As you might have heard, the Let’s Encrypt organisation has released its public beta. However, this early version does not yet support the nginx plugin. Still, it works perfectly with a little workaround. In this article, I will explain how to install Let’s Encrypt, generate a certificate for multiple domains and apply it in the nginx configuration.
Let’s Encrypt installation
In order to install Let’s Encrypt, you need to have git installed.
user@webserver:~$ git clone https://github.com/letsencrypt/letsencrypt
user@webserver:~$ cd letsencrypt
user@webserver:~/letsencrypt$ ./letsencrypt-auto --help
In the following command, you will have to replace the email address and the domains with your own (the certificate will cover every domain given with -d). You will also notice that you have to shut down your nginx server during the certificate generation, because the standalone authenticator binds the web port itself. Also, we increase the RSA key size to 4096 bits since 2048 bits, the default value, is considered weak.
Note that you might be prompted to accept the license user agreements if you run the command for the first time.
user@webserver:~/letsencrypt$ sudo service nginx stop
user@webserver:~/letsencrypt$ ./letsencrypt-auto certonly --standalone --email email@example.com -d www.pandawan-technology.com -d blog.pandawan-technology.com --rsa-key-size 4096
user@webserver:~/letsencrypt$ sudo service nginx start
In the output, the certificate path should be displayed. If not, you should have a look at the
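The three commands above leave nginx stopped if letsencrypt-auto fails half-way, so the site stays down until someone notices. The following script, an added example that is not part of the original article, runs the same standalone issuance but always starts nginx again and returns letsencrypt-auto's exit status. The NGINX_STOP, NGINX_START and LETSENCRYPT variables are assumed overrides that exist only in this script; their defaults are the commands used above.

```shell
#!/bin/sh
# Added example, not from the original article: standalone issuance wrapped so
# that nginx is started again even when letsencrypt-auto fails.
# NGINX_STOP, NGINX_START and LETSENCRYPT are overrides assumed for this script
# only; their defaults are the article's commands.

# Run a command while nginx is stopped. nginx is restarted afterwards regardless
# of the command's outcome, and the command's exit status is returned.
run_with_nginx_stopped() {
    ${NGINX_STOP:-sudo service nginx stop} || return 1
    "$@"
    rc=$?
    ${NGINX_START:-sudo service nginx start}
    return "$rc"
}

# Build the letsencrypt-auto argument list: $1 = email, remaining args = domains,
# each domain becoming its own -d flag, with the 4096-bit key size from the article.
le_args() {
    email=$1; shift
    args="certonly --standalone --rsa-key-size 4096 --email $email"
    for d in "$@"; do
        args="$args -d $d"
    done
    echo "$args"
}

# Issue one certificate covering all the given domains.
issue_cert() {
    run_with_nginx_stopped ${LETSENCRYPT:-./letsencrypt-auto} $(le_args "$@")
}

# Example call with the article's placeholder address and domains:
# issue_cert email@example.com www.pandawan-technology.com blog.pandawan-technology.com
```

Because the exit status of letsencrypt-auto is passed through, the caller can still tell that issuance failed (and, for instance, refuse to reload the nginx configuration) while the site keeps serving the previous certificate.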
Generate Diffie-Hellman parameters
In order to ensure a strong connection, we need to generate DH parameters as follows. Note that this task is pretty long — 10-20 minutes.
user@webserver:~$ openssl dhparam -out /etc/ssl/private/dhparams_4096.pem 4096
Activate SSL certificate in nginx
The final step is probably the hardest one, but remains pretty easy though! Before proceeding, you should ask yourself a question. Would you rather:
- allow HTTP and HTTPS traffic?
- allow only HTTPS traffic?
In the first case, duplicate your vhost configuration, change the listen port from 80 to 443 in the copy and add the lines below to it. In the second case, edit the existing vhost: change port 80 to 443 and add the following lines.
Note: don’t forget to replace the certificate and certificate key paths with the correct ones.
ssl on;
ssl_certificate /etc/letsencrypt/live/www.pandawan-technology.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/www.pandawan-technology.com/privkey.pem;
ssl_dhparam /etc/ssl/private/dhparams_4096.pem;
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
ssl_prefer_server_ciphers on;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
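Since the certificate and key paths are the part most often copied wrong, and since nginx's configtest does not check file permissions or protocol choices, the following pre-flight check is useful before the restart. It is an added example, not part of the original article or of nginx: it reads a vhost file, extracts the ssl_certificate, ssl_certificate_key and ssl_dhparam paths, and fails if a referenced file is missing, if the private key is readable by "other", if ssl_protocols enables SSLv2/SSLv3, or if ssl_prefer_server_ciphers is not on. The nginx_directive and check_tls_conf names are this example's own.

```shell
#!/bin/sh
# Added example, not from the original article: a pre-flight check of the TLS
# directives shown above, to run before "service nginx configtest".
# Usage: check_tls_conf /etc/nginx/sites-enabled/www  (assumed vhost path)

# Print the argument of the first occurrence of directive $2 in config file $1
# (without the trailing ';'). Works whether directives are one per line or run
# together on a single line, because the file is split on ';' first.
nginx_directive() {
    tr ';' '\n' < "$1" \
      | sed -n "s/^[[:space:]]*$2[[:space:]]\{1,\}\(.*\)$/\1/p" \
      | sed 's/[[:space:]]*$//' \
      | head -n 1
}

# Return 0 when every check passes, 1 otherwise; each problem is printed.
check_tls_conf() {
    conf=$1
    status=0
    for d in ssl_certificate ssl_certificate_key ssl_dhparam; do
        f=$(nginx_directive "$conf" "$d")
        if [ -z "$f" ]; then
            echo "MISSING directive: $d"; status=1
        elif [ ! -f "$f" ]; then
            echo "MISSING file for $d: $f"; status=1
        fi
    done
    key=$(nginx_directive "$conf" ssl_certificate_key)
    # Column 8 of 'ls -l' is the "other" read bit: privkey.pem must not be world-readable.
    if [ -f "$key" ] && [ "$(ls -ld "$key" | cut -c8)" = "r" ]; then
        echo "INSECURE: $key is world-readable"; status=1
    fi
    case " $(nginx_directive "$conf" ssl_protocols) " in
        *SSLv2*|*SSLv3*) echo "INSECURE: ssl_protocols enables SSLv2/SSLv3"; status=1 ;;
    esac
    if [ "$(nginx_directive "$conf" ssl_prefer_server_ciphers)" != "on" ]; then
        echo "WARNING: ssl_prefer_server_ciphers is not on"; status=1
    fi
    [ "$status" -eq 0 ] && echo "OK: $conf"
    return "$status"
}
```

A non-zero exit is the signal to stop before restarting nginx: a missing fullchain.pem or privkey.pem makes nginx refuse to start, while a world-readable key or SSLv3 would start fine and only show up later, for instance as a lower grade in the SSL Labs test.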
The only steps remaining are configuration validation …
user@webserver:~/letsencrypt$ sudo service nginx configtest
… and restarting nginx if everything is fine
user@webserver:~/letsencrypt$ sudo service nginx restart
And voilà! You have an up and running secured webserver in a couple of minutes!
To check if everything is working properly, you should get an A grade using SSL Labs testing tool.