SaKKo
Using Let's Encrypt free SSL on Ubuntu Server and Nginx (wildcard included)

Hi, I'm just moving my notes from gitbook (legacy) to dev.to. I love it here: it's markdown and it's quick. I hope you find this useful.

Installation

All you need is certbot:

https://certbot.eff.org/all-instructions
or, more specifically for Ubuntu 18.04,
https://certbot.eff.org/lets-encrypt/ubuntubionic-apache.html

These are the installation instructions:

```bash
sudo apt-get update
sudo apt-get install software-properties-common
sudo add-apt-repository universe
sudo add-apt-repository ppa:certbot/certbot
sudo apt-get update
sudo apt-get install certbot
```

NOTE: I didn't include python-certbot-apache because I like to do things on my own and I usually use Nginx.

For single domain

I'm assuming you are using the normal config path for nginx, which should be /etc/nginx/sites-enabled.

So, we will create a new file called /etc/nginx/sites-enabled/letsencrypt.conf (you should create it in sites-available and symlink it into sites-enabled).

This should be the content of letsencrypt.conf:

```nginx
server {
  listen 80 default_server;
  server_name _;
  index index.html index.htm index.nginx-debian.html;
  root /var/www/html;
  # HTTP-01 challenge files must stay reachable over plain HTTP
  location ^~ /.well-known/acme-challenge {
    allow all;
    default_type "text/plain";
  }
  location / {
    return 301 https://$host$request_uri;
  }
}
```

This makes sure that every request on port 80 for a path under /.well-known/acme-challenge is served from /var/www/html, which is where certbot writes the challenge files.

Any other path is redirected to HTTPS on port 443.

Now you need to set up DNS for the domain you want. It should be an A record pointing at this server. Note: change www.example.com and x.x.x.x to your domain and your server's IP.

```text
www.example.com     A     x.x.x.x
```

DNS propagation may take a second or a while, depending on your luck. Just test the record on https://dnschecker.org/

Once dnschecker shows the correct result, you just need to run

```bash
sudo certbot certonly --webroot -w /var/www/html -d www.example.com
```

You should get the chain and key located here:

```text
/etc/letsencrypt/live/www.example.com/fullchain.pem
/etc/letsencrypt/live/www.example.com/privkey.pem
```

Generate DH parameters to use with the ssl_dhparam directive (this takes a few minutes):

```bash
sudo mkdir /etc/nginx/dhparams
sudo openssl dhparam -out /etc/nginx/dhparams/dhparams.pem 2048
```

Example nginx config /etc/nginx/sites-enabled/www.example.com.conf

```nginx
server {
    ssl_prefer_server_ciphers on;

    # Add HSTS
    add_header Strict-Transport-Security "max-age=31536000; includeSubdomains";
    client_max_body_size 20M;
    # "listen 443 ssl" replaces the deprecated "ssl on;" directive
    listen       443 ssl;
    server_name  www.example.com;
    root /home/ubuntu/your_app;

    ssl_certificate /etc/letsencrypt/live/www.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/www.example.com/privkey.pem;
    ssl_dhparam /etc/nginx/dhparams/dhparams.pem; # you need to generate this if you want to use dhparam

    # TLS 1.2+ only (rules out SSLv3/POODLE and TLS 1.0/1.1)
    ssl_protocols TLSv1.2 TLSv1.3;

    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';

}
```

For wildcard

You need to run this command first (don't forget to change *.example.com to your domain):

```bash
sudo certbot certonly --manual -d *.example.com --agree-tos --manual-public-ip-logging-ok --preferred-challenges dns-01 --server https://acme-v02.api.letsencrypt.org/directory
```

You will get instructions on how to set up a TXT DNS record. Once you have created the TXT record, confirm on https://dnschecker.org/ that it has propagated before hitting enter; certbot validates as soon as you continue, and a record that isn't visible yet fails the challenge.

If nothing goes wrong, you should get the wildcard certificate at these paths (note the directory is named example.com, not *.example.com):

```text
/etc/letsencrypt/live/example.com/fullchain.pem
/etc/letsencrypt/live/example.com/privkey.pem
```

You just have to setup nginx accordingly and it should be done.
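Before pointing nginx at the wildcard files, it is worth checking that the issued fullchain.pem really covers every name you serve: a wildcard from `-d *.example.com` matches `www.example.com` but neither the bare `example.com` nor `a.b.example.com`, so the apex needs its own `-d example.com` on the certbot command. The checker below is an added example, not part of the original note; it assumes the `openssl` CLI is on PATH (it is on Ubuntu) and reads the certbot paths shown above.

```python
#!/usr/bin/env python3
"""Check that a Let's Encrypt fullchain.pem covers the hostnames nginx serves.

Wildcard rules are the ones Let's Encrypt issues under: '*' must be the whole
leftmost label and matches exactly one label.
"""
import subprocess
import sys


def parse_san_names(san_text):
    """Turn 'DNS:*.example.com, DNS:example.com' into ['*.example.com', 'example.com']."""
    names = []
    for entry in san_text.split(","):
        entry = entry.strip()
        if entry.upper().startswith("DNS:"):
            names.append(entry[4:].strip().lower())
    return names


def covered_by(hostname, san_names):
    """True if hostname matches one SAN entry, exact or single-label wildcard."""
    host = hostname.lower().rstrip(".")
    for name in san_names:
        name = name.lower().rstrip(".")
        if name == host:
            return True
        if name.startswith("*.") and host.endswith(name[1:]):
            # the part replacing '*' must be exactly one non-empty label
            prefix = host[: -len(name[1:])]
            if prefix and "." not in prefix:
                return True
    return False


def cert_san_names(fullchain_path):
    """Read the leaf certificate's subjectAltName via the openssl CLI (assumed on PATH)."""
    out = subprocess.run(["openssl", "x509", "-in", fullchain_path, "-noout", "-text"],
                         check=True, capture_output=True, text=True).stdout
    lines = out.splitlines()
    for i, line in enumerate(lines):
        # the DNS list is printed on the line after the extension header
        if "Subject Alternative Name" in line and i + 1 < len(lines):
            return parse_san_names(lines[i + 1])
    return []


if __name__ == "__main__":
    # usage: check_cert.py /etc/letsencrypt/live/example.com/fullchain.pem example.com www.example.com
    sans = cert_san_names(sys.argv[1])
    for host in sys.argv[2:]:
        print(host, "covered" if covered_by(host, sans) else "NOT covered", "by", sans)
```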

I'm sure there are better ways than this, but this is my old note.
If anyone has better instructions, please let me know so I can share them with others as well.
