Easy Steps To Setup Let’s Encrypt on Ubuntu 16.04, Nginx

Some of the readers of this website asked for a guide on Let’s Encrypt on Ubuntu 16.04. Here Are Easy Steps To Setup Let’s Encrypt on Ubuntu 16.04, Nginx With HSTS, ALPN on HTTP/2, OCSP Stapling, Public Key Pinning (HPKP), Cipher. Needless to say – Let’s Encrypt is free SSL certificate. You need not to read guides on the same various web hosts. They have wrongs and some stuffs are copy-pasted from professional blogs. You will get A+ on SSL Labs with 100 on certificate, 90 on protocol support, 85 on key exchange and 85 on cipher strength.

 

We are showing old method because Ubuntu Xenial has an old version of Certbot packaged for it that lacks a few features. Official documentation is here :

Otherwise we can make it more easy with one command.

 

Prerequisite Steps To Setup Let’s Encrypt on Ubuntu 16.04, Nginx and Follow This Guide

 

You need Ubuntu 16.04 LTS and Nginx-Extras from Ubuntu’s Repo. ALPN support on HTTP/2 needs newest version of OpenSSL. If you have a blank Ubuntu 16.04 LTS server, simply run :

Make sure that you have pointed the domain name via DNS and you can see your website’s default webpage on browser. If you do not have domain, you can read this list of free domain names. Use Hurricane Electric DNS to point. You need one email. Now open the default file :

Add this :

Run :

if successful then :

 

Easy Steps To Setup Let’s Encrypt on Ubuntu 16.04, Nginx

 

We will keep all file names as default path and file names. We are using our domain abhishekghosh.pro in this example. You must change abhishekghosh.pro to your domain name while running the commands. Default root of Nginx is /var/www/html for this Ubuntu 16.04. Change the root path if needed.

Let us run the commands :

As we informed before, we will use the new from repo as Ubuntu repo has old stuff. So we are cloning from https://github.com/letsencrypt/letsencrypt to the directory /opt/letsencrypt. Technically we should clone from https://github.com/certbot/certbot to the directory /opt/certbot. That is not done as you may install Ubuntu package later and name will get confusing plus we will release updated new guide to cover all (you are kept older sounding, but on new!). We will copy all files to /opt/letsencrypt. You should not delete this directory later. Now we will clone the Let’s Encrypt repo :

Keep it in mind – you will run this command on this directory every 15 days or so to get the latest update :

Now we are running command for :

I ran only for the domain abhishekghosh.pro. If I need to add www.abhishekghosh.pro then I can combine that in this way :

Obviously I can run only for www later :

Run the first command (or the third one if www one is your main domain) as with one domain it is easy to troubleshoot. You need real root for all the subdomains. Virtual hosts or cname should be set rightly.

Remember – letsencrypt is old name, it is certbot since May 2016.

After running the command, a wizard will start to prompt, you’ll need to enter an email address that will be used for notices and lost key recovery, you must agree to the Let’s Encrypt Subscribe Agreement. Simple. After these steps you’ll get this output :

At the location /etc/letsencrypt/live/abhishekghosh.pro, we have everything. Let us go there :

/etc/letsencrypt/live/abhishekghosh.pro is symlinked to /etc/letsencrypt/archive. We will generate Diffie-Hellman key (the command will take time to end) :

We will wget this certificate for OSCP stapling :

check the files :

Now, first create a backup.

Change the name abhishekghosh-pro-certs-Sept-2016 to your name and date. again do ls -al, you’ll see the tar ball. First download it via FTP on your computer. We used do it religiously for paid SSL certificates. In some wrong, if all get deleted, site will remain down.

This is the right configuration :

ssl_stapling_verify off is for protecting from error. add_header Public-Key-Pins is commented out because you should read Public-Key-Pins and Public-Key-Pins Reporting guide for their setup. You will do it later. Content-Security-Policy-Report-Only is commented out because you need to read Content-Security-Policy and Content-Security-Policy-Report-Only matters. You can do these two points later.

Your normal virtual hosts file is /etc/nginx/sites-available/default. You have stuffs like :

You will make the copy of the whole stanza and paste at the bottom. You’ll edit to make the second pasted entry’s port as :

Then add the directives (check Nginx official documentation for where to paste it). You need to add a 301 redirection :

Run :

if successful then :

If everything is fine then go to SSL Labs and test your result. After doing the above two, you’ll get correct, optimized settings.

By the way, you need to work to get listed on HTTPS Everywhere. Otherwise HSTS actually not work.
You can see our site on SSL Labs :

 

Problems With Let’s Encrypt Renewal on Ubuntu 16.04, Nginx

 

If you visit the official git :

They clearly written that letsencrypt is old name, it is certbot since May 2016. There are guides which are not updated. You can test renew with dry run :

You can try renew :

In case you face trouble, visit :

Tagged With https://thecustomizewindows com/2016/09/easy-steps-setup-lets-encrypt-ubuntu-16-04-nginx/ , Diffie–Hellman (D-H) key exchange , https://yandex ru/clck/jsredir?from=yandex ru;search;web;;&text=&etext=1831 zEO9mli6tu-U_ZcQ5cqc5B1gKU7dcqknb8dp3qCMciM2OJpKC_6XxP1XWU3SQmpl 8fc6e57c395eb51a85632f8abd6d8b1cd50dff2c&uuid=&state=_BLhILn4SxNIvvL0W45KSic66uCIg23qh8iRG98qeIXme , lets encrypt how to change tls-alpn nginx , lets encrypt nginx django ubuntu 16 04 , lets encrypt on ubuntu 16 04 , letsencrypt ocsp