This guide walks you through installing a valid SSL/TLS certificate on your server for your site at example.com.
This example runs as the root user; you may need to use sudo if you run into problems such as missing write permissions.
- Install acme.sh on your server. This creates an acme.sh folder in your home directory and, more importantly, an everyday cron job that checks your certificates and renews them when needed.
- Install the nginx server (this differs per distribution, so just make sure you have it up and running).
NOTE: It is important that you don't deny access to hidden files in your web root, because the HTTP validation serves the challenge file from the hidden .well-known directory. Check your nginx config file for a block like this:
location ~ /\. {
deny all;
access_log off;
log_not_found off;
}
and remove the deny all line from it (alternatively, keep that block and add a separate location that allows /.well-known/acme-challenge/, so only the challenge path is exposed rather than every hidden file).
Command: acme.sh --issue -d example.com -w /srv/www/example.com
where example.com is the main domain we issue the certificate for and /srv/www/example.com is the root directory from your nginx configuration (the web root acme.sh writes the challenge file to).
Generated/issued certs will be placed in ~/.acme.sh/example.com/
NOTE:
- Your domain's A record must point to this server.
- Use sudo if needed.
- You must have write access to nginx's root folder.
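As an added example (not part of acme.sh or of this guide), the script below rehearses what the ACME server's HTTP validation will do for the issue step above: it writes a constructed token under .well-known/acme-challenge/ in the web root, fetches it over plain HTTP the way the CA would, and compares the body. A failure to write is the "use sudo" case from the notes; a 403 on the fetch is the hidden-file deny all block from the earlier NOTE. The script name preflight.sh, the throwaway token format and the requirement that curl is installed are assumptions.

```shell
#!/bin/sh
# Added pre-flight check for acme.sh HTTP-01 webroot validation (not part of acme.sh).
# Assumes: DOMAIN and WEBROOT are passed as arguments and curl is installed.
# The CA fetches http://DOMAIN/.well-known/acme-challenge/TOKEN and expects the
# file acme.sh drops into WEBROOT/.well-known/acme-challenge/TOKEN.

# On-disk path of a challenge token under the web root.
challenge_path() {
    printf '%s/.well-known/acme-challenge/%s\n' "$1" "$2"
}

# URL the CA will fetch for the same token (plain HTTP, never HTTPS).
challenge_url() {
    printf 'http://%s/.well-known/acme-challenge/%s\n' "$1" "$2"
}

# Write a constructed token file the same way acme.sh does; fails if the
# web root is not writable by the current user.
place_token() {
    webroot=$1; token=$2; body=$3
    dir="$webroot/.well-known/acme-challenge"
    mkdir -p "$dir" || return 1
    printf '%s' "$body" > "$dir/$token" || return 1
    [ "$(cat "$dir/$token")" = "$body" ]
}

# Fetch the token over HTTP as the CA would and compare the body.
# A 403 here usually means a `location ~ /\. { deny all; }` block is in the way.
fetch_matches() {
    domain=$1; token=$2; body=$3
    got=$(curl -fsS --max-time 10 "$(challenge_url "$domain" "$token")") || return 1
    [ "$got" = "$body" ]
}

preflight() {
    domain=$1; webroot=$2
    token="preflight-$(date +%s)-$$"     # constructed, throwaway token name
    body="acme-preflight-$token"         # constructed body, unique per run
    place_token "$webroot" "$token" "$body" || { echo "FAIL: cannot write to $webroot"; return 1; }
    if fetch_matches "$domain" "$token" "$body"; then
        echo "OK: $domain serves $(challenge_url "$domain" "$token")"
        rc=0
    else
        echo "FAIL: the CA would not be able to read the challenge file"
        rc=1
    fi
    rm -f "$(challenge_path "$webroot" "$token")"   # always clean up the token
    return $rc
}

# Usage: sh preflight.sh example.com /srv/www/example.com
if [ "$#" -eq 2 ]; then
    preflight "$1" "$2"
fi
```

Run it as the same user that will run acme.sh, so that the write check reflects the permissions acme.sh will actually have.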
Creating account key
Use default length 2048
Account key exists, skip
Skip register account key
Creating domain key
Use length 2048
Creating csr
Multi domain=DNS:www.example.com.com
Verify each domain
Getting token for domain=example.com.com
Getting token for domain=www.example.com.com
Verifying:example.com.com
Success
Verifying:www.example.com.com
Success
Verify finished, start to sign.
Cert success.
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
Your cert is in /root/.acme.sh/example.com.com/example.com.com.cer
The intermediate CA cert is in /root/.acme.sh/example.com.com/ca.cer
And the full chain certs is there: /root/.acme.sh/example.com.com/fullchain.cer
Modify your nginx config and add the following to your server block.
server {
listen 443 ssl;
ssl_certificate /root/.acme.sh/example.com/fullchain.cer; # use fullchain.cer so clients also receive the intermediate CA cert
ssl_certificate_key /root/.acme.sh/example.com/example.com.key; # keep this private as much as possible (readable by root only)
ssl_session_cache shared:SSL:20m;
ssl_session_timeout 60m;
ssl_prefer_server_ciphers on;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # TLSv1 and TLSv1.1 are deprecated; drop them unless you must support legacy clients
## Enable the lines below if you will follow `Improve Security` below
# ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
# ssl_dhparam /etc/ssl/certs/dhparams.pem;
# add_header Strict-Transport-Security max-age=31536000;
}
BONUS: Force https config as per below:
Improve Security: to get forward secrecy, generate Diffie-Hellman ephemeral (DHE) parameters:
cd /etc/ssl/certs/
openssl dhparam -out dhparams.pem 4096
NOTE: If you follow this step, uncomment the needed lines in the nginx config above. But hey, grab a coffee; generating 4096-bit parameters will surely take a while. :)
Test the configuration and reload nginx:
nginx -t
service nginx reload
or the equivalent for your distro.
Test your configuration with SSL Labs: https://www.ssllabs.com/ssltest/analyze.html?d=example.com (or go to the SSL Labs test page and type in your https site URL).
Visit your site at https://example.com; if everything went well, you should see it load without certificate errors.
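Before trusting the reload and the SSL Labs result, it helps to check the files nginx was pointed at directly on the box. The script below is an added example, not part of acme.sh, nginx or this guide: it confirms that the private key belongs to the certificate, that the certificate actually lists the hostname in its subjectAltName (what browsers match on), that it is not about to expire (which would mean the daily renew cron job is not working) and that the leaf chains to a trusted root through ca.cer. It assumes openssl is installed, that the directory argument follows the acme.sh layout shown above (~/.acme.sh/<domain>/ containing <domain>.cer, <domain>.key, ca.cer and fullchain.cer), and the script name certcheck.sh.

```shell
#!/bin/sh
# Added post-issue consistency check (not part of acme.sh or nginx).
# Assumes openssl is installed and the argument is an acme.sh domain directory.

# Return 0 if certificate $1 stays valid for at least $2 more days (default 14).
# acme.sh renews well before that, so a failure here means renewal is broken.
valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( ${2:-14} * 86400 )) >/dev/null 2>&1
}

# Return 0 if private key $2 belongs to certificate $1. Both sides are turned
# into the same SubjectPublicKeyInfo PEM, so a straight string compare suffices.
key_matches_cert() {
    cpub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    kpub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$cpub" ] && [ "$cpub" = "$kpub" ]
}

# Return 0 if certificate $1 lists hostname $2 in its subjectAltName.
# The CN alone is not enough: modern browsers only look at the SAN list.
cert_has_san() {
    pat=$(printf '%s' "$2" | sed 's/\./\\./g')   # escape dots for the regex
    openssl x509 -in "$1" -noout -text 2>/dev/null \
        | grep -A1 'Subject Alternative Name' \
        | grep -qE "DNS:${pat}(,|$)"
}

# Return 0 if leaf $1 chains to a root in the system trust store via the
# intermediate(s) in $2. Needs a real CA-issued cert, so it is not exercised
# by the offline test; a failure usually means ca.cer is stale or missing.
chain_verifies() {
    openssl verify -untrusted "$2" "$1" >/dev/null 2>&1
}

# Usage: sh certcheck.sh /root/.acme.sh/example.com
if [ "$#" -eq 1 ]; then
    dir=$1; dom=$(basename "$dir"); rc=0
    valid_for_days "$dir/$dom.cer" 14 || { echo "WARN: $dom.cer expires within 14 days"; rc=1; }
    key_matches_cert "$dir/$dom.cer" "$dir/$dom.key" || { echo "FAIL: $dom.key does not match $dom.cer"; rc=1; }
    cert_has_san "$dir/$dom.cer" "$dom" || { echo "FAIL: $dom.cer does not cover $dom"; rc=1; }
    chain_verifies "$dir/$dom.cer" "$dir/ca.cer" || { echo "FAIL: chain does not verify against ca.cer"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK: $dom certificate, key and chain are consistent"
    exit "$rc"
fi
```

The key-match and SAN checks catch the two mistakes that survive a successful nginx -t: pointing ssl_certificate_key at a key from a different run, and issuing for example.com only while serving www.example.com as well.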
If you need to copy the certificate to another location, do so and make the corresponding path updates in your nginx config file.