Using Let’s Encrypt free SSL on Ubuntu Server and Nginx (wildcard included)
Installation
All you need is certbot
https://certbot.eff.org/all-instructions
or
https://certbot.eff.org/lets-encrypt/ubuntubionic-apache.html
for the Ubuntu 18.04 specifics (that page is the Apache variant, but the certbot install steps below do not depend on the web server).
These are the installation instructions (the certbot PPA below was the recommended route on 18.04 at the time; it is no longer maintained, and the certbot project now points people at the snap package or the distribution's own certbot package, but the PPA is what this note used):
sudo apt-get update
sudo apt-get install software-properties-common
sudo add-apt-repository universe
sudo add-apt-repository ppa:certbot/certbot
sudo apt-get update
sudo apt-get install certbot
NOTE: I didn’t include python-certbot-apache because I like to do things on my own and I usually use Nginx.
For a single domain
I’m assuming you are using the normal nginx config layout, where the active configs are the files in /etc/nginx/sites-enabled.
So we will create a new file, /etc/nginx/sites-available/letsencrypt.conf, and symlink it into /etc/nginx/sites-enabled (that is the layout the Debian/Ubuntu packaging expects, and it lets you disable a site later without deleting it).
This should be the content of letsencrypt.conf:
server {
    listen 80 default_server;
    listen [::]:80 default_server;   # drop this line if the host has no IPv6
    server_name _;
    index index.html index.htm index.nginx-debian.html;
    # must be the same directory you pass to certbot with -w
    root /var/www/html;

    # ^~ is a prefix match that takes priority over any regex locations,
    # so nothing else in this server block can capture the challenge path
    location ^~ /.well-known/acme-challenge {
        allow all;
        default_type "text/plain";
    }

    # everything else goes to HTTPS on the same host
    location / {
        return 301 https://$host$request_uri;
    }
}
This makes sure that every request on port 80 for a path under /.well-known/acme-challenge/ is served straight from /var/www/html, and every other path gets a 301 to the same host over HTTPS.
Keep the redirect out of the challenge location: a challenge that is bounced to 443 before the certificate exists fails validation, and each failed validation counts against Let’s Encrypt’s rate limits.
Now you need to set up DNS for the domain you want: an A record pointing at this server. If the server also has a public IPv6 address and an AAAA record, that address must serve the challenge too, because Let’s Encrypt prefers IPv6 when an AAAA record exists. Change www.example.com and x.x.x.x to your domain and server address:
www.example.com A x.x.x.x
Propagation can take anywhere from a second to the record’s TTL (longer if an old record was cached somewhere). Check it on https://dnschecker.org/ or with dig, and do not start certbot until the right address comes back.
Once the record resolves correctly, run the command below. Add --dry-run the first time to validate against the staging environment without issuing anything, and repeat -d for every extra hostname the certificate should cover:
sudo certbot certonly --webroot -w /var/www/html -d www.example.com
You should get the chain and key here. The files under live/ are symlinks that certbot repoints on every renewal, so always reference these paths, never the versioned files under archive/:
/etc/letsencrypt/live/www.example.com/fullchain.pem
/etc/letsencrypt/live/www.example.com/privkey.pem
Renewal itself is handled by the systemd timer (or cron job) the package installs, which runs certbot renew. nginx only picks up the new files on a reload, so put a small script that runs systemctl reload nginx into /etc/letsencrypt/renewal-hooks/deploy/; certbot runs everything in that directory after a successful renewal.
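A pre-flight check for the webroot step above, as an added example (it is not from the original note): it writes a throwaway token into the challenge directory, fetches it over plain HTTP the way the Let’s Encrypt validator does, and only then calls certbot, against the staging environment first. The DOMAIN and WEBROOT variables, the PREFLIGHT_RUN guard and the function names are my own; it assumes curl and certbot are installed, that the letsencrypt.conf server block is active on port 80, and that it runs as a user that can write to the webroot.

```shell
#!/bin/sh
# Pre-flight check for the webroot (HTTP-01) flow. Added example; not from the original note.
# Assumptions (mine): DOMAIN and WEBROOT are placeholders, curl and certbot are installed,
# the letsencrypt.conf server block is active on port 80, and this runs as a user that can
# write to the webroot.
set -eu

DOMAIN="${DOMAIN:-www.example.com}"
WEBROOT="${WEBROOT:-/var/www/html}"

# Print the IPv4 addresses the name currently resolves to (nothing if it does not resolve),
# so you can eyeball them against the server's address before calling certbot.
resolved_addresses() {
    getent ahostsv4 "$1" | awk '{print $1}' | sort -u
}

# Fetch a URL over plain HTTP and print the body. Kept as its own function so it can be
# swapped out. No -L on purpose: the validator follows redirects, but a challenge that is
# bounced to 443 before a certificate exists fails anyway, so treat a redirect as a failure.
fetch_body() {
    curl -fsS --max-time 10 "$1"
}

# Write a throwaway token into the challenge directory and fetch it exactly the way the
# Let's Encrypt validator would: http://<domain>/.well-known/acme-challenge/<token>.
# Succeeds only if the body comes back byte-for-byte equal to the token. Always cleans up.
check_http01() {
    domain="$1"
    webroot="$2"
    dir="$webroot/.well-known/acme-challenge"
    token="preflight-$(date +%s)-$$"
    mkdir -p "$dir"
    printf '%s' "$token" > "$dir/$token"
    body="$(fetch_body "http://$domain/.well-known/acme-challenge/$token" 2>/dev/null)" || body=""
    rm -f "$dir/$token"
    [ "$body" = "$token" ]
}

if [ "${PREFLIGHT_RUN:-0}" = "1" ]; then
    echo "$DOMAIN resolves to:"
    resolved_addresses "$DOMAIN"
    if check_http01 "$DOMAIN" "$WEBROOT"; then
        echo "challenge path reachable over http://$DOMAIN; dry run against staging first"
        sudo certbot certonly --webroot -w "$WEBROOT" -d "$DOMAIN" --dry-run
        echo "dry run OK; rerun without --dry-run to get the real certificate"
    else
        echo "challenge path NOT reachable over http://$DOMAIN; fix nginx/DNS before calling certbot" >&2
        exit 1
    fi
fi
```

Run it with PREFLIGHT_RUN=1 DOMAIN=www.example.com sh preflight.sh. The point of doing this before certbot is that a failed validation is not free: Let’s Encrypt rate-limits failed attempts per hostname, so one cheap local fetch saves you from burning those on a typo in the nginx config or a DNS record that has not propagated yet.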
Generating dhparams (for the ssl_dhparam directive). 2048 bits is enough; the file is only used by the DHE suites, and the config below prefers the ECDHE suites, so most clients never touch it:
sudo mkdir /etc/nginx/dhparams
sudo openssl dhparam -out /etc/nginx/dhparams/dhparams.pem 2048
Example nginx config, /etc/nginx/sites-available/www.example.com.conf (symlinked into sites-enabled like the other one):
server {
    listen 443 ssl;
    listen [::]:443 ssl;   # drop this line if the host has no IPv6
    server_name www.example.com;
    root /home/ubuntu/your_app;
    client_max_body_size 20M;

    ssl_certificate /etc/letsencrypt/live/www.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/www.example.com/privkey.pem;
    ssl_dhparam /etc/nginx/dhparams/dhparams.pem;   # only used by the DHE suites; generate it as above or remove this line and the DHE suites

    # SSLv3 (POODLE), TLS 1.0 and TLS 1.1 are all off: only 1.2 and 1.3 are offered
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
    # forward-secret AEAD suites only: no static RSA key exchange, no CBC/SHA-1, no 3DES, no RC4.
    # This directive does not cover the TLS 1.3 suites, which OpenSSL enables on its own.
    ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384';

    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 1d;
    ssl_session_tickets off;

    # HSTS. Only ever send this over HTTPS, and only use includeSubDomains once every subdomain
    # is served over HTTPS, because browsers will refuse plain HTTP to all of them for max-age seconds.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
}
A few notes on that config. ssl on; is deprecated since nginx 1.15.0; listen 443 ssl; is the replacement. The cipher list is deliberately short: the long lists that circulate for this purpose usually keep DES-CBC3-SHA and the non-forward-secret AES-SHA suites, and !DES in an OpenSSL cipher string excludes single DES only, so 3DES stays enabled unless you leave it out of the list. Also remember that nginx does not inherit add_header into any location block that has its own add_header, so if a location adds, say, a cache header, repeat the HSTS line there or the HSTS header silently disappears for that path. Check and reload with sudo nginx -t && sudo systemctl reload nginx.
For wildcard
You need to run this command first (change *.example.com to your domain, and keep the quotes so the shell does not try to expand the * as a glob). A wildcard does not cover the bare apex, so add -d example.com as well if one certificate should serve both. --manual-public-ip-logging-ok was required by older certbot releases and is deprecated in newer ones; drop it if your certbot rejects it:
sudo certbot certonly --manual -d '*.example.com' --agree-tos --manual-public-ip-logging-ok --preferred-challenges dns-01 --server https://acme-v02.api.letsencrypt.org/directory
Certbot will pause and tell you to create a TXT record named _acme-challenge.example.com with the value it prints. (If you also requested the apex, both challenges use that same record name, so you create two TXT records with different values.) Let’s Encrypt’s validators resolve the name themselves, so check the record on your zone’s authoritative nameservers, or at https://dnschecker.org/, before pressing Enter; a failed attempt counts against the rate limits and you have to start over.
If nothing is wrong, you get the wildcard certificate under /etc/letsencrypt/live/example.com/ (certbot names the lineage after the first -d name with the leading *. stripped):
/etc/letsencrypt/live/example.com/fullchain.pem
/etc/letsencrypt/live/example.com/privkey.pem
Point ssl_certificate and ssl_certificate_key in nginx at those paths, as in the single-domain config above, and it should be done.
One caveat: a certificate obtained with --manual and no hooks cannot be renewed unattended; certbot renew will fail on it. Either repeat this manual run before each expiry (certificates last 90 days), or give certbot a --manual-auth-hook and --manual-cleanup-hook script that creates and removes the TXT record through your DNS provider’s API, or use the provider’s certbot-dns-* plugin, which does that for you.
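The propagation check for the TXT step above, as an added example rather than anything from the original note: instead of refreshing dnschecker.org, it asks each of the zone’s authoritative nameservers directly, which is where Let’s Encrypt’s validators ultimately get the answer from, and returns only when all of them serve the value. It assumes dig (dnsutils) is installed; the ZONE, NAME and VALUE variables, the DNS01_RUN guard and the function names are my own.

```shell
#!/bin/sh
# Check that a DNS-01 TXT record has reached every authoritative nameserver before telling
# certbot to continue. Added example; not from the original note. Assumptions (mine): dig
# (dnsutils) is installed, and ZONE/NAME/VALUE are placeholders for what certbot --manual prints.
set -eu

# TXT values at a name as seen by one specific server, one per line, quotes stripped.
# Separate function so the resolver can be swapped out.
lookup_txt() {
    name="$1"
    server="$2"
    dig +short TXT "$name" "@$server" | tr -d '"'
}

# Hostnames of the zone's authoritative nameservers (trailing dot removed).
zone_nameservers() {
    dig +short NS "$1" | sed 's/\.$//'
}

# True if the exact value (whole line, no substring matches) is among that server's answers.
txt_present_on() {
    name="$1"; value="$2"; server="$3"
    lookup_txt "$name" "$server" | grep -Fqx -- "$value"
}

# Poll every server in $servers (space-separated) until all of them return the value, or give
# up after $timeout seconds. With timeout 0 it checks exactly once. Reports laggards on stderr.
wait_for_txt() {
    name="$1"; value="$2"; servers="$3"; timeout="${4:-300}"
    interval=10
    waited=0
    while :; do
        missing=""
        for s in $servers; do
            txt_present_on "$name" "$value" "$s" || missing="$missing $s"
        done
        [ -z "$missing" ] && return 0
        if [ "$waited" -ge "$timeout" ]; then
            echo "TXT $name still missing on:$missing" >&2
            return 1
        fi
        sleep "$interval"
        waited=$((waited + interval))
    done
}

if [ "${DNS01_RUN:-0}" = "1" ]; then
    ZONE="${ZONE:-example.com}"
    NAME="${NAME:-_acme-challenge.$ZONE}"
    VALUE="${VALUE:?set VALUE to the string certbot printed}"
    servers="$(zone_nameservers "$ZONE" | tr '\n' ' ')"
    if wait_for_txt "$NAME" "$VALUE" "$servers" 300; then
        echo "TXT visible on all of: $servers; safe to press Enter in certbot"
    else
        exit 1
    fi
fi
```

Run it in a second terminal while certbot is waiting: VALUE='<the string certbot printed>' ZONE=example.com DNS01_RUN=1 sh wait-txt.sh, and press Enter in certbot once it reports all servers. It queries the authoritative servers rather than public resolvers because a public resolver (and dnschecker.org, which uses them) can keep serving a cached old answer for the record’s TTL after every authoritative server has already been updated, or the other way round. The -x on grep matters: it rejects a value that merely contains the expected string, which is the kind of thing a half-pasted record produces.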
I’m sure there are better ways than this but this is my old note.
If anyone has better instructions, please let me know so I can share them with others as well.