Using Let's Encrypt free SSL on Ubuntu Server and Nginx (wildcard included)


Certbot in action

Hi, I'm just moving my notes from gitbook (legacy) to dev.to. I love it here, it's markdown and it's quick. I hope you find this useful.

Installation

All you need is certbot

https://certbot.eff.org/all-instructions or https://certbot.eff.org/lets-encrypt/ubuntubionic-apache.html to be more specific on Ubuntu 18.04

These are the installation instructions

sudo apt-get update
sudo apt-get install software-properties-common
sudo add-apt-repository universe
sudo add-apt-repository ppa:certbot/certbot
sudo apt-get update
sudo apt-get install certbot

NOTE: I didn't include python-certbot-apache because I like to do things on my own and I usually use Nginx.

For single domain

I'm assuming you are using the normal config path for nginx, which should be located at /etc/nginx/sites-enabled

So, we will create a new file called /etc/nginx/sites-enabled/letsencrypt.conf (you should create this in sites-available and symlink it into sites-enabled)

Now, this should be the content of letsencrypt.conf

server {
  listen 80 default_server;
  server_name _;
  index index.html index.htm index.nginx-debian.html;
  root /var/www/html;
  location ^~ /.well-known/acme-challenge {
    allow all;
    default_type "text/plain";
  }
  location / {
    return 301 https://$host$request_uri;
  }
}

This will make sure that all requests on port 80 for /.well-known/acme-challenge are served correctly (from /var/www/html, the webroot certbot writes the challenge file into).

Any other path is redirected to HTTPS on port 443.

Now you need to set up DNS for the domain you want. It should be an A record pointing to this server. Note: change www.example.com and x.x.x.x to your domain and server IP.

www.example.com     A     x.x.x.x

It may take a while or just a second, depending on your luck with DNS propagation. Just test this record on https://dnschecker.org/

Once dnschecker shows the correct result you just need to run

sudo certbot certonly --webroot -w /var/www/html -d www.example.com

You should get the chain and key located here

/etc/letsencrypt/live/www.example.com/fullchain.pem
/etc/letsencrypt/live/www.example.com/privkey.pem

Example nginx config /etc/nginx/sites-enabled/www.example.com.conf

server {
    ssl_prefer_server_ciphers on;

    # Add HSTS
    add_header Strict-Transport-Security "max-age=31536000; includeSubdomains";
    client_max_body_size 20M;
    listen       443 ssl;   # the "ssl" listen parameter replaces the deprecated "ssl on;" directive
    server_name  www.example.com;
    root /home/ubuntu/your_app;

    ssl_certificate /etc/letsencrypt/live/www.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/www.example.com/privkey.pem;
    ssl_dhparam /etc/nginx/dhparams/dhparams.pem; # you need to generate this if you want to use dhparam

    # prevent POODLE: SSLv3 is left out of this list
    # (TLSv1 and TLSv1.1 are deprecated too; drop them if your clients allow it)
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';

}

For wildcard

You need to run this command first (don't forget to change *.example.com to your domain; keep the quotes so the shell does not expand the asterisk)

sudo certbot certonly --manual -d '*.example.com' --agree-tos --manual-public-ip-logging-ok --preferred-challenges dns-01 --server https://acme-v02.api.letsencrypt.org/directory

You will get instructions on how to set it up. It will tell you to create a TXT DNS record. Once you have set up your TXT DNS record, confirm it with https://dnschecker.org/ before hitting enter.

If nothing is wrong, you should get the wildcard certificate at this path if you are using *.example.com

/etc/letsencrypt/live/example.com/fullchain.pem
/etc/letsencrypt/live/example.com/privkey.pem

You just have to set up nginx accordingly (the same server block as above, pointing at these two paths) and it should be done.
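One thing to check before pointing nginx at the wildcard certificate: a *.example.com wildcard covers www.example.com but not example.com itself or deeper names like a.b.example.com. The script below is an added example, not part of the original note, certbot or nginx; it assumes the openssl CLI (1.1.1 or later, for -ext) is installed when reading a real PEM, and the function names and the sample SAN list are constructed here.

```python
"""Check which hostnames a Let's Encrypt certificate actually covers.

Constructed example for this post: a '*.example.com' wildcard covers
www.example.com but NOT example.com itself and NOT a.b.example.com.
"""
import re
import subprocess


def wildcard_matches(pattern: str, hostname: str) -> bool:
    """Match one SAN entry against a hostname, RFC 6125 style.

    Only a single leading '*.' label is treated as a wildcard, and it
    matches exactly one DNS label.  Comparison is case-insensitive.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    suffix = pattern[1:]                      # ".example.com"
    if not hostname.endswith(suffix):
        return False
    label = hostname[: -len(suffix)]          # the part the '*' must cover
    return bool(label) and "." not in label and "*" not in label


def covered(san_names, hostname: str) -> bool:
    """True if any SAN entry on the certificate covers `hostname`."""
    return any(wildcard_matches(p, hostname) for p in san_names)


def uncovered(san_names, hostnames):
    """Return the hostnames that the certificate does NOT cover."""
    return [h for h in hostnames if not covered(san_names, h)]


def san_names_from_pem(path: str):
    """Read DNS SANs from a PEM file via the openssl CLI (assumed installed).

    Example path from the post: /etc/letsencrypt/live/example.com/fullchain.pem
    """
    out = subprocess.run(
        ["openssl", "x509", "-in", path, "-noout", "-ext", "subjectAltName"],
        capture_output=True, text=True, check=True,
    ).stdout
    return re.findall(r"DNS:([^,\s]+)", out)


if __name__ == "__main__":
    sans = ["*.example.com"]  # constructed: what the wildcard command above issues
    print(uncovered(sans, ["www.example.com", "example.com", "a.b.example.com"]))
```

Run it against the real file with san_names_from_pem("/etc/letsencrypt/live/example.com/fullchain.pem") and every name in your server_name directives; anything returned by uncovered() needs its own -d entry when you request the certificate.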

I'm sure there are better ways than this but this is my old note. If anyone has better instructions, please let me know so I can share with others as well.