Using Let’s Encrypt free SSL on Ubuntu Server and Nginx (wildcard included)

Installation

All you need is certbot. The general instructions are at
https://certbot.eff.org/all-instructions
or, specifically for Ubuntu 18.04,
https://certbot.eff.org/lets-encrypt/ubuntubionic-apache.html

These are the installation instructions:

sudo apt-get update
sudo apt-get install software-properties-common
sudo add-apt-repository universe
sudo add-apt-repository ppa:certbot/certbot
sudo apt-get update
sudo apt-get install certbot

NOTE: I didn’t include python-certbot-apache because I like to do things on my own, and I usually use Nginx.

For single domain

I’m assuming you are using the normal config path for nginx, which should be /etc/nginx/sites-enabled

So, we will create a new file called /etc/nginx/sites-enabled/letsencrypt.conf (you should create it in sites-available and symlink it into sites-enabled)

Now, this should be the content of letsencrypt.conf:

server {
  listen 80 default_server;
  server_name _;
  index index.html index.htm index.nginx-debian.html;
  root /var/www/html;
  location ^~ /.well-known/acme-challenge {
    allow all;
    default_type "text/plain";
  }
  location / {
    return 301 https://$host$request_uri;
  }
}

This makes sure that every request on port 80 whose path starts with /.well-known/acme-challenge is served from the webroot, which is what certbot’s HTTP-01 validation needs.

Any other path is redirected to HTTPS on port 443.

Now you need to set up DNS for the domain you want: an A record pointing at this server. Note, you should change www.example.com and x.x.x.x to your domain and your server’s IP.

www.example.com     A     x.x.x.x

Propagation may take a second or a long while, depending on your luck. Just check the record on https://dnschecker.org/

Once dnschecker shows the correct result, you just need to run:

sudo certbot certonly --webroot -w /var/www/html -d www.example.com

You should get the chain and the private key here:

/etc/letsencrypt/live/www.example.com/fullchain.pem
/etc/letsencrypt/live/www.example.com/privkey.pem

Generate 2048-bit DH parameters to use with the ssl_dhparam directive:

sudo mkdir /etc/nginx/dhparams
sudo openssl dhparam -out /etc/nginx/dhparams/dhparams.pem 2048

Example nginx config /etc/nginx/sites-enabled/www.example.com.conf:

server {
    listen 443 ssl;                # 'listen ... ssl' replaces the deprecated 'ssl on;'
    server_name www.example.com;
    root /home/ubuntu/your_app;
    client_max_body_size 20M;

    # Add HSTS so browsers refuse to fall back to plain HTTP for a year
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";

    ssl_certificate /etc/letsencrypt/live/www.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/www.example.com/privkey.pem;
    ssl_dhparam /etc/nginx/dhparams/dhparams.pem; # generated above; needed by the DHE ciphers below

    # POODLE targets SSLv3; listing only TLS 1.2 and 1.3 also drops TLS 1.0 and 1.1
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;

    # Older compatibility list: forward-secret ECDHE/DHE AES-GCM suites come first, but it
    # still ends with non-forward-secret AES, CAMELLIA and 3DES (DES-CBC3-SHA) suites kept
    # for legacy clients; trim those if you do not need them
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
}
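As an added example (not from the original post), here is a small POSIX shell linter for a vhost like the one above. It flags the mistakes that most often turn a "working" HTTPS server block into a weak or broken one: a legacy protocol left in ssl_protocols, the deprecated ssl on, port 443 opened without the ssl parameter, ssl_certificate pointing at cert.pem instead of fullchain.pem, and a missing HSTS header. The sample vhosts it writes are constructed for this example and live in temp files; nothing under /etc is touched.

```shell
#!/bin/sh
# Added example, not part of the original post: lint an nginx TLS server block for
# common misconfigurations. Sample configs are constructed; paths are temp files.

# make_sample_config good|bad: writes a constructed vhost and prints its temp path.
# The "bad" one deliberately contains several of the problems the linter looks for.
make_sample_config() {
  f=$(mktemp)
  if [ "$1" = good ]; then
    cat > "$f" <<'EOF'
server {
    listen 443 ssl;
    server_name www.example.com;
    ssl_certificate /etc/letsencrypt/live/www.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/www.example.com/privkey.pem;
    ssl_protocols TLSv1.2 TLSv1.3;
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";
}
EOF
  else
    cat > "$f" <<'EOF'
server {
    listen       443;
    server_name  www.example.com;
    ssl on;
    ssl_certificate /etc/letsencrypt/live/www.example.com/cert.pem;
    ssl_certificate_key /etc/letsencrypt/live/www.example.com/privkey.pem;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
}
EOF
  fi
  printf '%s\n' "$f"
}

# lint_tls_config FILE: prints one finding per line; returns 0 only if nothing was found.
lint_tls_config() {
  cfg=$1
  n=0
  # 1. SSLv3, TLS 1.0 or TLS 1.1 still enabled (the POODLE-era protocols).
  if grep -Eq '^[[:space:]]*ssl_protocols[^;]*(SSLv3|TLSv1(\.1)?)([[:space:]]|;)' "$cfg"; then
    echo "ssl_protocols enables a legacy protocol; use: ssl_protocols TLSv1.2 TLSv1.3;"
    n=$((n+1))
  fi
  # 2. 'ssl on;' is deprecated; 'listen 443 ssl;' is the supported form.
  if grep -Eq '^[[:space:]]*ssl[[:space:]]+on[[:space:]]*;' "$cfg"; then
    echo "'ssl on;' is deprecated; use 'listen 443 ssl;' instead"
    n=$((n+1))
  # 3. Port 443 without 'ssl' and without 'ssl on;' serves plaintext on the HTTPS port.
  elif grep -Eq '^[[:space:]]*listen[[:space:]]+443[[:space:]]*;' "$cfg"; then
    echo "listen 443 has no 'ssl' parameter; TLS is not enabled on this vhost"
    n=$((n+1))
  fi
  # 4. Serve the full chain; cert.pem alone breaks clients that lack the intermediate.
  if ! grep -Eq '^[[:space:]]*ssl_certificate[[:space:]]+[^;]*fullchain\.pem[[:space:]]*;' "$cfg"; then
    echo "ssl_certificate should point at fullchain.pem, not cert.pem"
    n=$((n+1))
  fi
  # 5. No HSTS header means browsers will still accept a plain-HTTP downgrade.
  if ! grep -Eq '^[[:space:]]*add_header[[:space:]]+Strict-Transport-Security' "$cfg"; then
    echo "no Strict-Transport-Security header"
    n=$((n+1))
  fi
  [ "$n" -eq 0 ]
}

# Stand-alone run: lint the constructed "bad" vhost and print what it finds.
sample=$(make_sample_config bad)
lint_tls_config "$sample" || true
rm -f "$sample"
```

Run it against a real file with lint_tls_config /etc/nginx/sites-enabled/www.example.com.conf after nginx -t passes; the linter only reads the file, so it is safe to run on a live server.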

For wildcard

You need to run this command first (don’t forget to change *.example.com to your domain; keep the quotes so the shell does not expand the asterisk as a filename glob)

sudo certbot certonly --manual -d '*.example.com' --agree-tos --manual-public-ip-logging-ok --preferred-challenges dns-01 --server https://acme-v02.api.letsencrypt.org/directory

You will get instructions on how to set it up. It will tell you to create a TXT DNS record. Once you have created the TXT record, confirm it with https://dnschecker.org/ before hitting enter.

If nothing is wrong, you should get the wildcard certificate at this path if you are using *.example.com:

/etc/letsencrypt/live/example.com/fullchain.pem
/etc/letsencrypt/live/example.com/privkey.pem

You just have to set up nginx accordingly (the same directives as above, pointing at these paths) and it should be done.
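One thing worth checking before you point a vhost at the wildcard certificate is which names it actually covers. Browsers apply the left-most-label wildcard rule from RFC 6125: *.example.com matches exactly one label, so it covers www.example.com but neither the apex example.com nor a deeper name like a.b.example.com. The shell functions below (an added example, not part of the original post) implement that rule over a list of subject alternative names; the SAN lists are constructed to mirror the certificate the command above issues, and no real certificate is read.

```shell
#!/bin/sh
# Added example, not part of the original post: decide whether a certificate's SANs
# cover a hostname, using the left-most-label wildcard rule (RFC 6125 section 6.4.3).
# SAN lists used here are constructed; this does not parse a real certificate.

# lower WORD: prints WORD in lower case (DNS names compare case-insensitively).
lower() { printf '%s' "$1" | tr 'A-Z' 'a-z'; }

# san_matches SAN HOST: returns 0 if SAN covers HOST.
# A wildcard is only honoured as the entire left-most label ("*.example.com") and
# matches exactly one label, so it does not cover the apex or a deeper subdomain.
san_matches() {
  san=$(lower "$1"); host=$(lower "$2")
  case $san in
    '*.'*)
      suffix=${san#\*.}
      # everything after the first dot must equal the suffix, and the first label
      # must exist and be non-empty
      [ "${host#*.}" = "$suffix" ] && [ "${host%%.*}" != "$host" ] && [ -n "${host%%.*}" ]
      ;;
    *)
      [ "$san" = "$host" ]
      ;;
  esac
}

# cert_covers HOST SAN...: returns 0 if any SAN covers HOST, 1 otherwise.
cert_covers() {
  host=$1; shift
  for san in "$@"; do
    if san_matches "$san" "$host"; then return 0; fi
  done
  return 1
}

# Stand-alone run: show which names the post's *.example.com certificate covers.
demo() {
  for host in www.example.com api.example.com example.com a.b.example.com; do
    if cert_covers "$host" '*.example.com'; then r=covered; else r="NOT covered"; fi
    printf '%-18s %s by *.example.com\n' "$host" "$r"
  done
}
demo
```

If you also serve the apex, request both names in one certificate (for example -d example.com -d '*.example.com'); cert_covers example.com example.com '*.example.com' then succeeds where cert_covers example.com '*.example.com' does not.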

I’m sure there are better ways than this, but this is my old note.
If anyone has better instructions, please let me know so I can share them with others as well.
