Created
April 7, 2017 12:49
Revisions
cecilemuller revised this gist
Aug 10, 2016 · 1 changed file with 1 addition and 1 deletion.
@@ -163,4 +163,4 @@ You can test now also test that your domain has A+ SLL rating: You can renew using `letsencrypt renew`: when called it will attempt to renew certificates expiring in less than 30 days, so you can put this command in cron to renew automatically. If letsencrypt is useful to you, consider [donating to letsencrypt](https://letsencrypt.org/donate/) or [donating to the EFF](https://supporters.eff.org/donate/). -
cecilemuller revised this gist
May 16, 2016 · 1 changed file with 1 addition and 1 deletion.
@@ -31,8 +31,8 @@ Create a file `/etc/nginx/snippets/ssl.conf` containing: ssl_protocols TLSv1.2; ssl_ciphers EECDH+AESGCM:EECDH+AES; ssl_ecdh_curve secp384r1; ssl_prefer_server_ciphers on; ssl_stapling on; ssl_stapling_verify on; -
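Review bot: `ssl_ecdh_curve secp384r1;` pins ECDHE key exchange to a single curve, so every client is forced onto P-384 and the faster, more widely preferred P-256 and X25519 are never negotiated; unless P-384 only is deliberate, state that in the text, or use a multi-curve list on nginx versions that accept one. The `EECDH+AES` half of `ssl_ciphers EECDH+AESGCM:EECDH+AES;` also admits the CBC-mode suites alongside the AEAD ones, which is broader than the explicit GCM/CHACHA20 list in the earlier revision; if the goal is AEAD only, `EECDH+AESGCM` on its own (plus the CHACHA20 suites where the OpenSSL build has them) does that.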
cecilemuller revised this gist
May 16, 2016 · 1 changed file with 6 additions and 12 deletions.
@@ -28,20 +28,18 @@ Create a file `/etc/nginx/snippets/ssl.conf` containing: ssl_session_cache shared:SSL:50m; ssl_session_tickets off; ssl_protocols TLSv1.2; ssl_ciphers EECDH+AESGCM:EECDH+AES; ssl_ecdh_curve secp384r1; ssl_prefer_server_ciphers on; ssl_stapling on; ssl_stapling_verify on; add_header Strict-Transport-Security "max-age=15768000; includeSubdomains; preload"; add_header X-Frame-Options DENY; add_header X-Content-Type-Options nosniff; ---- @@ -89,10 +87,6 @@ Create a folder for the challenges: sudo mkdir -p /var/www/letsencrypt/.well-known/acme-challenge And finally, get a certificate (don't forget to replace with your own email address): letsencrypt certonly --webroot -w /var/www/letsencrypt -d www.domain.com -d domain.com --email [email protected] --agree-tos -
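Review bot: adding `includeSubdomains; preload` to the HSTS header is a long-lived commitment that the hunk does not explain: `preload` signals that the domain may be submitted to the browser preload list, which is hard to back out of, and `includeSubdomains` means every subdomain (including ones that only exist on HTTP today) becomes unreachable over plain HTTP once a browser has seen the header. The text should say that this belongs only on a domain where all subdomains already serve valid HTTPS, or the header should stay at `max-age=15768000` as in the previous revision. Dropping the dhparam generation step in the second hunk is consistent with the cipher list now containing only EECDH suites, so nothing depends on `ssl_dhparam` any more. Separately, the `letsencrypt certonly` line still uses `www.domain.com` and `domain.com` while the rest of the guide uses `mydomain.com`; following the command literally yields a certificate under `/etc/letsencrypt/live/www.domain.com/`, not the path the HTTPS vhost references.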
cecilemuller revised this gist
May 16, 2016 · 1 changed file with 5 additions and 2 deletions.
@@ -31,12 +31,15 @@ Create a file `/etc/nginx/snippets/ssl.conf` containing: ssl_dhparam /etc/ssl/private/dhparams_2048.pem; ssl_protocols TLSv1.2; ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256'; ssl_prefer_server_ciphers on; add_header Strict-Transport-Security max-age=15768000; add_header X-Frame-Options DENY; add_header X-Content-Type-Options nosniff; ssl_stapling on; ssl_stapling_verify on; The SSL config is based on Mozilla's [Modern profile](https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=nginx-1.9.5&openssl=1.0.1e&hsts=yes&profile=modern): oldest compatible clients are Firefox 27, Chrome 30, IE 11 on Windows 7, Edge, Opera 17, Safari 9, Android 5.0, and Java 8. -
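Review bot: the three `add_header` lines placed in the snippet are subject to nginx's inheritance rule for `add_header`: a `location` block inherits them only if it defines no `add_header` of its own, so any later `add_header` inside `location /` silently drops Strict-Transport-Security, X-Frame-Options and X-Content-Type-Options for that location with no error at reload. Worth a one-line comment in the snippet or the text so a reader who adds a caching header does not lose HSTS. The unquoted `max-age=15768000` value is fine as written since it contains no spaces.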
cecilemuller revised this gist
May 16, 2016 · 1 changed file with 1 addition and 1 deletion.
@@ -166,4 +166,4 @@ You can test now also test that your domain has A+ SLL rating: You can renew using `letsencrypt renew`: when called it will attempt to renew certificates expiring in less than 30 days, so you can put this command in cron to renew automatically. If letsencrypt is useful to you, consider [donating to letsencrypt](https://letsencrypt.org/donate/). -
cecilemuller revised this gist
May 16, 2016 · 1 changed file with 5 additions and 5 deletions.
@@ -62,6 +62,11 @@ Create a file `/etc/nginx/sites-available/mydomain.conf` containing: } } Enable the site: rm /etc/nginx/sites-enabled/default ln -s /etc/nginx/sites-available/mydomain.conf /etc/nginx/sites-enabled/mydomain.conf And reload Nginx: sudo systemctl reload nginx @@ -144,11 +149,6 @@ Now that you have a certificate for the domain, switch to HTTPS by editing the f } } Then reload Nginx: sudo systemctl reload nginx -
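Review bot: `rm /etc/nginx/sites-enabled/default` and the `ln -s ...` line run without `sudo` while the `systemctl reload nginx` right after them uses it; both modify `/etc/nginx` and fail for an unprivileged user, so either prefix them with `sudo` or say the shell is root. Moving the enable step up to the HTTP-only section is the right ordering, since the HTTP vhost must be live before the webroot challenge in the next section can be answered.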
cecilemuller revised this gist
May 16, 2016 · 1 changed file with 6 additions and 1 deletion.
@@ -143,7 +143,12 @@ Now that you have a certificate for the domain, switch to HTTPS by editing the f return 301 https://www.mydomain.com$request_uri; } } Enable the site: rm /etc/nginx/sites-enabled/default ln -s /etc/nginx/sites-available/mydomain.conf /etc/nginx/sites-enabled/mydomain.conf Then reload Nginx: sudo systemctl reload nginx -
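Review bot: the enable step is inserted after the switch to HTTPS, but with `default` still enabled and `mydomain.conf` not yet linked, the HTTP-only vhost from the earlier section was never actually serving `/.well-known/acme-challenge/`, so `letsencrypt certonly --webroot` cannot succeed before this point; the step belongs right after the first vhost is created. The `rm` and `ln -s` lines also need `sudo` to match the reload command that follows them.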
cecilemuller revised this gist
May 16, 2016 · 1 changed file with 2 additions and 0 deletions.
@@ -6,6 +6,8 @@ There are two modes when you don't want Certbot to edit your configuration: **Webroot is better** because it doesn't need to replace Nginx (to bind to port 80) to renew certificates. In the following, we're setting up `mydomain.com` to be served from `/var/www/mydomain`, and challenges will be served from `/var/www/letsencrypt`. ---- ## Nginx snippets -
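Review bot: the new sentence states the site root as `/var/www/mydomain`, which matches the HTTP-only vhost, but the HTTPS vhost in the original revision uses `root /var/www/mydomain.com;`; one of the two should be changed so the document root does not silently move when the reader switches to HTTPS.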
cecilemuller revised this gist
May 16, 2016 · 1 changed file with 1 addition and 1 deletion.
@@ -4,7 +4,7 @@ There are two modes when you don't want Certbot to edit your configuration: - [Standalone](https://certbot.eff.org/docs/using.html#standalone): replaces the webserver to respond to ACME challenges - [Webroot](https://certbot.eff.org/docs/using.html#webroot): needs your webserver to serve challenges from a known folder. **Webroot is better** because it doesn't need to replace Nginx (to bind to port 80) to renew certificates. ---- -
cecilemuller created this gist
May 16, 2016
@@ -0,0 +1,162 @@ # How to setup Let's Encrypt for Nginx on Ubuntu 16.04 (including IPv6, HTTP/2 and A+ SLL rating) There are two modes when you don't want Certbot to edit your configuration: - [Standalone](https://certbot.eff.org/docs/using.html#standalone): replaces the webserver to respond to ACME challenges - [Webroot](https://certbot.eff.org/docs/using.html#webroot): needs your webserver to serve challenges from a known folder. **Webroot is better** because it doesn't require stopping Nginx to renew certificates. ---- ## Nginx snippets First we create two snippets to avoid duplicating code in every virtual host configuration. Create a file `/etc/nginx/snippets/letsencrypt.conf` containing: location ^~ /.well-known/acme-challenge/ { default_type "text/plain"; root /var/www/letsencrypt; } Create a file `/etc/nginx/snippets/ssl.conf` containing: ssl_session_timeout 1d; ssl_session_cache shared:SSL:50m; ssl_session_tickets off; ssl_dhparam /etc/ssl/private/dhparams_2048.pem; ssl_protocols TLSv1.2; ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256'; ssl_prefer_server_ciphers on; add_header Strict-Transport-Security max-age=15768000; ssl_stapling on; ssl_stapling_verify on; The SSL config is based on Mozilla's [Modern profile](https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=nginx-1.9.5&openssl=1.0.1e&hsts=yes&profile=modern): oldest compatible clients are Firefox 27, Chrome 30, IE 11 on Windows 7, Edge, Opera 17, Safari 9, Android 5.0, and Java 8. ---- ## Nginx virtual hosts (HTTP-only) We don't have a certificate yet at this point, so the domain is served only as HTTP. 
Create a file `/etc/nginx/sites-available/mydomain.conf` containing: server { listen 80 default_server; listen [::]:80 default_server ipv6only=on; server_name mydomain.com www.mydomain.com; include /etc/nginx/snippets/letsencrypt.conf; root /var/www/mydomain; index index.html; location / { try_files $uri $uri/ =404; } } And reload Nginx: sudo systemctl reload nginx Note the line `include /etc/nginx/snippets/letsencrypt.conf;` that makes Nginx serve challenges for both `http://www.mydomain.com/.well-known/acme-challenge/` and `http://mydomain.com/.well-known/acme-challenge/`. ---- ## Let's Encrypt client Install the client: sudo apt-get install letsencrypt Create a folder for the challenges: sudo mkdir -p /var/www/letsencrypt/.well-known/acme-challenge Generate a Diffie-Hellman parameter for DHE ciphersuites: sudo openssl dhparam -out /etc/ssl/private/dhparams_2048.pem 2048 And finally, get a certificate (don't forget to replace with your own email address): letsencrypt certonly --webroot -w /var/www/letsencrypt -d www.domain.com -d domain.com --email [email protected] --agree-tos It will save the files in `/etc/letsencrypt/live/www.mydomain.com/`. 
---- ## Nginx virtual hosts (HTTPS-only) Now that you have a certificate for the domain, switch to HTTPS by editing the file `/etc/nginx/sites-available/mydomain.conf` and replacing contents with: server { listen 80 default_server; listen [::]:80 default_server ipv6only=on; server_name mydomain.com www.mydomain.com; include /etc/nginx/snippets/letsencrypt.conf; location / { return 301 https://www.mydomain.com$request_uri; } } server { server_name www.mydomain.com; listen 443 ssl http2 default_server; listen [::]:443 ssl http2 default_server ipv6only=on; ssl_certificate /etc/letsencrypt/live/www.mydomain.com/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/www.mydomain.com/privkey.pem; ssl_trusted_certificate /etc/letsencrypt/live/www.mydomain.com/fullchain.pem; include /etc/nginx/snippets/ssl.conf; root /var/www/mydomain.com; index index.html; location / { try_files $uri $uri/ =404; } } server { listen 443 ssl http2; listen [::]:443 ssl http2; server_name mydomain.com; ssl_certificate /etc/letsencrypt/live/www.mydomain.com/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/www.mydomain.com/privkey.pem; ssl_trusted_certificate /etc/letsencrypt/live/www.mydomain.com/fullchain.pem; include /etc/nginx/snippets/ssl.conf; location / { return 301 https://www.mydomain.com$request_uri; } } Then reload Nginx: sudo systemctl reload nginx ---- ## Conclusion You should now be able to see your website at `https://www.mydomain.com`. Congratulations :smiley: You can test now also test that your domain has A+ SLL rating: - https://www.ssllabs.com/ssltest/analyze.html?d=mydomain.com - https://www.ssllabs.com/ssltest/analyze.html?d=www.mydomain.com You can renew using `letsencrypt renew`: when called it will attempt to renew certificates expiring in less than 30 days, so you can put this command in cron to renew automatically. If letsencrypt is useful to you, consider [donating to the EFF](https://supporters.eff.org/donate/).
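Review bot: the `letsencrypt certonly` command requests `www.domain.com` and `domain.com`, but every vhost, the `return 301` target and the stated certificate path use `mydomain.com`; as written, the certificate lands in `/etc/letsencrypt/live/www.domain.com/` and the `ssl_certificate` lines pointing at `/etc/letsencrypt/live/www.mydomain.com/` make nginx fail to reload. Change the `-d` arguments to `www.mydomain.com` and `mydomain.com` (and say that the first `-d` name decides the directory name under `live/`). Two smaller points in the same file: the HTTP-only vhost uses `root /var/www/mydomain;` while the HTTPS vhost uses `root /var/www/mydomain.com;`, so the document root changes during the switch; and the HTTP-only section has no "enable the site" step, so `default` is still the active `default_server` when the webroot challenge is attempted. "A+ SLL rating" in the title and conclusion should read "SSL", and "You can test now also test" has a duplicated word.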