
[Tutorial] Free SSL from LetsEncrypt | Setup for Nginx 1.9.x

bee

💖 Chevereto Fan
This is a small tutorial to get free SSL certificates from LetsEncrypt.org

# Information
Google improves the ranking of SSL-secured websites. Visitors also feel better when they use a secured service.

You can buy cheap SSL certificates (valid for 1 year) from Namecheap for less than 10 dollars a year.

For a while now there has been a new service: https://letsencrypt.org/
They offer SSL certificates for free. The certificates are valid for 3 months and must then be renewed.

To create LE SSL certs I use a plugin, because it does all the work for me. It also creates cron jobs for automatic renewal of the certificates.
https://github.com/Neilpang/le

# Requirements

- SSH and root access and OpenSSL installed
- GIT
- IP address for your domain (NO shared IP)
- Nginx 1.9.x
- Debian 7.x and above or Ubuntu 14.04 and above


# Disclaimer

Use this tutorial at your own risk - no warranty or support provided!

#####################################################################

Step 1

Open your terminal, log in to your server through SSH and change to your root directory, if you are not already in it:

Code:
cd ~root


Step 2

Install GIT, if not already installed:

Code:
apt-get install git


Step 3

Clone and install a Plugin for LetsEncrypt.

Code:
git clone https://github.com/Neilpang/le.git

cd le

./le.sh install

Step 4

If installation is successful you will see this:

Code:
root:~/le# ./le.sh install

Installing to /root/.le
Installed to /root/.le/le.sh
OK, Close and reopen your terminal to start using le
Installing cron job
no crontab for root
no crontab for root
OK

Now close your terminal and open it again!


Step 5

Check the server config for your domain. If you have added

Code:
  location ~ /\. {
    deny all;
    access_log off;
    log_not_found off;
  }

change that to

Code:
  location ~ /\. {
    access_log off;
    log_not_found off;
  }

or delete it completely.

LetsEncrypt generates a folder in your webroot that starts with a dot (http://yourdomain.com/.well-known/acme-challenge/) and if there is no access to it, you cannot get a certificate.


Step 6

Get a certificate for your domain. Start with the following command:

Code:
le issue /path/to/your/webroot  yourdomain.com  www.yourdomain.com

I just use the "issue" parameter - because I want to install the cert manually to my server.
Add the path to your webroot and add your domain name - without www and with www


That's the output:

Code:
root:~/le# le issue /path/to/your/webroot  yourdomain.com  www.yourdomain.com
Creating account key
Use default length 2048
Account key exists, skip
Skip register account key
Creating domain key
Use length 2048
Creating csr
Multi domain=DNS:www.yourdomain.com
Verify each domain
Getting token for domain=yourdomain.com
Getting token for domain=www.yourdomain.com
Verifying:yourdomain.com
Success
Verifying:www.yourdomain.com
Success
Verify finished, start to sign.
Cert success.
-----BEGIN CERTIFICATE-----

-----END CERTIFICATE-----
Your cert is in /root/.le/yourdomain.com/yourdomain.com.cer
The intermediate CA cert is in /root/.le/yourdomain.com/ca.cer
And the full chain certs is there: /root/.le/yourdomain.com/fullchain.cer


Step 7 (optional)

To improve the security, generate "Forward Secrecy & Diffie Hellman Ephemeral Parameters":

Change to the directory

Code:
cd /etc/ssl/certs/

and run

Code:
openssl dhparam -out dhparam.pem 4096

Now you can go to your kitchen and take a coffee. Creation of the file will take a few minutes.


Step 8

Open your server config file for your domain

Code:
nano /etc/nginx/conf.d/yourdomain.com.conf

and change the settings as follows.

Add a second server part for port 80 and for redirect to port 443:

Code:
server{
  listen 80;
  server_name yourdomain.com www.yourdomain.com;
  return 301 https://www.yourdomain.com$request_uri;
}

Change your existing settings and add the following code:

Code:
  listen 443 ssl http2;
  server_name www.yourdomain.com;
  ssl_certificate  /root/.le/yourdomain.com/yourdomain.com.cer;
  ssl_certificate_key /root/.le/yourdomain.com/yourdomain.com.key;
  ssl_session_cache shared:SSL:20m;
  ssl_session_timeout 60m;
  ssl_prefer_server_ciphers on;
  ssl_ciphers ECDH+AESGCM:ECDH+AES256:ECDH+AES128:DH+3DES:!ADH:!AECDH:!MD5;
  ssl_dhparam /etc/ssl/certs/dhparam.pem;
  ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
  add_header Strict-Transport-Security "max-age=31536000" always;

If you did NOT generate the dhparam file, remove

Code:
ssl_dhparam /etc/ssl/certs/dhparam.pem;

from the code.

Don't just delete your existing settings - just change the listen parameter and add the SSL code.


Save your settings and restart your server.

Code:
root:~/le# service nginx restart

If everything is fine, your webserver is now available at

https://www.yourdomain.com


Good luck ...

Torsten
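
The Step 5 and Step 8 settings in a more restrictive form, as an added example that is not part of the original post: it keeps the dotfile block and opens only the ACME challenge path, serves the full chain file from the Step 6 output, and drops TLS 1.0/1.1 and 3DES. Paths and domain names are the tutorial's placeholders; that all of your clients support TLS 1.2 is an assumption.

```nginx
# Added example, not from the original post.
# Paths and names are the tutorial's placeholders.
server {
    listen 443 ssl http2;
    server_name www.yourdomain.com;

    # Leaf certificate plus intermediate CA (fullchain.cer from the
    # Step 6 output), so clients can build the chain themselves.
    ssl_certificate     /root/.le/yourdomain.com/fullchain.cer;
    ssl_certificate_key /root/.le/yourdomain.com/yourdomain.com.key;

    ssl_session_cache   shared:SSL:20m;
    ssl_session_timeout 60m;
    ssl_prefer_server_ciphers on;

    # TLS 1.0 and 1.1 removed. TLSv1.3 can be appended on
    # nginx 1.13.0+ built against OpenSSL 1.1.1.
    ssl_protocols TLSv1.2;

    # Step 8 list with DH+3DES dropped; DH+AESGCM added so the
    # dhparam file from Step 7 is still used.
    ssl_ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:ECDH+AES128:!ADH:!AECDH:!MD5;
    ssl_dhparam /etc/ssl/certs/dhparam.pem;  # remove if Step 7 was skipped

    add_header Strict-Transport-Security "max-age=31536000" always;

    root /path/to/your/webroot;

    # Prefix match with ^~: nginx does not evaluate the regex
    # location below for challenge requests.
    location ^~ /.well-known/acme-challenge/ {
        default_type text/plain;
    }

    # Every other dot path (.git, .htaccess, ...) stays blocked.
    location ~ /\. {
        deny all;
        access_log off;
        log_not_found off;
    }
}
```

Check the file with `nginx -t` before restarting the server.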
 
Nice one. I see a lot of people using Chevereto and CloudFlare Free SSL but what they don't know is that those SSL certificates don't work with older browsers and computers so it will make your website inaccessible.
 