bee
💖 Chevereto Fan
This is a small tutorial on getting free SSL certificates from LetsEncrypt.org
# Information
Google improves the ranking of SSL-secured websites. Visitors also feel better when they use a secured service.
You can buy cheap SSL certificates (valid for 1 year) from Namecheap for less than 10 dollars a year.
A while ago a new service started: https://letsencrypt.org/
They offer SSL certificates for free. The certificates are valid for 3 months and must then be renewed.
To create LE SSL certificates I use a plugin, because it does all the work for me. It also creates cron jobs for automatic renewal of the certificates.
https://github.com/Neilpang/le
# Requirements
- SSH and root access, and OpenSSL installed
- Git
- an IP address for your domain (NO shared IP)
- Nginx 1.9.x
- Debian 7.x and above or Ubuntu 14.04 and above
# Disclaimer
Use this tutorial at your own risk - no warranty or support provided!
#####################################################################
Step 1
Open your terminal, log in to your server through SSH and change to the root user's home directory, if you are not already there:
Code:
cd ~root
Step 2
Install Git, if it is not already installed:
Code:
apt-get install git
Step 3
Clone and install the plugin for Let's Encrypt.
Code:
git clone https://github.com/Neilpang/le.git
cd le
./le.sh install
Step 4
If the installation is successful you will see this:
Code:
root:~/le# ./le.sh install
Installing to /root/.le
Installed to /root/.le/le.sh
OK, Close and reopen your terminal to start using le
Installing cron job
no crontab for root
no crontab for root
OK
Now close your terminal and open it again!
Step 5
Check the server config of your domain. If you have added
Code:
location ~ /\. {
deny all;
access_log off;
log_not_found off;
}
change that to
Code:
location ~ /\. {
access_log off;
log_not_found off;
}
or delete it completely.
Let's Encrypt creates a folder in your webroot that starts with a dot (http://yourdomain.com/.well-known/acme-challenge/), and if that folder is not accessible you cannot get a certificate.
Step 6
Get a certificate for your domain. Start with the following command:
Code:
le issue /path/to/your/webroot yourdomain.com www.yourdomain.com
I just use the "issue" parameter, because I want to install the cert manually on my server.
Add the path to your webroot and your domain name, both without www and with www.
This is the output:
Code:
root:~/le# le issue /path/to/your/webroot yourdomain.com www.yourdomain.com
Creating account key
Use default length 2048
Account key exists, skip
Skip register account key
Creating domain key
Use length 2048
Creating csr
Multi domain=DNS:www.yourdomain.com
Verify each domain
Getting token for domain=yourdomain.com
Getting token for domain=www.yourdomain.com
Verifying:yourdomain.com
Success
Verifying:www.yourdomain.com
Success
Verify finished, start to sign.
Cert success.
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
Your cert is in /root/.le/yourdomain.com/yourdomain.com.cer
The intermediate CA cert is in /root/.le/yourdomain.com/ca.cer
And the full chain certs is there: /root/.le/yourdomain.com/fullchain.cer
Step 7 (optional)
To improve security, generate the "Forward Secrecy & Diffie-Hellman Ephemeral Parameters":
Change to the directory
Code:
cd /etc/ssl/certs/
and run
Code:
openssl dhparam -out dhparam.pem 4096
Now you can go to your kitchen and get a coffee. Creating the file will take a few minutes.
Step 8
Open the server config file for your domain
Code:
nano /etc/nginx/conf.d/yourdomain.com.conf
and change the settings as follows.
Add a second server block for port 80 that redirects to port 443:
Code:
server{
listen 80;
server_name yourdomain.com www.yourdomain.com;
return 301 https://www.yourdomain.com$request_uri;
}
Change your existing settings and add the following code:
Code:
listen 443 ssl http2;
server_name www.yourdomain.com;
ssl_certificate /root/.le/yourdomain.com/yourdomain.com.cer;
ssl_certificate_key /root/.le/yourdomain.com/yourdomain.com.key;
ssl_session_cache shared:SSL:20m;
ssl_session_timeout 60m;
ssl_prefer_server_ciphers on;
ssl_ciphers ECDH+AESGCM:ECDH+AES256:ECDH+AES128:DH+3DES:!ADH:!AECDH:!MD5;
ssl_dhparam /etc/ssl/certs/dhparam.pem;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
add_header Strict-Transport-Security "max-age=31536000" always;
If you did NOT generate the dhparam file, remove
Code:
ssl_dhparam /etc/ssl/certs/dhparam.pem;
from the code.
Don't simply delete your existing settings - just change the listen parameter and add the SSL code.
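As an added check (an example script, not part of the tutorial or of the le plugin), here is a POSIX shell audit that reads an nginx server block and reports the Step 5 dot-file "deny all" location that would block the ACME challenge directory, and, in the Step 8 TLS settings, enabled TLSv1/TLSv1.1, an enabled 3DES cipher group and a missing HSTS header. Both configs inside it are constructed: the first mirrors the tutorial's settings, the second is a hardened variant I assume rather than anything from the tutorial.

```shell
#!/bin/sh
# Offline audit of an nginx server block for the pitfalls this tutorial walks through: a dot-file "deny all"
# location that also blocks /.well-known/acme-challenge/ (Step 5) and, in the Step 8 TLS settings, legacy
# TLS versions, an enabled 3DES cipher group and a missing HSTS header. Both configs below are constructed.
WEAK_CONF=$(mktemp)   # mirrors the tutorial's settings before the fixes
cat > "$WEAK_CONF" <<'EOF'
server {
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers ECDH+AESGCM:ECDH+AES256:ECDH+AES128:DH+3DES:!ADH:!AECDH:!MD5;
    location ~ /\. { deny all; access_log off; log_not_found off; }
}
EOF
HARDENED_CONF=$(mktemp)   # assumed hardened variant: challenge path served explicitly, TLS 1.2 only, 3DES excluded, HSTS set
cat > "$HARDENED_CONF" <<'EOF'
server {
    ssl_protocols TLSv1.2;
    ssl_ciphers ECDH+AESGCM:ECDH+AES256:ECDH+AES128:!ADH:!AECDH:!MD5:!3DES;
    add_header Strict-Transport-Security "max-age=31536000" always;
    location ^~ /.well-known/acme-challenge/ { allow all; }
    location ~ /\. { deny all; access_log off; log_not_found off; }
}
EOF
trap 'rm -f "$WEAK_CONF" "$HARDENED_CONF"' EXIT
# audit_nginx_conf FILE: prints one finding per line; exit status 0 only when nothing was found.
audit_nginx_conf() {
    conf="$1"; n=0
    # 1. "deny all" inside "location ~ /\." also covers the ACME challenge directory, unless an
    #    explicit acme-challenge location exists (nginx prefers a "^~" prefix match over the regex).
    if sed -n '/location[[:space:]]*~[[:space:]]*\/\\\./,/}/p' "$conf" | grep -q 'deny[[:space:]]*all' \
       && ! grep -q 'location.*well-known/acme-challenge' "$conf"; then
        echo "dotfile-deny: dot-file location with 'deny all' also blocks /.well-known/acme-challenge/"; n=$((n+1))
    fi
    # 2. TLSv1 or TLSv1.1 enabled (the pattern leaves TLSv1.2 and TLSv1.3 alone).
    if grep -Eq 'ssl_protocols[^;]*TLSv1(\.1)?([[:space:]]|;)' "$conf"; then
        echo "legacy-tls: ssl_protocols still enables TLSv1/TLSv1.1"; n=$((n+1))
    fi
    # 3. A 3DES cipher group that is not excluded with a leading "!".
    ciphers=$(sed -n 's/^[[:space:]]*ssl_ciphers[[:space:]]*\([^;]*\);.*/\1/p' "$conf")
    if echo "$ciphers" | tr ':' '\n' | grep -q '^[^!].*3DES'; then
        echo "weak-cipher: ssl_ciphers enables a 3DES group"; n=$((n+1))
    fi
    # 4. No HSTS header at all.
    if ! grep -q 'Strict-Transport-Security' "$conf"; then
        echo "no-hsts: no Strict-Transport-Security header"; n=$((n+1))
    fi
    [ "$n" -eq 0 ]
}
echo "--- weak ---"; audit_nginx_conf "$WEAK_CONF" || true
echo "--- hardened ---"; audit_nginx_conf "$HARDENED_CONF" && echo "no findings"
```

To check your own file, call `audit_nginx_conf /etc/nginx/conf.d/yourdomain.com.conf` after the function definition instead of the two sample runs.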
Save your settings and restart your server.
Code:
root:~/le# service nginx restart
If everything is fine, your webserver is now available at
https://www.yourdomain.com
Good luck ...
Torsten