Set up Let's Encrypt on AWS EC2 Ubuntu (Yakkety, Xenial or older) and fix NGINX issues


To set up Let's Encrypt on Ubuntu, first SSH into your server. I will use my own domain as the example. I ran into a few issues along the way; if you are facing similar problems setting up Let's Encrypt, including an "invalid certificate" error on NGINX, this article should help you fix them.

1. Manual certbot-auto install (did not work)

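# certbot-auto is a self-updating installer script. Fetching it straight into
# /usr/sbin with no integrity check means whatever dl.eff.org (or anyone able
# to tamper with the download) hands back gets run as root. Download to a
# scratch directory, verify the detached OpenPGP signature EFF publishes next
# to the script, and only install if verification succeeds. Import the Certbot
# signing key first, taking its fingerprint from the official Certbot
# documentation rather than from a third-party page.
# NOTE: certbot-auto has since been deprecated upstream; the packaged install
# in step 2 is the supported route.
tmp=$(mktemp -d)
wget https://dl.eff.org/certbot-auto -O "$tmp/certbot-auto"
wget https://dl.eff.org/certbot-auto.asc -O "$tmp/certbot-auto.asc"
# Must print "Good signature" from the Certbot/EFF key; nothing is installed otherwise.
gpg --verify "$tmp/certbot-auto.asc" "$tmp/certbot-auto" \
  && sudo install -m 0755 "$tmp/certbot-auto" /usr/sbin/certbot-auto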

This did not work for me: running certbot-auto failed with Python dependency errors.

Here are the steps that worked, installing from the distribution package and using the `letsencrypt` command:

2. Install certbot from the Ubuntu package (the working method)

# Refresh the package index, apply all pending upgrades and prune orphaned
# packages (each step only runs if the previous one succeeded), then install
# certbot from the distribution repository.
# NOTE: "dist-upgrade -y" applies every pending upgrade unattended; on a
# production host review what it will change before running it.
sudo apt-get update -y \
  && sudo apt-get dist-upgrade -y \
  && sudo apt-get autoremove -y
sudo apt-get install certbot

3. Configure Let's Encrypt validation
We need to serve the HTTP-01 validation over port 80 of our domain. Make sure port 80 (and 443) is open in the instance's EC2 security group, otherwise the validation request never reaches NGINX. Here is the NGINX configuration:

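server {
    server_name www.yodiaditya.com yodiaditya.com;
    listen 80;
    # If the domain has an AAAA record, Let's Encrypt will validate over IPv6;
    # add "listen [::]:80;" in that case.

    # ACME HTTP-01 challenge files. "^~" is a prefix match anchored at the start
    # of the URI (the original "~ /\.well-known/..." regex matched anywhere in
    # the path) and it takes priority over any regex location added later, such
    # as a "~ \.php$" handler. certbot --webroot writes the token to
    # <webroot>/.well-known/acme-challenge/<token>, so "root" (not "alias") is
    # correct here.
    location ^~ /.well-known/acme-challenge/ {
        allow all;
        root /var/www/letsencrypt;
        try_files $uri =404;
    }
}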

Don't forget to create the webroot folder:

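# Webroot where certbot (running as root) drops the challenge tokens.
# -p makes the command idempotent on re-runs. The default root-owned 0755
# directory is readable by the NGINX worker, which is all that is needed.
sudo mkdir -p /var/www/letsencrypt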
then check the configuration and restart NGINX with
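# Validate the configuration first: a restart with a broken config takes the
# site down, whereas "nginx -t" fails early and leaves the running server alone.
sudo nginx -t && sudo service nginx restart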

4. Generate the Let's Encrypt certificate

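# The long options must be plain double hyphens ("--webroot-path",
# "--agree-tos"); the page rendered them as en-dashes, which the command
# rejects. Both the www and the apex name are served by the port-80 server
# block above (its server_name lists both), so request one certificate covering
# both; otherwise https://yodiaditya.com gets a name-mismatch ("invalid
# certificate") error. The first -d sets the lineage name, so the files still
# land in /etc/letsencrypt/live/www.yodiaditya.com/ as the NGINX config expects.
sudo letsencrypt certonly -a webroot --webroot-path=/var/www/letsencrypt \
  -m youremailaddress --agree-tos \
  -d www.yodiaditya.com -d yodiaditya.com
# Certificates expire after 90 days: make sure "letsencrypt renew" runs on a
# schedule (cron or a systemd timer) and that NGINX is reloaded afterwards so
# it picks up the new files.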

5. Set up NGINX TLS for WordPress

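server {
    server_name www.yodiaditya.com yodiaditya.com;
    listen 80;

    # Keep serving ACME challenges over plain HTTP so renewals keep working.
    # Prefix match ("^~") is anchored and wins over regex locations.
    location ^~ /.well-known/acme-challenge/ {
        allow all;
        root /var/www/letsencrypt;
        try_files $uri =404;
    }

    # Redirect everything else to HTTPS. The redirect must live inside a
    # location: a "return" at server level is a rewrite-phase directive that
    # runs before location matching, so it would also redirect the
    # /.well-known/acme-challenge/ requests and break certificate renewal.
    location / {
        return 301 https://www.yodiaditya.com$request_uri;
    }
}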

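server {
    listen 443 ssl;
    listen [::]:443 ssl;
    # Only the www name is listed because that is what the certificate above
    # covers. If the apex (yodiaditya.com) is included in the certificate, add
    # it here or give it its own 443 server that redirects to www; otherwise
    # https://yodiaditya.com lands on this default server with a name mismatch.
    server_name www.yodiaditya.com;
    # "ssl on;" removed: "listen ... ssl" already enables TLS and the directive
    # is deprecated in newer NGINX releases.

    ssl_certificate      /etc/letsencrypt/live/www.yodiaditya.com/fullchain.pem;
    ssl_certificate_key  /etc/letsencrypt/live/www.yodiaditya.com/privkey.pem;

    # TLS 1.0 and 1.1 are deprecated (RFC 8996); offer TLS 1.2 only.
    # Append TLSv1.3 once NGINX >= 1.13 with OpenSSL >= 1.1.1 is in use.
    ssl_protocols TLSv1.2;
    ssl_prefer_server_ciphers on;
    # Forward-secret AEAD suites only. The original list still allowed plain
    # RSA key exchange (no forward secrecy) and CBC suites. DHE suites are left
    # out on purpose: without an explicit ssl_dhparam, older NGINX falls back
    # to built-in 1024-bit parameters and newer NGINX disables DHE entirely.
    # Cipher names unknown to the local OpenSSL (ChaCha20 on 1.0.x) are ignored.
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;

    # Session resumption: a shared cache avoids a full handshake on every new
    # connection (1 MB holds roughly 4000 sessions).
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 5m;

    # HSTS defeats SSL stripping, but it is a one-way door: once a browser has
    # seen it, this host (and with includeSubDomains every subdomain of it)
    # must serve valid HTTPS for the whole max-age. Drop includeSubDomains if
    # any subdomain is HTTP-only. On NGINX >= 1.7.5 append "always" to each
    # add_header so the headers are also sent on error responses.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";
    add_header X-Content-Type-Options nosniff;
    # Blocks clickjacking; WordPress admin/customizer frames are same-origin.
    add_header X-Frame-Options SAMEORIGIN;
    add_header X-XSS-Protection "1; mode=block";
    # A Content-Security-Policy is worth adding, but it has to be written for
    # the theme/plugins actually in use; roll it out as
    # Content-Security-Policy-Report-Only first. Do not use Public-Key-Pins
    # (HPKP): browsers have dropped it, and a pinning mistake with 90-day
    # certificates locks visitors out for the whole max-age.

    # Replace with the WordPress document root.
    root    /path;

    # These timeouts keep slow clients attached for many minutes; tighten them
    # if slow-client (slowloris-style) DoS is a concern for this host.
    client_body_timeout  460;
    client_header_timeout 460;
    send_timeout 460;
    client_max_body_size 10m;
    keepalive_timeout       300 300;

    access_log  /var/log/nginx/access.log;
    index  index.php index.html index.htm;

    location = /favicon.ico {
            log_not_found off;
            access_log off;
    }

    location = /robots.txt {
            allow all;
            log_not_found off;
            access_log off;
    }

    location / {
            # Existing files and directories are served directly; everything
            # else is routed to the WordPress front controller.
            try_files $uri $uri/ /index.php?$args;
    }

    # Deny every dotfile and dot-directory (.htaccess, .git, .env, ...) except
    # the ACME path. Regex locations are tried in order of appearance, so this
    # comes before the PHP handler; the dot is escaped (the original "/.ht"
    # matched any character).
    location ~ /\.(?!well-known/) {
            deny  all;
    }

    # Pass PHP scripts to php-fpm on its unix socket. The dot is escaped (the
    # original ".php$" matched any character before "php"), and try_files
    # rejects requests for scripts that do not exist on disk: with
    # cgi.fix_pathinfo=1 a request such as /uploads/x.jpg/y.php would otherwise
    # make php-fpm execute the uploaded x.jpg as PHP.
    location ~ \.php$ {
            try_files $uri =404;
            fastcgi_send_timeout 3800;
            fastcgi_read_timeout 3800;
            fastcgi_connect_timeout 2800;
            fastcgi_pass unix:/var/run/php/php7.0-fpm.sock;
            fastcgi_index  index.php;
            fastcgi_param  SCRIPT_FILENAME  $document_root$fastcgi_script_name;
            include fastcgi_params;
    }

    # Long-lived caching for static assets (dot escaped as above).
    location ~* \.(js|css|png|jpg|jpeg|gif|ico)$ {
            expires max;
            log_not_found off;
    }
}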
