@dorelljames
Last active November 13, 2024 22:47
SSL via Let's Encrypt (nginx server)

Nginx SSL via Let's Encrypt and acme.sh

This guide walks you through obtaining a valid TLS (SSL) certificate from Let's Encrypt for your site at example.com and wiring it into nginx. The examples run as the root user; if you run them as another user, prefix commands with sudo when you hit permission problems (for example, writing to the webroot or to /etc/ssl).

Pre-requisites

  • Install acme.sh on your server. The installer creates a .acme.sh folder in your home directory and, more importantly, a daily cron job that checks every certificate it manages and renews those that are due.
  • Install the nginx server (the package name differs per distribution; just make sure it is up and running and serving example.com on port 80).

NOTE: acme.sh's webroot validation writes the challenge file under /.well-known/acme-challenge/ inside your document root, and Let's Encrypt fetches it over plain HTTP. A common nginx rule that hides dotfiles also blocks that path, so check your nginx config for a block like this:

location ~ /\. {
  deny all;
  access_log off;
  log_not_found off;
}

Either remove the deny all line, or (better, because that rule also keeps .git, .env, .htpasswd and similar files off the internet) leave it in place and add a more specific location ^~ /.well-known/acme-challenge/ block ahead of it that serves the challenge directory from the same root. A ^~ prefix match takes precedence over the regex, so only the ACME path is opened up.

Issuing a certificate

Command: acme.sh --issue -d example.com -w /srv/www/example.com

where example.com is the main domain the certificate is issued for and /srv/www/example.com is the document root nginx serves for that domain (the root directive in its server block). Add -d www.example.com to cover the www name in the same certificate. acme.sh drops a token file under /srv/www/example.com/.well-known/acme-challenge/, Let's Encrypt fetches it over HTTP, and on success the certificate and private key are placed in ~/.acme.sh/example.com/

NOTE:

  • The DNS A record (and AAAA record, if you publish one) for example.com must point at this server, and port 80 must be reachable from the internet, because the challenge is fetched over plain HTTP.
  • Use sudo if needed.
  • You must have write access to nginx's document root so acme.sh can create the challenge file there.

Sample output of a successful issue (this run used -d example.com -d www.example.com, so both names are verified)

Creating account key
Use default length 2048
Account key exists, skip
Skip register account key
Creating domain key
Use length 2048
Creating csr
Multi domain=DNS:www.example.com
Verify each domain
Getting token for domain=example.com
Getting token for domain=www.example.com
Verifying:example.com
Success
Verifying:www.example.com
Success
Verify finished, start to sign.
Cert success.
-----BEGIN CERTIFICATE-----

-----END CERTIFICATE-----
Your cert is in /root/.acme.sh/example.com/example.com.cer
The intermediate CA cert is in /root/.acme.sh/example.com/ca.cer
And the full chain certs is there: /root/.acme.sh/example.com/fullchain.cer

Updating nginx config

Modify your nginx config and add the following below in your server block.

server {
    listen 443 ssl;
    ssl_certificate /root/.acme.sh/example.com/fullchain.cer; # use fullchain.cer (leaf + intermediate); example.com.cer alone leaves clients without the chain
    ssl_certificate_key /root/.acme.sh/example.com/example.com.key; # private key: readable by root only (chmod 600), never served or committed

    ssl_session_cache shared:SSL:20m;
    ssl_session_timeout 60m;
    ssl_prefer_server_ciphers on;
    ssl_protocols TLSv1.2 TLSv1.3; # TLSv1 and TLSv1.1 are deprecated (RFC 8996) and get penalised by SSL Labs; do not enable them. TLSv1.3 needs nginx 1.13+ built against OpenSSL 1.1.1+

    ## Enable below if you will follow `Improve Security` below
    # Forward-secret AEAD suites only; the older list this replaces still allowed 3DES (DES-CBC3-SHA), Camellia and CBC suites
    # ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384';
    # ssl_dhparam /etc/ssl/certs/dhparams.pem; # only needed for the DHE-* suites above
    # add_header Strict-Transport-Security "max-age=31536000" always; # tells browsers to use https only for a year; enable once the https site works
}

BONUS: Force https config as per below:
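The gist does not include the redirect block itself. The following is an added example (not from the original gist) of a port-80 server block that keeps the ACME challenge path reachable over plain HTTP, so the daily renewal keeps working, leaves the hidden-file deny rule from the pre-requisites in place for everything else, and redirects all other requests to https. The webroot is the gist's /srv/www/example.com; the server_name values are assumed to match your 443 block.

```nginx
# Added example, not part of the original gist. Port-80 server block for
# example.com: serves the HTTP-01 challenge files that acme.sh writes under
# the webroot, keeps other dotfiles blocked, and redirects everything else
# to HTTPS.
server {
    listen 80;
    listen [::]:80;
    server_name example.com www.example.com;   # assumed: same names as the 443 block

    # acme.sh writes tokens to /srv/www/example.com/.well-known/acme-challenge/.
    # "^~" makes this prefix location win over the regex "location ~ /\." below,
    # so the hidden-file deny rule can stay in place for everything else.
    location ^~ /.well-known/acme-challenge/ {
        root /srv/www/example.com;
        default_type text/plain;
    }

    # Keep .git, .env, .htpasswd and friends unreachable.
    location ~ /\. {
        deny all;
        access_log off;
        log_not_found off;
    }

    # Everything else: permanent redirect to HTTPS, preserving host and path.
    location / {
        return 301 https://$host$request_uri;
    }
}
```

Because the challenge is answered on port 80 before the redirect, Let's Encrypt never has to follow the redirect into the 443 block, so the dotfile rule there can stay as is. Check the order with nginx -t and a request to http://example.com/.well-known/acme-challenge/test (expect a 404 from the webroot, not a 403 from the deny rule).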

Improve security

To improve security, generate Diffie-Hellman parameters for the DHE cipher suites. Both the ECDHE and the DHE suites give you forward secrecy; only DHE needs this file, so if your cipher list is ECDHE-only the dhparam file is never used.

cd /etc/ssl/certs/
openssl dhparam -out dhparams.pem 4096

NOTE: If you follow this step, uncomment the needed lines in the nginx config above. Generating 4096-bit parameters takes a long time on most servers (2048 bits is the common choice and is far quicker to generate), so grab a coffee. :)

Voila! Success

Test and reload nginx server

nginx -t
service nginx reload

or whatever the equivalent is for your distro (for example systemctl reload nginx). Only reload after nginx -t reports the configuration is OK; a reload with a broken config can leave nginx down.

Testing SSL quality at Qualys SSL Labs

https://www.ssllabs.com/ssltest/analyze.html?d=example.com or open https://www.ssllabs.com/ssltest/ and type in your https site URL. The report flags deprecated protocol versions, weak ciphers, an incomplete certificate chain and a missing HSTS header, which is exactly what the nginx settings above are meant to get right.

Visit your site at https://example.com and you should see it properly without errors if everything went well.

Transferring location of certificates

acme.sh treats ~/.acme.sh as its internal working directory, and the files in it should not be referenced directly by other services. If you want nginx to read the certificate from another location, install it with acme.sh --install-cert, which copies the key and full chain to paths you choose and records a reload command that acme.sh runs after every renewal, and make the corresponding update in your nginx config file.
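The following is an added example, not code from the original gist or from the acme.sh project, of deploying the certificate to a stable path with acme.sh --install-cert and checking what nginx is about to load. It assumes acme.sh is on PATH, that /etc/nginx/ssl/<domain> is the location you picked for nginx, that "service nginx force-reload" is how nginx is reloaded on this host, and that openssl is installed; DOMAIN and CERT_DIR can be overridden through the environment.

```shell
#!/bin/sh
# Added example, not from the original gist or from the acme.sh project.
# Copies an issued certificate to a stable location with acme.sh --install-cert
# (so nginx never reads ~/.acme.sh directly), locks down the private key and
# checks that the deployed key and chain are consistent.
# Assumptions: acme.sh is on PATH, CERT_DIR (/etc/nginx/ssl/<domain>) is the
# location you picked for nginx, "service nginx force-reload" is the reload
# command on this host, and openssl is installed.
set -eu

DOMAIN="${DOMAIN:-example.com}"
CERT_DIR="${CERT_DIR:-/etc/nginx/ssl/$DOMAIN}"

# Restrict a private key to its owner (mode 0600). Returns 0 only if the
# resulting mode is exactly -rw-------. Ownership is left alone so the
# function also works when not running as root.
harden_key_perms() {
    chmod 600 "$1"
    case "$(ls -l "$1" | cut -c1-10)" in
        -rw-------) return 0 ;;
        *)          return 1 ;;
    esac
}

# Guard against the classic mix-up of pointing ssl_certificate_key at the
# chain: a key file must hold a PRIVATE KEY block and no CERTIFICATE block.
looks_like_private_key() {
    grep -qE '^-----BEGIN (RSA |EC )?PRIVATE KEY-----' "$1" || return 1
    if grep -q '^-----BEGIN CERTIFICATE-----' "$1"; then
        return 1
    fi
    return 0
}

# Confirm the certificate and key belong together by comparing the public
# key embedded in the certificate with the one derived from the private key.
# Returns 0 on match, 1 otherwise.
cert_matches_key() {
    cert_pub="$(openssl x509 -in "$1" -noout -pubkey)"
    key_pub="$(openssl pkey -in "$2" -pubout)"
    [ "$cert_pub" = "$key_pub" ]
}

deploy() {
    key="$CERT_DIR/$DOMAIN.key"
    chain="$CERT_DIR/fullchain.cer"
    mkdir -p "$CERT_DIR"
    chmod 700 "$CERT_DIR"

    # acme.sh records these paths and the reload command, and re-runs the copy
    # plus the reload after every successful renewal from its cron job. Putting
    # nginx -t in front of the reload means a broken config never takes the
    # server down during an unattended renewal.
    acme.sh --install-cert -d "$DOMAIN" \
        --key-file "$key" \
        --fullchain-file "$chain" \
        --reloadcmd "nginx -t && service nginx force-reload"

    harden_key_perms "$key" || { echo "could not set 0600 on $key" >&2; exit 1; }
    looks_like_private_key "$key" || { echo "$key is not a private key" >&2; exit 1; }
    cert_matches_key "$chain" "$key" || { echo "certificate/key mismatch" >&2; exit 1; }

    # Show what was deployed: subject, issuer and validity window.
    openssl x509 -in "$chain" -noout -subject -issuer -dates
}

# Only deploy when asked explicitly (assumed file name deploy-cert.sh):
#   sh deploy-cert.sh deploy
if [ "${1:-}" = "deploy" ]; then
    deploy
fi
```

After running it, point ssl_certificate and ssl_certificate_key in the 443 server block at the two files under /etc/nginx/ssl/example.com instead of the ~/.acme.sh paths; from then on renewals copy fresh files into place and reload nginx without any manual step.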
