How to Secure Nginx with Let's Encrypt on Ubuntu and Debian
Abstract: Install Let’s Encrypt SSL Certificate in Nginx 9. Now that your SSL Certificate has been generated is time to configure Nginx webserver to use it. The
Following the previous Let’s Encrypt tutorial regarding Apache SSL, in this article we’ll discuss how to generate and install a free SSL/TLS certificate issued by Let’s Encrypt CA for Nginx webserver on Ubuntu or Debian.
Also Read- Secure Apache with Free Let’s Encrypt on Ubuntu and Debian
- Install Let’s Encrypt SSL to Secure Apache on RHEL and CentOS
- A registered domain with valid DNS
A
records to point back to IP address of your server. - A installed Nginx web server with enabled SSL and Vhost, in case you planning to host multiple domains or subdomains.
1. On the first step install Nginx web server, if not installed already, by issuing the below command:
$ sudo apt-get install nginxInstall Nginx Web Server on Ubuntu 14.04 and Debian 8 Step 2: Generate a Let’s Encrypt SSL Certificate for Nginx
2. Before generating a free SSL/TLS certificate, install Let’s Encrypt software in /usr/local/
filesystem hierarchy with the help of git client by issuing the below commands:
$ sudo apt-get -y install git $ cd /usr/local/ $ sudo git clone https://github.com/letsencrypt/letsencrypt
3. Although the procedure of getting a Certificate for Nginx is automated, you can still manually create and install a free SSL certificate for Nginx using Let’s Encrypt Standalone plugin.
This method requires that port 80 must not be in use on your system for a short period of time while Let’s Encrypt client validates the server’s identity before generating the certificate.
In case you are running Nginx already, stop the service by issuing the following command.
$ sudo service nginx stop OR $ sudo systemctl stop nginx
In case you’re running other service that binds on port 80 stop that service as well.
4. Confirm that port 80 is free by running the netstat command:
$ sudo netstat -tlpn | grep 80Check Current Listening Ports in Linux
5. Now it’s time to run letsencrypt
in order to obtain a SSL Certificate. Go to Let’s Encrypt installation directory found in /usr/local/letsencrypt system path and run the letsencrypt-auto command by providing the certonly --standalone
option and -d
flag for each domain or subdomain you wish to generate a certificate.
$ cd /usr/local/letsencrypt $ sudo ./letsencrypt-auto certonly --standalone -d your_domain.tldObtain Let’s Encrypt SSL Certificate
6. Enter the email address which will be used by Let’s Encrypt for lost key recovery or urgent notices.
Enter Email Address7. Agree with the terms of the license by pressing Enter key.
Accept Letsencrypt Agreement8. Finally, if everything went successful, a message similar to the screenshot below should appear on your terminal console.
Letsencrypt Installation Finishes Step 3: Install Let’s Encrypt SSL Certificate in Nginx9. Now that your SSL Certificate has been generated is time to configure Nginx webserver to use it. The newly SSL certificates are placed in /etc/letsencrypt/live/
under a directory named after your domain name. Run ls command to list the Certificate files issued for your domain.
$ sudo ls /etc/letsencrypt/live/ $ sudo ls -al /etc/letsencrypt/live/caeszar.tkLetsencrypt SSL Certificates
10. Next, open /etc/nginx/sites-available/default
file with a text editor and add the following block after the first commented line that specifies the beginning of the SSL block. Use the below screenshot as guidance.
$ sudo nano /etc/nginx/sites-enabled/default
Nginx block excerpt:
# SSL configuration # listen 443 ssl default_server; ssl_certificate /etc/letsencrypt/live/caeszar.tk/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/caeszar.tk/privkey.pem; ssl_protocols TLSv1 TLSv1.1 TLSv1.2; ssl_prefer_server_ciphers on; ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH'; ssl_dhparam /etc/nginx/ssl/dhparams.pem;Configure Nginx to Use Let’s Encrypt SSL
Replace the domain name values for SSL certificates accordingly.
11. On the next step generate a strong Diffie-Hellman cipher in /etc/nginx/ssl/ directory in order to protect your server against the Logjam attack by running the following commands.
$ sudo mkdir /etc/nginx/ssl $ cd /etc/nginx/ssl $ sudo openssl dhparam -out dhparams.pem 2048Generate Diffie Hellman Cipher for Nginx
12. Finally, restart Nginx daemon to reflect changes.
$ sudo systemctl restart nginx
and test your SSL certificate by visiting the below URL.
https://www.ssllabs.com/ssltest/analyze.htmlCheck Nginx Lets Encrypt SSL Certificate Step 4: Auto Renew Let’s Encrypt Nginx Certificates
13. Certificates issued by Let’s Encrypt CA are valid for 90 days. In order to auto renew the files before expiration date create ssl-renew.sh
bash script in /usr/local/bin/
directory with the following content.
$ sudo nano /usr/local/bin/ssl-renew.sh
Add the following content to ssl-renew.sh
file.
#!/bin/bash cd /usr/local/letsencrypt sudo ./letsencrypt-auto certonly -a webroot --agree-tos --renew-by-default --webroot-path=/var/www/html/ -d your_domain.tld sudo systemctl reload nginx exit 0Auto Renew Nginx Lets Encrypt SSL Certificate
Replace the --webroot-path
variable to match your Nginx document root. Make sure the script is executable by issuing the following command.
$ sudo chmod +x /usr/local/bin/ssl-renew.sh
14. Finally add a cron job to run the script every two months at midnight in order to assure that your certificate will be updated in approximately 30 days before it expires.
$ sudo crontab -e
Add the following line at the bottom of the file.
0 1 1 */2 * /usr/local/bin/ssl-renew.sh >> /var/log/your_domain.tld-renew.log 2>&1Update Lets Encrypt SSL Certificates
That’s it! Your Nginx server is now serving SSL content using a free Let’s Encrypt SSL certificate.