
By Abhishek Ghosh September 7, 2016 1:29 am Updated on December 22, 2016

Easy Steps To Setup Let’s Encrypt on Ubuntu 16.04, Nginx


Some readers of this website asked for a guide on Let’s Encrypt on Ubuntu 16.04. Here are easy steps to set up Let’s Encrypt on Ubuntu 16.04 and Nginx with HSTS, ALPN on HTTP/2, OCSP stapling, Public Key Pinning (HPKP) and a cipher list. Needless to say, Let’s Encrypt provides free SSL certificates. You need not read the guides on the same topic from various web hosts; they contain errors, and some of the material is copy-pasted from professional blogs. You will get A+ on SSL Labs with 100 on certificate, 90 on protocol support, 85 on key exchange and 85 on cipher strength.

This article is old!

We strongly recommend only reading this guide, as it has many important hyperlinks on topics you may need to know. After reading it, follow our latest guide on how to install certbot on Ubuntu 16.04.

 

We are showing the old method because Ubuntu Xenial packages an old version of Certbot that lacks a few features. Official documentation is here :

https://certbot.eff.org/#ubuntuxenial-nginx

Otherwise we could make it easier with one command.

 

Prerequisite Steps To Setup Let’s Encrypt on Ubuntu 16.04, Nginx and Follow This Guide

 

You need Ubuntu 16.04 LTS and nginx-extras from Ubuntu’s repository. ALPN support for HTTP/2 needs the newest version of OpenSSL. If you have a blank Ubuntu 16.04 LTS server, simply run :

apt update
apt upgrade
apt install nginx-extras

Make sure that you have pointed the domain name to the server via DNS and that you can see your website’s default webpage in a browser. If you do not have a domain, you can read this list of free domain names. Use Hurricane Electric DNS to point it. You need one email address. Now open the default file :

nano /etc/nginx/sites-available/default

Add this :

        location ~ /.well-known {
                allow all;
        }

Run :

nginx -t

If successful, then :

service nginx restart

 

Easy Steps To Setup Let’s Encrypt on Ubuntu 16.04, Nginx

 

We will keep all paths and file names at their defaults. We are using our domain abhishekghosh.pro in this example. You must change abhishekghosh.pro to your domain name while running the commands. The default root of Nginx is /var/www/html on this Ubuntu 16.04. Change the root path if needed.

Let us run the commands :

apt update
apt install git

As mentioned before, we will use the newer code from the Git repository because the Ubuntu repository has an old version. So we are cloning from https://github.com/letsencrypt/letsencrypt to the directory /opt/letsencrypt. Technically we should clone from https://github.com/certbot/certbot to the directory /opt/certbot. We are not doing that because you may install the Ubuntu package later and the names would get confusing; we will also release an updated guide to cover everything (the name sounds older, but you are on the new code!). All files will be copied to /opt/letsencrypt. You should not delete this directory later. Now we will clone the Let’s Encrypt repo :

git clone https://github.com/letsencrypt/letsencrypt /opt/letsencrypt
cd /opt/letsencrypt

Keep in mind that you will run this command in this directory every 15 days or so to get the latest update :

cd /opt/letsencrypt
sudo git pull

Now we run the command to request the certificate (suggested) :

./letsencrypt-auto certonly -a webroot --webroot-path=/var/www/html -d abhishekghosh.pro

I ran it only for the domain abhishekghosh.pro. If I need to add www.abhishekghosh.pro then I can combine that in this way :

./letsencrypt-auto certonly -a webroot --webroot-path=/var/www/html -d abhishekghosh.pro -d www.abhishekghosh.pro

Obviously I can run only for www later :

suggested for www
./letsencrypt-auto certonly -a webroot --webroot-path=/var/www/html -d abhishekghosh.pro -d www.abhishekghosh.pro

Run the first command (or the third one if the www one is your main domain), as it is easier to troubleshoot with one domain. You need a real web root for all the subdomains. Virtual hosts or CNAME records should be set correctly.

Remember – letsencrypt is old name, it is certbot since May 2016.

After you run the command, a wizard will prompt you. You will need to enter an email address that will be used for notices and lost key recovery, and you must agree to the Let’s Encrypt Subscriber Agreement. Simple. After these steps you’ll get this output :

IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at
   /etc/letsencrypt/live/abhishekghosh.pro/fullchain.pem. Your cert
   will expire on 2016-12-05. To obtain a new or tweaked version of
   this certificate in the future, simply run letsencrypt-auto again.
   To non-interactively renew *all* of your certificates, run
   "letsencrypt-auto renew"
...

At the location /etc/letsencrypt/live/abhishekghosh.pro, we have everything. Let us go there :

cd /etc/letsencrypt/live/abhishekghosh.pro
ls -al

The files in /etc/letsencrypt/live/abhishekghosh.pro are symlinks into /etc/letsencrypt/archive. We will generate the Diffie-Hellman parameters (the command will take time to finish) :

sudo openssl dhparam -out dhparam.pem 2048

We will wget this certificate for OCSP stapling :

wget https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem

Check the files :

ls -al

Now, first create a backup.

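cd /etc/letsencrypt/live/abhishekghosh.pro
# -h follows the symlinks so the archive holds the real files, not links into ../../archive
tar -cvzhf abhishekghosh-pro-certs-Sept-2016.tar.gz *

Change the name abhishekghosh-pro-certs-Sept-2016 to your own name and date. Run ls -al again and you’ll see the tarball. First download it via FTP to your computer. We used to do it religiously for paid SSL certificates. If something goes wrong and everything gets deleted, the site will remain down. The tarball includes privkey.pem, so store it as carefully as the key itself.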

This is the right configuration :

       ssl on;
       access_log off;
       ssl_certificate /etc/letsencrypt/live/abhishekghosh.pro/fullchain.pem;
       ssl_certificate_key /etc/letsencrypt/live/abhishekghosh.pro/privkey.pem;
       ssl_dhparam /etc/letsencrypt/live/abhishekghosh.pro/dhparam.pem;
       ssl_stapling on;
       ssl_stapling_verify off;
       ssl_stapling_responder http://ocsp.int-x3.letsencrypt.org;
       resolver 8.8.8.8 8.8.4.4 valid=300s;
       resolver_timeout 30s;
       ssl_trusted_certificate /etc/letsencrypt/live/abhishekghosh.pro/lets-encrypt-x3-cross-signed.pem;
       ssl_ecdh_curve prime256v1;
       ssl_session_cache shared:NginxCache123:20m;
       ssl_session_timeout 4h;
       ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
       ssl_ciphers EECDH+AESGCM:EDH+AESGCM:EECDH:EDH:!MD5:!RC4:!LOW:!MEDIUM:!CAMELLIA:!ECDSA:!DES:!DSS:!3DES:!NULL;
       ssl_prefer_server_ciphers on;
       add_header Strict-Transport-Security 'max-age=31536000; includeSubDomains; preload';
       #add_header Public-Key-Pins 'pin-sha256=" "; pin-sha256=" "; report-uri=" "; max-age=5184000; includeSubDomains';
       #add_header 'Content-Security-Policy-Report-Only' 'default-src self https:; report-uri ';

ssl_stapling_verify off is set to avoid errors. add_header Public-Key-Pins is commented out because you should read the Public-Key-Pins and Public-Key-Pins Reporting guide before setting it up. You will do it later. Content-Security-Policy-Report-Only is commented out because you need to read about Content-Security-Policy and Content-Security-Policy-Report-Only first. You can do these two points later.

Your normal virtual hosts file is /etc/nginx/sites-available/default. It has something like :

server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name abhishekghosh.pro;
...
}

Make a copy of the whole stanza and paste it at the bottom. Edit the pasted second entry to change the port :

server {
    listen 443 default_server;
    listen [::]:443 default_server;
    server_name abhishekghosh.pro;
...
}

Then add the directives (check the official Nginx documentation for where to paste them). You need to add a 301 redirection :

server {
    listen 80 default_server;
    listen [::]:80 default_server;
    return 301 https://abhishekghosh.pro$request_uri;
...
}

Run :

nginx -t

If successful, then :

service nginx restart

If everything is fine, go to SSL Labs and test your result. After doing the above two, you’ll get correct, optimized settings.

By the way, you need to work to get listed on HTTPS Everywhere. Otherwise HSTS will not actually work.
You can see our site on SSL Labs :

https://www.ssllabs.com/ssltest/analyze.html?d=abhishekghosh.pro
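
Before waiting for an SSL Labs scan, the stapling, ALPN and HSTS settings from the configuration above can be checked locally. This is an added example, not code from the original article; the function names tls_summary and hsts_summary and the sample input are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original article. Against a live server:
#   echo | openssl s_client -connect abhishekghosh.pro:443 \
#     -servername abhishekghosh.pro -status -alpn h2 2>/dev/null | tls_summary
#   curl -sI https://abhishekghosh.pro/ | hsts_summary

# Summarise `openssl s_client -status -alpn h2` output read from stdin.
tls_summary() {
    awk '
        /OCSP response: no response sent/  { ocsp = "missing" }
        /OCSP Response Status: successful/ { ocsp = "stapled" }
        /^ALPN protocol: /                 { alpn = $3 }
        /^No ALPN negotiated/              { alpn = "none" }
        /^ *Protocol *: /                  { proto = $NF }
        END {
            printf "ocsp=%s alpn=%s protocol=%s\n",
                (ocsp ? ocsp : "unknown"), (alpn ? alpn : "unknown"),
                (proto ? proto : "unknown")
        }'
}

# Summarise the HSTS header from `curl -sI` output on stdin; status 1 if absent.
hsts_summary() {
    tr -d '\r' | awk '
        tolower($0) ~ /^strict-transport-security:/ {
            v = tolower($0); sub(/^[^:]*: */, "", v)
            age = "none"
            if (match(v, /max-age=[0-9]+/)) age = substr(v, RSTART + 8, RLENGTH - 8)
            printf "max-age=%s includesubdomains=%s preload=%s\n", age,
                (v ~ /includesubdomains/ ? "yes" : "no"),
                (v ~ /preload/ ? "yes" : "no")
            found = 1
        }
        END { exit(found ? 0 : 1) }'
}

# Constructed sample input (not captured from a real server).
SAMPLE_TLS='OCSP response: no response sent
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2'
SAMPLE_HEADERS='HTTP/1.1 200 OK
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload'

printf '%s\n' "$SAMPLE_TLS" | tls_summary
printf '%s\n' "$SAMPLE_HEADERS" | hsts_summary
```

Nginx fetches the OCSP response lazily, so the first handshake after a restart can report ocsp=missing; repeat the check before concluding that stapling is broken.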

 

Problems With Let’s Encrypt Renewal on Ubuntu 16.04, Nginx

 

If you visit the official git :

https://github.com/certbot/certbot

They have clearly written that letsencrypt is the old name; it is certbot since May 2016. There are guides which are not updated. You can test renewal with a dry run :

/opt/letsencrypt/letsencrypt-auto renew --dry-run

You can try a renewal :

/opt/letsencrypt/letsencrypt-auto renew
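
Nginx reads certificate files only at start or reload, so a renewed certificate is not served until then. The wrapper below is an added example, not part of the original article: it runs the renew command above and reloads Nginx only when fullchain.pem changed and nginx -t passes. The function names and the overridable variables are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the original article.
# Paths and commands follow the article; override them to test without root.
LIVE_DIR=${LIVE_DIR:-/etc/letsencrypt/live/abhishekghosh.pro}
RENEW_CMD=${RENEW_CMD:-/opt/letsencrypt/letsencrypt-auto renew}
TEST_CMD=${TEST_CMD:-nginx -t}
RELOAD_CMD=${RELOAD_CMD:-service nginx reload}

# Checksum of the certificate the live symlink currently resolves to.
cert_id() {
    [ -r "$LIVE_DIR/fullchain.pem" ] || return 1
    cksum < "$LIVE_DIR/fullchain.pem" | cut -d' ' -f1
}

# Prints "unchanged" or "reloaded"; returns 1 if the renewal failed,
# 2 if the Nginx configuration no longer validates, 3 if the reload failed.
renew_and_reload() {
    before=$(cert_id)
    $RENEW_CMD || { echo "renew failed" >&2; return 1; }
    after=$(cert_id)
    if [ "$before" = "$after" ]; then
        echo "unchanged"
        return 0
    fi
    # Never reload into a broken configuration: the old certificate keeps
    # being served until the configuration is fixed.
    if ! $TEST_CMD; then
        echo "nginx -t failed, not reloading" >&2
        return 2
    fi
    $RELOAD_CMD || return 3
    echo "reloaded"
}

# Call renew_and_reload from a root cron job or run it by hand after "git pull".
```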

In case you face trouble, visit :

https://community.letsencrypt.org


About This Article

Cite this article as: Abhishek Ghosh, "Easy Steps To Setup Let’s Encrypt on Ubuntu 16.04, Nginx," in The Customize Windows, September 7, 2016, April 2, 2023, https://thecustomizewindows.com/2016/09/easy-steps-setup-lets-encrypt-ubuntu-16-04-nginx/.
