Revisions
- 
        cecilemuller renamed this gist Apr 23, 2020 . 1 changed file with 0 additions and 0 deletions.There are no files selected for viewingFile renamed without changes.
- 
        cecilemuller renamed this gist May 14, 2019 . 1 changed file with 3 additions and 1 deletion.There are no files selected for viewingThis file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -70,9 +70,11 @@ Expected results at this stage: Install Certbot for Nginx: sudo apt-get update sudo apt-get install software-properties-common sudo add-apt-repository universe sudo add-apt-repository ppa:certbot/certbot sudo apt-get update sudo apt-get install certbot python-certbot-nginx Setup the certificates & convert Virtual Hosts to HTTPS: 
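Review bot: the install hunk adds `sudo add-apt-repository universe` and `sudo add-apt-repository ppa:certbot/certbot` without saying why a third-party PPA is preferred over the distribution's own `certbot` package; an earlier revision of this gist justified the PPA by noting the APT `letsencrypt` package was much older, and that reasoning (newer client in exchange for trusting the PPA's signing key) should travel with the command so readers can make the same trade-off deliberately.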
- 
        cecilemuller revised this gist Jun 20, 2018 . 1 changed file with 6 additions and 4 deletions.There are no files selected for viewingThis file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -1,5 +1,4 @@ # How to setup Let's Encrypt for Nginx on Ubuntu 18.04 (including IPv6, HTTP/2 and A+ SLL rating) ------------------------------------------------------------------------------- @@ -46,10 +45,12 @@ Note that **only the first domain** has the keywords `default_server` and `ipv6o Replace the default virtual host: sudo rm /etc/nginx/sites-enabled/default sudo ln -s /etc/nginx/sites-available/first.conf /etc/nginx/sites-enabled/first.conf sudo ln -s /etc/nginx/sites-available/second.conf /etc/nginx/sites-enabled/second.conf sudo nginx -t sudo systemctl stop nginx sudo systemctl start nginx Check that Nginx is running: @@ -228,7 +229,8 @@ it should now be rated `A+`, congratulations! 🙂 ## Conclusion You could further improve using content-specific features like `Content Security Policy` and `Subresource Integrity`, and [Brotli compression](https://caniuse.com/#feat=brotli) to replace *gzip*. Online testing tools: - [Mozilla Observatory](https://observatory.mozilla.org/) 
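Review bot: in the `Replace the default virtual host` hunk, `sudo nginx -t` is run but its result is never acted on, so a configuration that fails the test still proceeds to `sudo systemctl stop nginx` and leaves the server down; either chain the commands (`sudo nginx -t && sudo systemctl restart nginx`) or tell the reader to fix the reported error before continuing. A `reload` instead of `stop` followed by `start` would also avoid the window where nothing is listening.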
- 
        cecilemuller revised this gist Jun 16, 2018 . 1 changed file with 1 addition and 1 deletion.There are no files selected for viewingThis file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -1,4 +1,4 @@ # How to setup Let's Encrypt for Nginx on Ubuntu 18.04 (including IPv6, HTTP/2 and A+ SSL rating) ------------------------------------------------------------------------------- 
- 
        cecilemuller revised this gist Jun 16, 2018 . 1 changed file with 1 addition and 2 deletions.There are no files selected for viewingThis file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -150,8 +150,7 @@ You can also [check what certificates exist](https://certbot.eff.org/docs/using. return 404; # managed by Certbot } Certbot didn't add HTTP/2 support when it created the new server blocks, so replace these lines: listen [::]:443 ssl ipv6only=on; listen 443 ssl; 
- 
        cecilemuller revised this gist Jun 16, 2018 . 2 changed files with 246 additions and 228 deletions.There are no files selected for viewingThis file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -1,228 +0,0 @@ This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change 
@@ -0,0 +1,246 @@ # How to setup Let's Encrypt for Nginx on Ubuntu 18.04 (including IPv6, HTTP/2 and A+ SLL rating) ------------------------------------------------------------------------------- ## Virtual hosts Let's say you want to host domains `first.com` and `second.com`. Create folders for their files: mkdir /var/www/first mkdir /var/www/second Create a text file `/etc/nginx/sites-available/first.conf` containing: server { listen 80 default_server; listen [::]:80 default_server ipv6only=on; server_name first.com www.first.com; root /var/www/first; index index.html; location / { try_files $uri $uri/ =404; } } Create a text file `/etc/nginx/sites-available/second.conf` containing: server { listen 80; listen [::]:80; server_name second.com www.second.com; root /var/www/second; index index.html; location / { try_files $uri $uri/ =404; } } Note that **only the first domain** has the keywords `default_server` and `ipv6only=on` in the `listen` lines. Replace the default virtual host: sudo systemctl stop nginx sudo rm /etc/nginx/sites-enabled/default sudo ln -s /etc/nginx/sites-available/first.conf /etc/nginx/sites-enabled/first.conf sudo ln -s /etc/nginx/sites-available/second.conf /etc/nginx/sites-enabled/second.conf sudo systemctl start nginx Check that Nginx is running: sudo systemctl status nginx Expected results at this stage: - `http://first.com` and `http://www.first.com` serve the files from `/var/www/first` - `http://second.com` and `http://www.second.com` serve the files from `/var/www/second` - `https://www.first.com` and `https://www.second.com` don't work yet ------------------------------------------------------------------------------- ## Certbot Install Certbot for Nginx: sudo apt-get update sudo add-apt-repository ppa:certbot/certbot sudo apt-get update sudo apt-get install -y python-certbot-nginx Setup the certificates & convert Virtual Hosts to HTTPS: sudo certbot --nginx It will ask for: - an email address - agreeing to its Terms of Service - 
which domains to use HTTPS for (it detects the list using `server_name` lines in your Nginx config) - whether to redirect HTTP to HTTPS (recommended) or not **You could stop here if all you want is HTTPS** as this already gives you an `A` rating and maintains itself. Test your site with SSL Labs using `https://www.ssllabs.com/ssltest/analyze.html?d=www.YOUR-DOMAIN.com` Expected results at this stage: - `http://first.com` redirects to `https://first.com` - `http://second.com` redirects to `https://second.com` - `http://www.first.com` redirects to `https://www.first.com` - `http://www.second.com` redirects to `https://www.second.com` - `https://first.com` and `https://www.first.com` serve the files from `/var/www/first` - `https://second.com` and `https://www.first.com`serve the files from `/var/www/second` ------------------------------------------------------------------------------- ## Automatic renewal **There is nothing to do**, Certbot installed a cron task to automatically renew certificates about to expire. 
You can [check renewal works](https://certbot.eff.org/docs/using.html#re-creating-and-updating-existing-certificates) using: sudo certbot renew --dry-run You can also [check what certificates exist](https://certbot.eff.org/docs/using.html#managing-certificates) using: sudo certbot certificates ------------------------------------------------------------------------------- ## HTTP/2 `first.conf` should now look something like this, now that Certbot edited it: server { server_name first.com www.first.com; root /var/www/first.com; index index.html; location / { try_files $uri $uri/ =404; } listen [::]:443 ssl ipv6only=on; # managed by Certbot listen 443 ssl; # managed by Certbot ssl_certificate /etc/letsencrypt/live/first.com/fullchain.pem; # managed by Certbot ssl_certificate_key /etc/letsencrypt/live/first.com/privkey.pem; # managed by Certbot include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot } server { if ($host = www.first.com) { return 301 https://$host$request_uri; } # managed by Certbot if ($host = first.com) { return 301 https://$host$request_uri; } # managed by Certbot listen 80 default_server; listen [::]:80 default_server; server_name first.com www.first.com; return 404; # managed by Certbot } Certbot didn't add HTTP/2 support when it created the new server blocks, so replace these lines in `first.conf` and `second.conf`: listen [::]:443 ssl ipv6only=on; listen 443 ssl; by this: listen [::]:443 ssl http2 ipv6only=on; listen 443 ssl http2; gzip off; There is [already an open Github issue](https://github.com/certbot/certbot/issues/3646) requesting Certbot to add `http2` automatically, so hopefully this step can soon be removed. 
------------------------------------------------------------------------------- ## Stronger settings for A+ ### Trusted certificate The HTTPS `server` blocks in `first.conf` and `second.conf` contain these lines, added by Certbot: ssl_certificate /etc/letsencrypt/live/YOUR-DOMAIN/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/YOUR-DOMAIN/privkey.pem; The stronger settings use **OCSP Stapling**, so each virtual host will need a `ssl_trusted_certificate` as well. **Add this line** (using the folder name that Certbot generated for your domain) after the `ssl_certificate_key` line: ssl_trusted_certificate /etc/letsencrypt/live/YOUR-DOMAIN/chain.pem; --- ### SSL Now let's **edit the shared SSL settings** at `/etc/letsencrypt/options-ssl-nginx.conf`. It most likely looks like this initially: ssl_session_cache shared:le_nginx_SSL:1m; ssl_session_timeout 1440m; ssl_protocols TLSv1 TLSv1.1 TLSv1.2; ssl_prefer_server_ciphers on; ssl_ciphers "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS"; If you tested with SSL Labs, you probably noticed that quite a few ciphers were flagged as "weak". 
So **replace the contents of the file** with: ssl_session_cache shared:le_nginx_SSL:1m; ssl_session_timeout 1d; ssl_session_tickets off; ssl_protocols TLSv1.2; ssl_prefer_server_ciphers on; ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH"; ssl_ecdh_curve secp384r1; ssl_stapling on; ssl_stapling_verify on; add_header Strict-Transport-Security "max-age=15768000; includeSubdomains; preload;"; add_header Content-Security-Policy "default-src 'none'; frame-ancestors 'none'; script-src 'self'; img-src 'self'; style-src 'self'; base-uri 'self'; form-action 'self';"; add_header Referrer-Policy "no-referrer, strict-origin-when-cross-origin"; add_header X-Frame-Options SAMEORIGIN; add_header X-Content-Type-Options nosniff; add_header X-XSS-Protection "1; mode=block"; Now **restart Nginx**, and test the domain again with SSL Labs using `https://www.ssllabs.com/ssltest/analyze.html?d=www.YOUR-DOMAIN.com&latest`: it should now be rated `A+`, congratulations! 🙂 ------------------------------------------------------------------------------- ## Conclusion You could further improve using content-specific features like `Content Security Policy` and `Subresource Integrity`. Online testing tools: - [Mozilla Observatory](https://observatory.mozilla.org/) - [SSL Labs](https://www.ssllabs.com/ssltest/) - [Security Headers](https://securityheaders.com) Useful links: - [Subresource Integrity](https://developer.mozilla.org/fr/docs/Web/Security/Subresource_Integrity) - [Content Security Policy](https://developer.mozilla.org/fr/Add-ons/WebExtensions/Content_Security_Policy) - [Mozilla Security Guidelines](https://wiki.mozilla.org/Security/Guidelines/Web_Security) - [Certbot documentation](https://certbot.eff.org/docs/) If **Let's Encrypt is useful to you**, consider [donating to Let's Encrypt](https://letsencrypt.org/donate/) or [donating to the EFF](https://supporters.eff.org/donate/). 
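Review bot: the `Stronger settings for A+` section has the reader replace the whole of `/etc/letsencrypt/options-ssl-nginx.conf`, a file the `first.conf` listing above marks `# managed by Certbot`, and it puts a site-specific `Content-Security-Policy` (`default-src 'none'; ... script-src 'self'`) into that shared file, so every virtual host inherits one policy and a later Certbot run that rewrites its managed file can drop the hardening; suggest moving the `add_header` lines into a snippet the reader owns and including it from each HTTPS `server` block, leaving only the TLS directives in the Certbot file. Smaller points in the same hunk: the HTTP/2 listing uses `root /var/www/first.com;` while the folder created earlier is `/var/www/first`; the `Expected results` list under Certbot reads "`https://second.com` and `https://www.first.com`serve the files from `/var/www/second`", where the second host should be `www.second.com` and a space is missing before `serve`; and `gzip off;` is added next to `http2` with no reason given, so a short note on why compression is disabled would stop readers from re-enabling it.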
- 
        cecilemuller revised this gist Jul 22, 2017 . 1 changed file with 35 additions and 15 deletions.There are no files selected for viewingThis file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -112,11 +112,24 @@ Note: The flag `--no-eff-email` opts out of signing up for the [EFF mailing list Now that you have a certificate for the domain, switch to HTTPS by editing the file `/etc/nginx/sites-available/mydomain.conf` and replacing contents with: ## http://mydomain.com redirects to https://mydomain.com server { listen 80; listen [::]:80; server_name mydomain.com; include /etc/nginx/snippets/letsencrypt.conf; location / { return 301 https://mydomain.com$request_uri; } } ## http://www.mydomain.com redirects to https://www.mydomain.com server { listen 80 default_server; listen [::]:80 default_server ipv6only=on; server_name www.mydomain.com; include /etc/nginx/snippets/letsencrypt.conf; 
@@ -125,45 +138,48 @@ Now that you have a certificate for the domain, switch to HTTPS by editing the f } } ## https://mydomain.com redirects to https://www.mydomain.com server { listen 443 ssl http2; listen [::]:443 ssl http2; server_name mydomain.com; ssl_certificate /etc/letsencrypt/live/www.mydomain.com/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/www.mydomain.com/privkey.pem; ssl_trusted_certificate /etc/letsencrypt/live/www.mydomain.com/fullchain.pem; include /etc/nginx/snippets/ssl.conf; location / { return 301 https://www.mydomain.com$request_uri; } } ## Serves https://www.mydomain.com server { server_name www.mydomain.com; listen 443 ssl http2 default_server; listen [::]:443 ssl http2 default_server ipv6only=on; ssl_certificate /etc/letsencrypt/live/www.mydomain.com/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/www.mydomain.com/privkey.pem; ssl_trusted_certificate /etc/letsencrypt/live/www.mydomain.com/fullchain.pem; include /etc/nginx/snippets/ssl.conf; root /var/www/mydomain; index index.html; location / { try_files $uri $uri/ =404; } } Then reload Nginx: sudo systemctl reload nginx Note that `http://mydomain.com` redirects to `https://mydomain.com` (which redirects to `https://www.mydomain.com`) because redirecting to `https://www.mydomain.com` directly would be incompatible with HSTS. --- 
@@ -205,4 +221,8 @@ You can now also test that your domain has A+ SLL rating: - https://www.ssllabs.com/ssltest/analyze.html?d=mydomain.com - https://www.ssllabs.com/ssltest/analyze.html?d=www.mydomain.com I would also recommend setting up content-specific features like `Content Security Policy` and `Subresource Integrity`: - [Mozilla Observatory](https://observatory.mozilla.org): submit a domain to get content-specific advices - [Mozilla Security Guidelines](https://wiki.mozilla.org/Security/Guidelines/Web_Security) If Let's Encrypt is useful to you, consider [donating to Let's Encrypt](https://letsencrypt.org/donate/) or [donating to the EFF](https://supporters.eff.org/donate/). 
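Review bot: the new HTTPS `server` blocks in the second hunk set `ssl_trusted_certificate /etc/letsencrypt/live/www.mydomain.com/fullchain.pem;` for OCSP stapling, but `fullchain.pem` is the leaf certificate plus intermediates; the CA chain used to verify stapled responses is `chain.pem` in the same directory (the 2018 rewrite of this gist points `ssl_trusted_certificate` at `chain.pem`), so use that here as well.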
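Review bot: in the conclusion hunk, "content-specific advices" should read "content-specific advice".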
- 
        cecilemuller renamed this gist Jun 2, 2017 . 1 changed file with 69 additions and 27 deletions.There are no files selected for viewingThis file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -1,18 +1,20 @@ # How to setup Let's Encrypt for Nginx on Ubuntu 16.04 (including IPv6, HTTP/2 and A+ SLL rating) There are two main modes to run the Let's Encrypt client (called `Certbot`): - [Standalone](https://certbot.eff.org/docs/using.html#standalone): replaces the webserver to respond to ACME challenges - [Webroot](https://certbot.eff.org/docs/using.html#webroot): needs your webserver to serve challenges from a known folder. **Webroot is better** because it doesn't need to replace Nginx (to bind to port 80). In the following, we're setting up `mydomain.com`. HTML is served from `/var/www/mydomain`, and challenges are served from `/var/www/letsencrypt`. ------------------------------------------------------------------------------- ## Nginx snippets First we create two snippets (to avoid duplicating code in every virtual host configuration). Create a file `/etc/nginx/snippets/letsencrypt.conf` containing: @@ -40,12 +42,16 @@ Create a file `/etc/nginx/snippets/ssl.conf` containing: add_header X-Frame-Options DENY; add_header X-Content-Type-Options nosniff; Create the folder for the challenges: sudo mkdir -p /var/www/letsencrypt/.well-known/acme-challenge ------------------------------------------------------------------------------- ## Nginx virtual hosts (HTTP-only) We don't have a certificate yet at this point, so the domain will be served only as HTTP. Create a file `/etc/nginx/sites-available/mydomain.conf` containing: 
@@ -73,38 +79,45 @@ And reload Nginx: sudo systemctl reload nginx ------------------------------------------------------------------------------- ## Certbot Install the package: sudo apt-get install software-properties-common sudo add-apt-repository ppa:certbot/certbot sudo apt-get update sudo apt-get install certbot Note: there is also a `letsencrypt` package in APT, but it's a much older version of the client. ------------------------------------------------------------------------------- ## Get the certificate Request the certificate (don't forget to replace with your own email address): certbot certonly --webroot --agree-tos --no-eff-email --email [email protected] -w /var/www/letsencrypt -d www.domain.com -d domain.com It will save the files in `/etc/letsencrypt/live/www.mydomain.com/`. Note: The flag `--no-eff-email` opts out of signing up for the [EFF mailing list](https://lists.eff.org/cgi-bin/mailman/listinfo), remove the flag if you'd like to signup. ---- ## Nginx virtual hosts (HTTPS-only) Now that you have a certificate for the domain, switch to HTTPS by editing the file `/etc/nginx/sites-available/mydomain.conf` and replacing contents with: ## http://mydomain.com and http://www.mydomain.com redirect to https://www.mydomain.com server { listen 80 default_server; listen [::]:80 default_server ipv6only=on; server_name mydomain.com www.mydomain.com; include /etc/nginx/snippets/letsencrypt.conf; location / { 
@@ -113,24 +126,25 @@ Now that you have a certificate for the domain, switch to HTTPS by editing the f } ## Serves https://www.mydomain.com server { server_name www.mydomain.com; listen 443 ssl http2 default_server; listen [::]:443 ssl http2 default_server ipv6only=on; ssl_certificate /etc/letsencrypt/live/www.mydomain.com/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/www.mydomain.com/privkey.pem; ssl_trusted_certificate /etc/letsencrypt/live/www.mydomain.com/fullchain.pem; include /etc/nginx/snippets/ssl.conf; root /var/www/mydomain; index index.html; location / { try_files $uri $uri/ =404; } } ## https://mydomain.com redirects to https://www.mydomain.com server { listen 443 ssl http2; listen [::]:443 ssl http2; @@ -150,17 +164,45 @@ Then reload Nginx: sudo systemctl reload nginx --- ## Automatic renewal using Cron Certbot can renew all certificates that expire within 30 days, so let's make a cron for it. You can test it has the right config by launching a dry run: certbot renew --dry-run Create a file `/root/letsencrypt.sh`: #!/bin/bash systemctl reload nginx # If you have other services that use the certificates: # systemctl restart mosquitto Make it executable: chmod +x /root/letsencrypt.sh Edit cron: sudo crontab -e And add the line: 20 3 * * * certbot renew --noninteractive --renew-hook /root/letsencrypt.sh ---- ## Conclusion Congratulations, you should now be able to see your website at `https://www.mydomain.com` 🙂 You can now also test that your domain has A+ SLL rating: - https://www.ssllabs.com/ssltest/analyze.html?d=mydomain.com - https://www.ssllabs.com/ssltest/analyze.html?d=www.mydomain.com If Let's Encrypt is useful to you, consider [donating to Let's Encrypt](https://letsencrypt.org/donate/) or [donating to the EFF](https://supporters.eff.org/donate/). 
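Review bot: in the `Get the certificate` hunk the command requests `-d www.domain.com -d domain.com`, but the next sentence says the files land in `/etc/letsencrypt/live/www.mydomain.com/` and every `ssl_certificate` path in the gist uses `www.mydomain.com`; the placeholders should agree, otherwise a reader who copies the command obtains a certificate for a different name and the later configuration paths do not resolve.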
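Review bot: in the `Automatic renewal using Cron` hunk, `/root/letsencrypt.sh` runs `systemctl reload nginx` with no `set -e`, and the cron line `20 3 * * * certbot renew --noninteractive --renew-hook /root/letsencrypt.sh` does nothing with the renew output, so a renewal that keeps failing is only noticed when the certificate expires; suggest adding `set -e` to the hook and redirecting the `certbot renew` output to a log file (or using a `--post-hook` that reports failures) so the operator sees problems in time.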
- 
        cecilemuller revised this gist Aug 10, 2016 . 1 changed file with 1 addition and 1 deletion.There are no files selected for viewingThis file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -163,4 +163,4 @@ You can test now also test that your domain has A+ SLL rating: You can renew using `letsencrypt renew`: when called it will attempt to renew certificates expiring in less than 30 days, so you can put this command in cron to renew automatically. If letsencrypt is useful to you, consider [donating to letsencrypt](https://letsencrypt.org/donate/) or [donating to the EFF](https://supporters.eff.org/donate/). 
- 
        cecilemuller revised this gist May 16, 2016 . 1 changed file with 1 addition and 1 deletion.There are no files selected for viewingThis file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -31,8 +31,8 @@ Create a file `/etc/nginx/snippets/ssl.conf` containing: ssl_protocols TLSv1.2; ssl_ciphers EECDH+AESGCM:EECDH+AES; ssl_ecdh_curve secp384r1; ssl_prefer_server_ciphers on; ssl_stapling on; ssl_stapling_verify on; 
- 
        cecilemuller revised this gist May 16, 2016 . 1 changed file with 6 additions and 12 deletions.There are no files selected for viewingThis file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -28,20 +28,18 @@ Create a file `/etc/nginx/snippets/ssl.conf` containing: ssl_session_cache shared:SSL:50m; ssl_session_tickets off; ssl_protocols TLSv1.2; ssl_ciphers EECDH+AESGCM:EECDH+AES; ssl_ecdh_curve secp384r1; ssl_prefer_server_ciphers on; ssl_stapling on; ssl_stapling_verify on; add_header Strict-Transport-Security "max-age=15768000; includeSubdomains; preload"; add_header X-Frame-Options DENY; add_header X-Content-Type-Options nosniff; ---- @@ -89,10 +87,6 @@ Create a folder for the challenges: sudo mkdir -p /var/www/letsencrypt/.well-known/acme-challenge And finally, get a certificate (don't forget to replace with your own email address): letsencrypt certonly --webroot -w /var/www/letsencrypt -d www.domain.com -d domain.com --email [email protected] --agree-tos 
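Review bot: `ssl_ciphers EECDH+AESGCM:EECDH+AES;` lists the GCM suites first but the second group, `EECDH+AES`, re-admits the CBC-mode AES suites (the `...-AES256-SHA384` and `...-AES128-SHA256` entries of the explicit list this hunk replaces), so the change shortens the list rather than tightening it; if the intent is AEAD-only, drop the second group, and if CBC fallback is wanted, say so in the text.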
- 
        cecilemuller revised this gist May 16, 2016 . 1 changed file with 5 additions and 2 deletions.There are no files selected for viewingThis file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -31,12 +31,15 @@ Create a file `/etc/nginx/snippets/ssl.conf` containing: ssl_dhparam /etc/ssl/private/dhparams_2048.pem; ssl_protocols TLSv1.2; ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256'; ssl_prefer_server_ciphers on; add_header Strict-Transport-Security max-age=15768000; add_header X-Frame-Options DENY; add_header X-Content-Type-Options nosniff; ssl_stapling on; ssl_stapling_verify on; The SSL config is based on Mozilla's [Modern profile](https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=nginx-1.9.5&openssl=1.0.1e&hsts=yes&profile=modern): oldest compatible clients are Firefox 27, Chrome 30, IE 11 on Windows 7, Edge, Opera 17, Safari 9, Android 5.0, and Java 8. 
- 
        cecilemuller revised this gist May 16, 2016 . 1 changed file with 1 addition and 1 deletion.There are no files selected for viewingThis file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -166,4 +166,4 @@ You can test now also test that your domain has A+ SLL rating: You can renew using `letsencrypt renew`: when called it will attempt to renew certificates expiring in less than 30 days, so you can put this command in cron to renew automatically. If letsencrypt is useful to you, consider [donating to letsencrypt](https://letsencrypt.org/donate/). 
- 
        cecilemuller revised this gist May 16, 2016 . 1 changed file with 5 additions and 5 deletions.There are no files selected for viewingThis file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -62,6 +62,11 @@ Create a file `/etc/nginx/sites-available/mydomain.conf` containing: } } Enable the site: rm /etc/nginx/sites-enabled/default ln -s /etc/nginx/sites-available/mydomain.conf /etc/nginx/sites-enabled/mydomain.conf And reload Nginx: sudo systemctl reload nginx @@ -144,11 +149,6 @@ Now that you have a certificate for the domain, switch to HTTPS by editing the f } } Then reload Nginx: sudo systemctl reload nginx 
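Review bot: in the `Enable the site` hunk, `rm /etc/nginx/sites-enabled/default` and the `ln -s` line are written without `sudo` while the neighbouring `sudo systemctl reload nginx` has it; `/etc/nginx` is root-owned, so either prefix both commands with `sudo` or state that this section is run as root.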
- 
        cecilemuller revised this gist May 16, 2016 . 1 changed file with 6 additions and 1 deletion.There are no files selected for viewingThis file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -143,7 +143,12 @@ Now that you have a certificate for the domain, switch to HTTPS by editing the f return 301 https://www.mydomain.com$request_uri; } } Enable the site: rm /etc/nginx/sites-enabled/default ln -s /etc/nginx/sites-available/mydomain.conf /etc/nginx/sites-enabled/mydomain.conf Then reload Nginx: sudo systemctl reload nginx 
- 
        cecilemuller revised this gist May 16, 2016 . 1 changed file with 2 additions and 0 deletions.There are no files selected for viewingThis file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -6,6 +6,8 @@ There are two modes when you don't want Certbot to edit your configuration: **Webroot is better** because it doesn't need to replace Nginx (to bind to port 80) to renew certificates. In the following, we're setting up `mydomain.com` to be served from `/var/www/mydomain`, and challenges will be served from `/var/www/letsencrypt`. ---- ## Nginx snippets 
- 
        cecilemuller revised this gist May 16, 2016 . 1 changed file with 1 addition and 1 deletion.There are no files selected for viewingThis file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -4,7 +4,7 @@ There are two modes when you don't want Certbot to edit your configuration: - [Standalone](https://certbot.eff.org/docs/using.html#standalone): replaces the webserver to respond to ACME challenges - [Webroot](https://certbot.eff.org/docs/using.html#webroot): needs your webserver to serve challenges from a known folder. **Webroot is better** because it doesn't need to replace Nginx (to bind to port 80) to renew certificates. ---- 
- 
        cecilemuller created this gist May 16, 2016 .There are no files selected for viewingThis file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change 
@@ -0,0 +1,162 @@ # How to setup Let's Encrypt for Nginx on Ubuntu 16.04 (including IPv6, HTTP/2 and A+ SLL rating) There are two modes when you don't want Certbot to edit your configuration: - [Standalone](https://certbot.eff.org/docs/using.html#standalone): replaces the webserver to respond to ACME challenges - [Webroot](https://certbot.eff.org/docs/using.html#webroot): needs your webserver to serve challenges from a known folder. **Webroot is better** because it doesn't require stopping Nginx to renew certificates. ---- ## Nginx snippets First we create two snippets to avoid duplicating code in every virtual host configuration. Create a file `/etc/nginx/snippets/letsencrypt.conf` containing: location ^~ /.well-known/acme-challenge/ { default_type "text/plain"; root /var/www/letsencrypt; } Create a file `/etc/nginx/snippets/ssl.conf` containing: ssl_session_timeout 1d; ssl_session_cache shared:SSL:50m; ssl_session_tickets off; ssl_dhparam /etc/ssl/private/dhparams_2048.pem; ssl_protocols TLSv1.2; ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256'; ssl_prefer_server_ciphers on; add_header Strict-Transport-Security max-age=15768000; ssl_stapling on; ssl_stapling_verify on; The SSL config is based on Mozilla's [Modern profile](https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=nginx-1.9.5&openssl=1.0.1e&hsts=yes&profile=modern): oldest compatible clients are Firefox 27, Chrome 30, IE 11 on Windows 7, Edge, Opera 17, Safari 9, Android 5.0, and Java 8. ---- ## Nginx virtual hosts (HTTP-only) We don't have a certificate yet at this point, so the domain is served only as HTTP. 
Create a file `/etc/nginx/sites-available/mydomain.conf` containing: server { listen 80 default_server; listen [::]:80 default_server ipv6only=on; server_name mydomain.com www.mydomain.com; include /etc/nginx/snippets/letsencrypt.conf; root /var/www/mydomain; index index.html; location / { try_files $uri $uri/ =404; } } And reload Nginx: sudo systemctl reload nginx Note the line `include /etc/nginx/snippets/letsencrypt.conf;` that makes Nginx serve challenges for both `http://www.mydomain.com/.well-known/acme-challenge/` and `http://mydomain.com/.well-known/acme-challenge/`. ---- ## Let's Encrypt client Install the client: sudo apt-get install letsencrypt Create a folder for the challenges: sudo mkdir -p /var/www/letsencrypt/.well-known/acme-challenge Generate a Diffie-Hellman parameter for DHE ciphersuites: sudo openssl dhparam -out /etc/ssl/private/dhparams_2048.pem 2048 And finally, get a certificate (don't forget to replace with your own email address): letsencrypt certonly --webroot -w /var/www/letsencrypt -d www.domain.com -d domain.com --email [email protected] --agree-tos It will save the files in `/etc/letsencrypt/live/www.mydomain.com/`. 
---- ## Nginx virtual hosts (HTTPS-only) Now that you have a certificate for the domain, switch to HTTPS by editing the file `/etc/nginx/sites-available/mydomain.conf` and replacing contents with: server { listen 80 default_server; listen [::]:80 default_server ipv6only=on; server_name mydomain.com www.mydomain.com; include /etc/nginx/snippets/letsencrypt.conf; location / { return 301 https://www.mydomain.com$request_uri; } } server { server_name www.mydomain.com; listen 443 ssl http2 default_server; listen [::]:443 ssl http2 default_server ipv6only=on; ssl_certificate /etc/letsencrypt/live/www.mydomain.com/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/www.mydomain.com/privkey.pem; ssl_trusted_certificate /etc/letsencrypt/live/www.mydomain.com/fullchain.pem; include /etc/nginx/snippets/ssl.conf; root /var/www/mydomain.com; index index.html; location / { try_files $uri $uri/ =404; } } server { listen 443 ssl http2; listen [::]:443 ssl http2; server_name mydomain.com; ssl_certificate /etc/letsencrypt/live/www.mydomain.com/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/www.mydomain.com/privkey.pem; ssl_trusted_certificate /etc/letsencrypt/live/www.mydomain.com/fullchain.pem; include /etc/nginx/snippets/ssl.conf; location / { return 301 https://www.mydomain.com$request_uri; } } Then reload Nginx: sudo systemctl reload nginx ---- ## Conclusion You should now be able to see your website at `https://www.mydomain.com`. Congratulations :smiley: You can test now also test that your domain has A+ SLL rating: - https://www.ssllabs.com/ssltest/analyze.html?d=mydomain.com - https://www.ssllabs.com/ssltest/analyze.html?d=www.mydomain.com You can renew using `letsencrypt renew`: when called it will attempt to renew certificates expiring in less than 30 days, so you can put this command in cron to renew automatically. If letsencrypt is useful to you, consider [donating to the EFF](https://supporters.eff.org/donate/).
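Review bot: the HTTPS `server` block for `www.mydomain.com` uses `root /var/www/mydomain.com;` while the HTTP-only block and the introduction serve from `/var/www/mydomain`, so after switching to HTTPS the site would serve from a folder that was never created; the two should match. Also, in the conclusion, "You can test now also test that your domain has A+ SLL rating" repeats `test` and should read "You can now also test that your domain has an A+ SSL rating".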