How to install letsencrypt SSL certificates for Nginx server block on Debian Jessie

Tuesday April 26, 2016. Last updated May 06, 2016 17:14:03
Let's Encrypt

Let's Encrypt (letsencrypt) is a new Certificate Authority (CA) that provides an easy way to obtain and install free, browser-trusted TLS/SSL certificates, thereby enabling encrypted HTTPS on web servers. It simplifies the process by providing a software client, letsencrypt, that automates most, if not all, of the required setup steps.

This demonstration shows how to install a Let's Encrypt certificate on an existing, already running Nginx server on Debian Jessie by creating a new server block (virtual host) for a subdomain.

Let us begin by fetching the letsencrypt client:

apt-get update
apt-get install git bc
git clone https://github.com/letsencrypt/letsencrypt /opt/letsencrypt

Use Webroot plugin

The webroot plugin is the authenticator during the certificate request: it proves to the CA that you control the domain by writing a challenge file under the hidden directory .well-known/acme-challenge in the document root of a site that is already being served, which the CA then fetches over plain HTTP on port 80. That is why it is the right choice for a running server: Nginx never has to stop. In our case the existing root is /usr/share/nginx/html. The client creates the directory itself when it runs; creating it beforehand only lets you check that it is writable by the user running the client and readable by Nginx.

cd /usr/share/nginx/html
mkdir .well-known

Let's go back to our config and add the following to your existing default server block that listens on port 80, so that the challenge path is always served from that root and is never caught by another location (for example one that denies access to dotfiles). Usually the file you edit is /etc/nginx/sites-enabled/default. This may be different if you changed the default installation.

location ^~ /.well-known/acme-challenge/ {
    allow all;
    root /usr/share/nginx/html;   # the same directory you will pass as --webroot-path
}

Save and exit and then reload Nginx configuration.

/etc/init.d/nginx reload
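Before running the request it is worth proving that Nginx really serves that path from that root, which is exactly what the CA is about to do. The script below is an added example and is not part of the original post or of the letsencrypt client: it writes a throwaway token where the client would, fetches it over plain HTTP the way the CA does (following redirects), and removes it again. It assumes the page's webroot and domain (override WEBROOT and DOMAIN) and that curl is installed (apt-get install curl).

```shell
#!/bin/sh
# Added example, not from the original post: dry-run of the webroot challenge
# before asking Let's Encrypt for a certificate.  Assumes the page's webroot
# and domain (override WEBROOT/DOMAIN) and that curl is installed.
WEBROOT=${WEBROOT:-/usr/share/nginx/html}
DOMAIN=${DOMAIN:-secure.kahimyang.info}

# The webroot authenticator writes each challenge under this directory.
challenge_dir() {
    printf '%s/.well-known/acme-challenge' "$1"
}

# Create a dummy challenge file ($1=webroot $2=token $3=body) the way the
# client does and print the URL path the CA would fetch.
write_challenge() {
    dir=$(challenge_dir "$1")
    mkdir -p "$dir"
    printf '%s' "$3" > "$dir/$2"
    printf '/.well-known/acme-challenge/%s\n' "$2"
}

remove_challenge() {
    rm -f "$(challenge_dir "$1")/$2"
}

# Fetch the dummy file over plain HTTP as the CA does (it follows redirects,
# hence -L) and compare the body.  Returns 0 when Nginx serves the file from
# the expected webroot.
challenge_selftest() {
    token=$(head -c 16 /dev/urandom | od -An -tx1 | tr -d ' \n')
    body="selftest-$token"
    path=$(write_challenge "$WEBROOT" "$token" "$body")
    got=$(curl -fsSL --max-time 10 "http://$DOMAIN$path" 2>/dev/null || true)
    remove_challenge "$WEBROOT" "$token"
    if [ "$got" = "$body" ]; then
        echo "OK: http://$DOMAIN$path is served from $WEBROOT"
        return 0
    fi
    echo "FAIL: http://$DOMAIN$path did not return the challenge file (got: '$got')"
    echo "      check the location block, the root of the server block and any redirect"
    return 1
}

# Run the self-test only when invoked as "sh le-selftest.sh check", so the
# functions can also be sourced from another script.
case "${1:-}" in
    check) challenge_selftest ;;
esac
```

If the test fails, the request will fail for the same reason, so fix the server block before spending one of the rate-limited certificate requests on it.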

Request for certificate

We now request a certificate for one or more domains. In this demonstration we request a certificate for a single domain, secure.kahimyang.info. Replace every occurrence of this domain name with your own from this point onwards. For multiple domains add one -d <domain-name> per domain to the following command; every name must resolve to this server, because the CA fetches the challenge from each of them.

cd /opt/letsencrypt
./letsencrypt-auto certonly -a webroot --webroot-path=/usr/share/nginx/html -d secure.kahimyang.info

This prompts for your email address, which is used for expiry notices and account recovery, and you must agree to the Let's Encrypt Subscriber Agreement. If everything was successful, the output tells you where the certificate was saved and when it expires: Let's Encrypt certificates are valid for 90 days.

The files live under /etc/letsencrypt/live/secure.kahimyang.info/. They are symbolic links to the most recent versions kept in /etc/letsencrypt/archive, so point Nginx at the live paths and renewals are picked up without editing the config:

  • cert.pem - Domain's certificate
  • chain.pem - Let's Encrypt intermediate certificate
  • fullchain.pem - cert.pem and chain.pem combined
  • privkey.pem - Your certificate's private key; it is readable by root only, keep it that way

Generate Strong Diffie-Hellman Group

To further increase security, generate your own Diffie-Hellman group for the DHE cipher suites; without one, Nginx on Jessie falls back to a built-in 1024-bit group. To generate a 2048-bit group, use this command:

openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048

This takes a few minutes but when it's done you will have a strong DH group at /etc/ssl/certs/dhparam.pem. The file contains only public parameters, so it does not need to be kept secret.
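The two steps above leave you with four certificate files and a DH group. The script below is an added example, not from the original post or from the client, that checks them before Nginx is pointed at them: that the private key really belongs to the certificate, that the certificate chains to a trusted root through chain.pem, how many days remain before expiry, and how large the DH group is. It assumes the page's paths (override LIVE and DHPARAM) and openssl(1) on the host; the functions work on any other certificate as well.

```shell
#!/bin/sh
# Added example, not from the original post: checks on the files the client
# wrote and on the DH group, run before pointing Nginx at them.  Assumes the
# page's paths (override LIVE and DHPARAM) and that openssl(1) is installed.
LIVE=${LIVE:-/etc/letsencrypt/live/secure.kahimyang.info}
DHPARAM=${DHPARAM:-/etc/ssl/certs/dhparam.pem}

# True (0) when the certificate in $1 is still valid $2 days from now.
# -checkend does the date arithmetic, so no date(1) parsing is needed.
valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

# Whole days until the certificate in $1 expires (0 once it has expired).
days_left() {
    n=0
    while [ "$n" -lt 400 ] && valid_for_days "$1" $((n + 1)); do
        n=$((n + 1))
    done
    echo "$n"
}

# "match" when the private key in $2 is the one the certificate in $1 was
# issued for, else "MISMATCH".  Compares the public keys they embed, so a
# renamed or stale key file is caught regardless of what it is called.
key_matches_cert() {
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || { echo MISMATCH; return 1; }
    k=$(openssl pkey -in "$2" -pubout 2>/dev/null) || { echo MISMATCH; return 1; }
    if [ "$c" = "$k" ]; then echo match; else echo MISMATCH; return 1; fi
}

# Verify that the certificate in $1 chains through the intermediate(s) in $2
# to a root this machine trusts.  Pass a CA file as $3 to trust something
# other than the system store (used by the tests below).
chain_ok() {
    if [ -n "${3:-}" ]; then
        openssl verify -CAfile "$3" -untrusted "$2" "$1" >/dev/null 2>&1
    else
        openssl verify -untrusted "$2" "$1" >/dev/null 2>&1
    fi
}

# Size of the Diffie-Hellman group in $1, in bits.
dh_bits() {
    openssl dhparam -in "$1" -noout -text 2>/dev/null \
        | sed -n 's/.*DH Parameters: (\([0-9]*\) bit).*/\1/p'
}

# Human-readable summary of one live directory.
report() {
    cert="$1/cert.pem"; chain="$1/chain.pem"; key="$1/privkey.pem"
    echo "certificate:  $(openssl x509 -in "$cert" -noout -subject)"
    echo "expires in:   $(days_left "$cert") days (Let's Encrypt issues 90-day certificates)"
    echo "key matches:  $(key_matches_cert "$cert" "$key")"
    if chain_ok "$cert" "$chain"; then
        echo "chain:        verifies to a trusted root"
    else
        echo "chain:        DOES NOT verify (missing intermediate or untrusted root?)"
    fi
    if [ -f "$DHPARAM" ]; then
        echo "dh group:     $(dh_bits "$DHPARAM") bits"
    fi
}

# Invoke as "sh le-check.sh check [live-dir]"; without arguments the
# functions are only defined, so the file can be sourced elsewhere.
case "${1:-}" in
    check) report "${2:-$LIVE}" ;;
esac
```

A MISMATCH here is the usual cause of an Nginx "key values mismatch" error at reload time, and a chain that does not verify means fullchain.pem is incomplete and many clients will reject the site even though a browser with a cached intermediate accepts it.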

Configure TLS/SSL on your server block

Locate your Nginx config sites-enabled directory and create your HTTPS server block which listens to port 443. The root of our secure site is /usr/share/nginx/html/secure. Replace this with your own.

server {
      listen 443 ssl;                      # "ssl on;" is the older spelling of the same thing
      server_name  secure.kahimyang.info;
      ssl_certificate /etc/letsencrypt/live/secure.kahimyang.info/fullchain.pem;
      ssl_certificate_key /etc/letsencrypt/live/secure.kahimyang.info/privkey.pem;

      # Drop TLSv1 and TLSv1.1 unless you must support clients that have nothing newer.
      ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
      ssl_prefer_server_ciphers on;
      ssl_dhparam /etc/ssl/certs/dhparam.pem;
      ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
      ssl_session_timeout 1d;
      ssl_session_cache shared:SSL:50m;
      # Session tickets are encrypted with a key Nginx only rotates on restart,
      # which weakens forward secrecy for resumed sessions; the cache above is enough.
      ssl_session_tickets off;

      # OCSP stapling needs a resolver to reach the OCSP responder and the issuer
      # chain to verify the response; without both, stapling silently does nothing.
      ssl_stapling on;
      ssl_stapling_verify on;
      ssl_trusted_certificate /etc/letsencrypt/live/secure.kahimyang.info/chain.pem;
      resolver 8.8.8.8 8.8.4.4 valid=300s;   # replace with your own resolver
      resolver_timeout 5s;

      add_header Strict-Transport-Security max-age=15768000;

      location / {
          root   /usr/share/nginx/html/secure; #replace with your own
          index  index.html index.htm;
      }
}

#Redirect back to our secure site, but keep answering ACME challenges over plain HTTP
server {
    listen 80;
    server_name secure.kahimyang.info;

    # Renewals use the same webroot as the first request. Without this location the
    # challenge would be redirected to HTTPS, whose root (/usr/share/nginx/html/secure)
    # does not contain .well-known, and every renewal would fail with a 404.
    location ^~ /.well-known/acme-challenge/ {
        root /usr/share/nginx/html;
    }

    location / {
        return 301 https://secure.kahimyang.info$request_uri;
    }
}

Test your configuration first and reload Nginx only if there are no errors; a reload keeps serving requests while the new configuration is loaded.

/etc/init.d/nginx configtest 
/etc/init.d/nginx reload

Setup auto renewal

Let's Encrypt certificates are valid for 90 days; it is recommended, however, that you renew them every 60 days to leave a margin for error. At the time of this writing, automatic renewal is still not built into the client itself, but you can renew your certificates by running the Let's Encrypt client with the renew option.

Use the following command to renew. It goes through every certificate the client manages and renews the ones that are close to expiry, using the same webroot and domains as the original request.

/opt/letsencrypt/letsencrypt-auto renew

To test the renewal process, use the following

/opt/letsencrypt/letsencrypt-auto renew  --dry-run

To make sure your certificates never lapse, create a cron job that runs the renewal command periodically. The renew command first checks the expiry date and only renews a certificate that is less than 30 days from expiring, so running it weekly is cheap. The cron job that follows runs every Monday at 2:40am and reloads Nginx five minutes later so that the workers pick up the new certificate; Nginx keeps serving the old one until it is reloaded.

crontab -e

Add the following lines

40 2 * * 1 /opt/letsencrypt/letsencrypt-auto renew >> /var/log/le-renew.log 2>&1
45 2 * * 1 /etc/init.d/nginx reload
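A weekly renew followed by a blind reload five minutes later works, but it reloads Nginx even when nothing changed and never checks that the reload took effect. The script below is an added example, not from the original post or from the client: it runs the renewal, reloads Nginx only when the leaf certificate on disk actually changed, and then compares the fingerprint of the certificate the server presents on port 443 with the file on disk. It assumes the page's paths (override LE, CERT, DOMAIN and LOG); RENEW_CMD and RELOAD_CMD are hypothetical overrides that exist so the reload logic can be exercised without a real client, and the install path /usr/local/sbin/le-renew.sh used below is also an assumption.

```shell
#!/bin/sh
# Added example, not from the original post: renewal job for cron that
# reloads Nginx only when the client wrote a new certificate, then checks
# that the running server hands out that certificate.  Assumes the page's
# paths (override LE/CERT/DOMAIN/LOG); RENEW_CMD and RELOAD_CMD are
# hypothetical overrides so the logic can be tested without a real client.
LE=${LE:-/opt/letsencrypt/letsencrypt-auto}
CERT=${CERT:-/etc/letsencrypt/live/secure.kahimyang.info/fullchain.pem}
DOMAIN=${DOMAIN:-secure.kahimyang.info}
LOG=${LOG:-/var/log/le-renew.log}
RENEW_CMD=${RENEW_CMD:-"$LE renew"}
RELOAD_CMD=${RELOAD_CMD:-"/etc/init.d/nginx configtest && /etc/init.d/nginx reload"}

# SHA-256 fingerprint of the first (leaf) certificate in a PEM file.
fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null | sed 's/.*=//'
}

# Fingerprint of the certificate the server presents for $DOMAIN on 443
# (SNI is sent, so the right server block answers).
served_fingerprint() {
    echo | openssl s_client -connect "$DOMAIN:443" -servername "$DOMAIN" 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha256 2>/dev/null | sed 's/.*=//'
}

# Run the client and reload Nginx only if the leaf changed.  Prints one of
# "unchanged", "reloaded" or "failed"; the client's own output goes to $LOG.
renew_and_reload() {
    before=$(fingerprint "$CERT")
    if ! eval "$RENEW_CMD" >>"$LOG" 2>&1; then
        echo failed
        return 1
    fi
    after=$(fingerprint "$CERT")
    if [ "$before" = "$after" ]; then
        echo unchanged
        return 0
    fi
    if eval "$RELOAD_CMD" >>"$LOG" 2>&1; then
        echo reloaded
        return 0
    fi
    echo failed
    return 1
}

# After a reload, confirm the server really serves the certificate on disk;
# a worker that kept the old one or a server block pointing at a stale path
# shows up here as a mismatch.
verify_served() {
    on_disk=$(fingerprint "$CERT")
    [ -n "$on_disk" ] && [ "$on_disk" = "$(served_fingerprint)" ]
}

# Invoke as "le-renew.sh run" from cron; without arguments only the
# functions are defined.
case "${1:-}" in
    run)
        result=$(renew_and_reload)
        echo "$(date '+%F %T') renew: $result" >>"$LOG"
        if [ "$result" = reloaded ] && ! verify_served; then
            echo "$(date '+%F %T') WARNING: $DOMAIN is not serving $CERT" >>"$LOG"
        fi
        ;;
esac
```

Save it as /usr/local/sbin/le-renew.sh, make it executable, and replace the two cron lines above with a single one: 40 2 * * 1 /usr/local/sbin/le-renew.sh run. The fingerprint comparison at the end is the part the plain cron job lacks: it is what tells you that the reload reached the workers and that the server block is reading the live path the client updated.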

Update letsencrypt client

Whenever new updates are available for the client, you can update your local copy by running a git pull from inside the Let's Encrypt directory:

cd /opt/letsencrypt
git pull

That's it. Now you can check your configuration score at the Qualys SSL labs site here https://www.ssllabs.com/ssltest/analyze.html. Your score should be A+. Good luck!

