/private/dhparams_4096.pem;
    # OpenSSL cipher string: preferred suites first, '!' entries are excluded
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
    # Let the server, not the client, pick the suite from the list above
    ssl_prefer_server_ciphers on;
    # Protocol versions offered to clients
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

The only steps remaining are configuration validation …

user@webserver:~/letsencrypt$ sudo service nginx configtest

… and restarting nginx if everything is fine.

user@webserver:~/letsencrypt$ sudo service nginx restart

And voilà! You have an up-and-running secured web server in a couple of minutes!

To check that everything is working properly, run the SSL Labs testing tool against your site; you should get an A grade.
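As an added example that is not part of the original post, here is a small Python lint that parses the ssl_* directives of an nginx snippet like the one above and reports settings that no longer meet current hardening expectations (deprecated protocol versions, legacy cipher suites, the deprecated ssl directive, missing files). SAMPLE_SNIPPET is a constructed copy of the article's block with the cipher list shortened; HARDENED_SNIPPET is a constructed alternative that passes every check.

```python
import re

# Constructed sample input: the ssl_* lines of the article's snippet, cipher list shortened.
SAMPLE_SNIPPET = """
    ssl on;
    ssl_certificate /etc/letsencrypt/live/www.pandawan-technology.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/www.pandawan-technology.com/privkey.pem;
    ssl_dhparam /etc/ssl/private/dhparams_4096.pem;
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5';
    ssl_prefer_server_ciphers on;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
"""

# Constructed hardened variant: listen-level ssl, TLS 1.2+ only, AEAD suites only.
HARDENED_SNIPPET = """
    listen 443 ssl;
    ssl_certificate /etc/letsencrypt/live/www.pandawan-technology.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/www.pandawan-technology.com/privkey.pem;
    ssl_dhparam /etc/ssl/private/dhparams_4096.pem;
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:!aNULL:!eNULL:!MD5';
    ssl_prefer_server_ciphers on;
    ssl_protocols TLSv1.2 TLSv1.3;
"""

DIRECTIVE_RE = re.compile(r"^\s*(ssl\w*)\s+(.*?);\s*$", re.MULTILINE)
DEPRECATED_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
LEGACY_SUITE_MARKERS = ("DES-CBC3", "RC4", "MD5", "NULL", "EXP-")  # 3DES, RC4, MD5, ...

def audit_ssl_config(text):
    """Return a list of findings; an empty list means the snippet passes every check."""
    d = {name: value.strip("'\"") for name, value in DIRECTIVE_RE.findall(text)}
    findings = []
    if d.get("ssl") == "on":  # the 'ssl' directive is deprecated since nginx 1.15.0
        findings.append("'ssl on' is deprecated; use 'listen 443 ssl' instead")
    for required in ("ssl_certificate", "ssl_certificate_key", "ssl_dhparam"):
        if required not in d:
            findings.append(f"missing {required}")
    if d.get("ssl_prefer_server_ciphers", "off") != "on":
        findings.append("ssl_prefer_server_ciphers is not 'on'")
    for proto in sorted(set(d.get("ssl_protocols", "").split()) & DEPRECATED_PROTOCOLS):
        findings.append(f"deprecated protocol enabled: {proto}")
    # Only positively listed entries enable suites; '!...' entries are exclusions.
    # Note that '!DES' excludes single DES only, so DES-CBC3-SHA (3DES) stays enabled.
    for suite in d.get("ssl_ciphers", "").split(":"):
        if not suite.startswith("!") and any(m in suite for m in LEGACY_SUITE_MARKERS):
            findings.append(f"legacy cipher suite enabled: {suite}")
    return findings
```

Run audit_ssl_config() over the ssl lines of your own vhost before the configtest step; the article's snippet yields four findings, the hardened variant none.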
