We will use apt based client tool to install the certificate. So, it is just easy. Previously, we have written about Let’s Encrypt Project. Here is Step by Step Commands to Use Free SSL by Let’s Encrypt Project. This is How to Install Let’s Encrypt on Ubuntu, Nginx for WordPress. You’ll get A+ on SSL Lab’s test with this method.
Read Before You are Going to Install Let’s Encrypt on Ubuntu, Nginx
For those who have an existing SSL certificate, they can use a subdomain to test or use the 301 redirected www subdomain. We are writing for Ubuntu 16.04 LTS, hence we will use apt-get install letsencrypt command to perform the works. There is separate thing – an agent software for Let’s Encrypt. Which is not present in case of paid SSL certificates. There are two modes for configuration. First is standalone, which replaces the web server to respond to ACME (Automatic Certificate Management Environment) challenges. Second is webroot. Where your web server to serve challenges from a known directory. Both of these are for when you do not want the certbot to edit your file. certbot is Let’s Encrypt client software. We are using webroot because it does not need replace Nginx bind to port 80 in order to renew certificates.
In this guide on how to install Let’s Encrypt on Ubuntu, Nginx; we are setting up abhishekghosh.pro to be served from /usr/share/nginx/html and challenges will be served from /usr/share/nginx/html/letsencrypt/. This is the official GitHub repo profile of Let’s Encrypt’s agent :
1 | https://github.com/certbot/certbot |
Here is Automatic Certificate Management Environment (ACME) specification :
1 | https://github.com/ietf-wg-acme/acme/ |
We often give examples with acme.com as domain. What is this acme? Read on acme.com. That ACME is a group since 1970s promoting UNIX freeware.
Steps of How to Install Let’s Encrypt on Ubuntu, Nginx
Advertisement
---
We are taking it granted that you have installed Nginx. Create a file for SSL configuration named /etc/nginx/snippets/ssl.conf with this content :
1 2 3 4 5 6 7 8 9 10 11 12 | ssl_session_timeout 1d; ssl_session_cache shared:SSL:50m; ssl_session_tickets off; ssl_protocols TLSv1.2; ssl_ciphers EECDH+AESGCM:EECDH+AES; ssl_ecdh_curve secp384r1; ssl_prefer_server_ciphers on; ssl_stapling on; ssl_stapling_verify on; add_header Strict-Transport-Security "max-age=15768000; includeSubdomains; preload"; add_header X-Frame-Options DENY; add_header X-Content-Type-Options nosniff; |
Now create a file named /etc/nginx/snippets/letsencrypt.conf with this content :
1 2 3 4 | location ^~ /.well-known/acme-challenge/ { default_type "text/plain"; root /usr/share/nginx/html/letsencrypt/; } |
We said that challenges will be served from /usr/share/nginx/html/letsencrypt/ location. That is what will the above stuff will do. We need the directory. Create it :
1 | mkdir -p /usr/share/nginx/html/letsencrypt/.well-known/acme-challenge |
Your Nginx virtual host file equivalent is /etc/nginx/sites-enabled/default. Edit it :
1 2 3 4 5 6 7 8 9 10 11 12 13 | server { listen 80 default_server; listen [::]:80 default_server ipv6only=on; server_name abhishekghosh.pro www.abhishekghosh.pro; include /etc/nginx/snippets/letsencrypt.conf; root /usr/share/nginx/html; index index.html index.php; location / { try_files $uri $uri/ =404; } } |
The above is for HTTP, not HTTPS. Now install the client :
1 | sudo apt-get install letsencrypt |
Copy this command, edit it and run :
1 | letsencrypt certonly --webroot -w /usr/share/nginx/html/letsencrypt/ -d www.abhishekghosh.pro -d abhishekghosh.pro --email me@abhishekghosh.pro --agree-tos |
It will save the files in /etc/letsencrypt/live/www.abhishekghosh.pro/. cd to that directory and run :
1 2 | cd /etc/letsencrypt/live/www.abhishekghosh.pro/ openssl dhparam -out dhparam.pem 4096 |
Now, this is an example full /etc/nginx/sites-enabled/default configuration with default nginx locations and domain abhishekghosh.pro :
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 | server { listen 80 default_server; listen [::]:80 default_server ipv6only=on; server_name abhishekghosh.pro www.abhishekghosh.pro; include /etc/nginx/snippets/letsencrypt.conf; location / { return 301 https://www.abhishekghosh.pro$request_uri; } } server { server_name www.abhishekghosh.pro; listen 443 ssl http2 default_server; listen [::]:443 ssl http2 default_server ipv6only=on; ssl_certificate /etc/letsencrypt/live/www.abhishekghosh.pro/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/www.abhishekghosh.pro/privkey.pem; ssl_trusted_certificate /etc/letsencrypt/live/www.abhishekghosh.pro/fullchain.pem; ssl_dhparam /etc/letsencrypt/live/www.abhishekghosh.pro/dhparam.pem; include /etc/nginx/snippets/ssl.conf; root /usr/share/nginx/html; index index.html; location / { try_files $uri $uri/ =404; } } server { listen 443 ssl http2; listen [::]:443 ssl http2; server_name abhishekghosh.pro; ssl_certificate /etc/letsencrypt/live/www.abhishekghosh.pro/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/www.abhishekghosh.pro/privkey.pem; ssl_trusted_certificate /etc/letsencrypt/live/www.abhishekghosh.pro/fullchain.pem; ssl_dhparam /etc/letsencrypt/live/www.abhishekghosh.pro/dhparam.pem; include /etc/nginx/snippets/ssl.conf; location / { return 301 https://www.abhishekghosh.pro$request_uri; } } |
Run nginx config test :
1 | nginx -t |
Restart nginx :
1 | service nginx restart |
You can renew using the command letsencrypt renew. You can set a cron to run the command every 15 or 30 days.
Of course, you can print this and check mark the steps after doing, in case you are getting confused :
