To set up Let's Encrypt on Ubuntu, first SSH into your server. In this walkthrough I use my own domain as the example. I ran into a few issues while doing these steps; if you are facing similar problems setting up Let's Encrypt, including an "invalid certificate" error on NGINX, this article will help you fix them.
1. Install certbot manually (not working)

```shell
sudo wget https://dl.eff.org/certbot-auto -O /usr/sbin/certbot-auto
sudo chmod a+x /usr/sbin/certbot-auto
```

This did not work for me: certbot-auto failed with Python dependency errors when I ran it.
Here are the right steps to install Let's Encrypt using the `letsencrypt` command.

2. Install letsencrypt from the package repository

```shell
sudo apt-get update -y && sudo apt-get dist-upgrade -y && sudo apt-get autoremove -y
sudo apt-get install certbot
```
3. Configure Let's Encrypt validation

We need to serve the validation challenge over port 80 of our domain. Here is the NGINX configuration:

```nginx
server {
    server_name www.yodiaditya.com yodiaditya.com;
    listen 80;

    # Let's Encrypt fetches the challenge token from this path over plain HTTP.
    location ~ /\.well-known/acme-challenge/ {
        allow all;
        root /var/www/letsencrypt;
        try_files $uri =404;
        break;
    }
}
```
Don't forget to create the webroot folder and restart NGINX:

```shell
sudo mkdir /var/www/letsencrypt
sudo service nginx restart
```
4. Generate the Let's Encrypt SSL certificate

```shell
# Replace youremailaddress with the address that should receive expiry notices.
sudo letsencrypt certonly -a webroot --webroot-path=/var/www/letsencrypt -m youremailaddress --agree-tos -d www.yodiaditya.com
```
5. Set up NGINX SSL to work with WordPress

```nginx
server {
    server_name www.yodiaditya.com yodiaditya.com;
    listen 80;

    # Keep serving the ACME challenge from the webroot so renewals keep working.
    # This location must take precedence over the redirect below: a bare `return`
    # at server level runs before location matching and would break validation.
    location ~ /\.well-known/acme-challenge/ {
        allow all;
        root /var/www/letsencrypt;
        try_files $uri =404;
        break;
    }

    # Everything else is redirected to HTTPS.
    location / {
        return 301 https://www.yodiaditya.com$request_uri;
    }
}

server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name www.yodiaditya.com;

    # `ssl on;` is not needed (and is removed in current nginx): the `ssl`
    # parameter on `listen` above already enables TLS for this server.

    # Use fullchain.pem (leaf + intermediate), not cert.pem: serving only the leaf
    # certificate is a classic cause of "invalid certificate" errors in browsers.
    ssl_certificate /etc/letsencrypt/live/www.yodiaditya.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/www.yodiaditya.com/privkey.pem;

    # TLS 1.0 and 1.1 are deprecated; drop them unless you must support legacy clients.
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    # ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:ECDHE-RSA-AES128-GCM-SHA256:AES256+EECDH:DHE-RSA-AES128-GCM-SHA256:AES256+EDH:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
    ssl_prefer_server_ciphers on;
    #ssl_session_cache shared:SSL:10m;
    ssl_ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS;

    # ciphers chosen for forward secrecy and compatibility
    # http://blog.ivanristic.com/2013/08/configuring-apache-nginx-and-openssl-for-forward-secrecy.html
    #ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";

    # enable session resumption to improve https performance
    # http://vincent.bernat.im/en/blog/2011-ssl-session-reuse-rfc5077.html
    # ssl_session_cache shared:SSL:50m;
    ssl_session_timeout 5m;

    # config to enable HSTS (HTTP Strict Transport Security) https://developer.mozilla.org/en-US/docs/Security/HTTP_Strict_Transport_Security
    # to avoid ssl stripping https://en.wikipedia.org/wiki/SSL_stripping#SSL_stripping
    add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
    add_header X-Content-Type-Options nosniff;
    add_header X-XSS-Protection "1; mode=block";
    # add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' data: https://www.google-analytics.com/ https://ssl.google-analytics.com https://assets.zendesk.com https://connect.facebook.net https://maps.googleapis.com/ https://d1l7z5ofrj6ab8.cloudfront.net/ https://ajax.googleapis.com/; img-src 'self' data: https://mts.googleapis.com https://maps.gstatic.com/ https://d1l7z5ofrj6ab8.cloudfront.net/ https://csi.gstatic.com/ https://ssl.google-analytics.com https://maps.googleapis.com/ https://s-static.ak.facebook.com https://assets.zendesk.com; style-src 'self' 'unsafe-inline' data: https://d1l7z5ofrj6ab8.cloudfront.net/ https://csi.gstatic.com/ https://fonts.googleapis.com https://maxcdn.bootstrapcdn.com/ https://assets.zendesk.com; font-src 'self' https://fonts.gstatic.com/ https://maxcdn.bootstrapcdn.com/ https://themes.googleusercontent.com; child-src https://happyfoxchat.com https://assets.zendesk.com https://www.facebook.com https://s-static.ak.facebook.com https://tautt.zendesk.com; object-src 'none'";
    # add_header Public-Key-Pins 'pin-sha256="TcmOEUd/PwZtaEDWppHx70TjB+IRGCe5ONIqcbMjBBk="; max-age=31536000; includeSubDomains';

    root /path;

    client_body_timeout 460;
    client_header_timeout 460;
    send_timeout 460;
    client_max_body_size 10m;
    keepalive_timeout 300 300;

    access_log /var/log/nginx/access.log;

    index index.php index.html index.htm;

    location = /favicon.ico {
        log_not_found off;
        access_log off;
    }

    location = /robots.txt {
        allow all;
        log_not_found off;
        access_log off;
    }

    location / {
        # This is cool because no php is touched for static content
        try_files $uri $uri/ /index.php?$args;
    }

    # pass the PHP scripts to the PHP-FPM FastCGI socket
    #
    location ~ \.php$ {
        fastcgi_send_timeout 3800;
        fastcgi_read_timeout 3800;
        fastcgi_connect_timeout 2800;
        fastcgi_pass unix:/var/run/php/php7.0-fpm.sock;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }

    location ~* \.(js|css|png|jpg|jpeg|gif|ico)$ {
        expires max;
        log_not_found off;
    }

    # deny access to .htaccess files, if Apache document root
    # concurs with nginx one
    #
    location ~ /\.ht {
        deny all;
    }
}
```
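A common way to break certificate renewals with the step 5 layout is to put the `return 301` redirect directly in the port-80 `server` block: nginx executes a server-level `return` before matching any `location`, so the acme-challenge location never gets to serve the token. The following lint is an added example, not code from the article (it needs Python 3.8+): it parses an nginx config with a minimal tokenizer and flags exactly that situation, using the article's port-80 block as constructed input.

```python
import re

# Tokens: a comment (dropped), a quoted string, one of { } ;, or a bare word.
_TOKEN = re.compile(r'\s*(?:(#[^\n]*)|("(?:[^"\\]|\\.)*"|\'(?:[^\'\\]|\\.)*\')|([{};])|([^\s{};"\']+))')

def tokenize(text):
    pos = 0
    while (m := _TOKEN.match(text, pos)) is not None:
        pos = m.end()
        comment, quoted, punct, word = m.groups()
        if not comment:                     # comments carry no configuration
            yield quoted or punct or word

def parse(tokens):
    """Build a tree: a directive is (name, args), a block is (name, args, children)."""
    nodes, words = [], []
    for tok in tokens:
        if tok == ';':
            nodes.append((words[0], words[1:])); words = []
        elif tok == '{':
            nodes.append((words[0], words[1:], parse(tokens))); words = []
        elif tok == '}':
            break
        else:
            words.append(tok)
    return nodes

def shadowed_http01_servers(config):
    """server_name of each port-80 server that has an acme-challenge location but also
    a server-level `return`, which nginx runs before location matching (renewals fail)."""
    flagged = []
    for node in parse(tokenize(config)):
        if node[0] != 'server' or len(node) != 3:
            continue
        kids = node[2]
        on_80 = any(n[0] == 'listen' and n[1] and n[1][0].rsplit(':', 1)[-1] == '80' for n in kids)
        acme = any(n[0] == 'location' and any('acme-challenge' in a for a in n[1]) for n in kids)
        if on_80 and acme and any(n[0] == 'return' for n in kids):
            names = next((n[1] for n in kids if n[0] == 'server_name'), ['(unnamed)'])
            flagged.append(names[0])
    return flagged

# Constructed sample: the article's port-80 block, and the same block with the
# redirect moved into `location /` so the more specific acme-challenge location wins.
SHADOWED = """server {
    server_name www.yodiaditya.com yodiaditya.com;
    listen 80;
    return 301 https://www.yodiaditya.com$request_uri;   # runs before any location
    location ~ /\\.well-known/acme-challenge/ { allow all; root /var/www/letsencrypt; try_files $uri =404; }
}"""
FIXED = SHADOWED.replace("return 301 https://www.yodiaditya.com$request_uri;",
                         "location / { return 301 https://www.yodiaditya.com$request_uri; }")
```

`shadowed_http01_servers(SHADOWED)` returns `['www.yodiaditya.com']` while the `FIXED` variant returns an empty list; point it at the output of `nginx -T` to check a live configuration.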