Skip to content

Instantly share code, notes, and snippets.

@risonsimon

risonsimon/Readme.md

Last active July 19, 2016 12:27
Show Gist options
  • Save risonsimon/02fc8bc7de596f2f3952 to your computer and use it in GitHub Desktop.
Save risonsimon/02fc8bc7de596f2f3952 to your computer and use it in GitHub Desktop.
Download ZIP
How to install letsencrypt on nginx - without stopping nginx
Raw
Readme.md

For latest check: https://www.digitalocean.com/community/tutorials/how-to-secure-nginx-with-let-s-encrypt-on-ubuntu-14-04

  1. ssh into the server to install letsencrypt.
  2. Install the requirements.
sudo apt-get update
sudo apt-get -y install git bc
  1. Download letsencrypt
sudo git clone https://github.com/letsencrypt/letsencrypt /opt/letsencrypt
  1. Add the folowing to nginx server block listening to port 80.
    # Rule for legitimate ACME Challenge requests (like /.well-known/acme-challenge/xxxxxxxxx)
    location ^~ /.well-known/acme-challenge/ {
        default_type "text/plain";
        # webroot
        root         /var/www/letsencrypt;
    }
  
    # Hide /acme-challenge subdirectory and return 404 on all requests.
    # It is somewhat more secure than letting Nginx return 403.
    # Ending slash is important!
    location = /.well-known/acme-challenge/ {
        return 404;
    }
  1. Go to letsencrypt folder and the letsencrypt-auto command as shown below.
cd /opt/letsencrypt
./letsencrypt-auto certonly -a webroot --email <YOUR_EMAIL> --agree-tos --renew-by-default    --webroot-path=/usr/share/nginx/html -d example.com -d www.example.com
sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048
  1. Inside ssl server block in nginx listening on 443, add the following.
ssl_certificate /etc/letsencrypt/live/<DOMAIN_NAME>/fullchain.pem;		
ssl_certificate_key /etc/letsencrypt/live/<DOMAIN_NAME>/privkey.pem;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_dhparam /etc/ssl/certs/dhparam.pem;
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:50m;
ssl_stapling on;
ssl_stapling_verify on;
add_header Strict-Transport-Security max-age=15768000;
  1. Restart nginx.
service nginx restart
  1. To setup letsencrypt autorenewel.
sudo cp /opt/letsencrypt/examples/cli.ini /usr/local/etc/le-renew-webroot.ini
sudo nano /usr/local/etc/le-renew-webroot.ini

Uncomment and update the following items.

  1. Use the following commands to create a renewel script and add it to crontab.
sudo curl -L -o /usr/local/sbin/le-renew-webroot https://gist.github.com/thisismitch/e1b603165523df66d5cc/raw/fbffbf358e96110d5566f13677d9bd5f4f65794c/le-renew-webroot
sudo chmod +x /usr/local/sbin/le-renew-webroot
sudo crontab -e

  1. Run /usr/local/sbin/le-renew-webroot to see if it is working.

  2. Add this entry to the crontab. It'll try to renew your ssl certificates every monday. If no renewel is necessary it adds how many days are remaining to the log.

30 2 * * 1 /usr/local/sbin/le-renew-webroot >> /var/log/le-renewal.log
  1. You can check the status of validity in /var/log/le-renewal.log.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment