Linode: How To Secure Nginx with Let's Encrypt on Ubuntu 12.04

| Servers | 25 seen

Encrypted HTTPS websites are pretty much a hot topic nowadays. I have seen a lot noncommercial websites and blogs using HTTPS protocol lately.  I believe cheap prices for certificates and possible SEO boost from Google are pushing more and more to add HTTPS. Including me!

In fact this article is first since my blog is HTTPS, to celebrate that I decided to write shot tutorial how you too can enable HTTPS on Ubuntu 12.04 running Nginx and optionally running a Drupal site on Linode VPS.

Install free TLS/SSL certificates

Wait, did I just said a free certificate? Totally free? No hidden costs? Yup, that's exactly what I've said, - Let's Encrypt is a new Certificate Authority that provides an easy way to obtain and install free TLS/SSL certificates, thereby enabling encrypted HTTPS on web servers. It simplifies the process by providing a software client, letsencrypt, that attempts to automate most (if not all) of the required steps. 

Install guide

You can read article on Digital Ocean - How To Secure Nginx with Let's Encrypt on Ubuntu 14.04, most of the written bellow is originally taken from that article, just adapted for Ubuntu 12.04 and Linode.

So why Linode and why Ubuntu 12.04 when there is 14.04 already out there. Well.. Linode just rocks I have been using it for some five years already, I have served dozens (if not hundreds of sites on Linode). Ubuntu 12.04 instead of 14.04? Well, this is related to Drupal and PHP version 14.04 ships with. Mine Drupal powered blog is not yet ready to befriend with php 5.5. 

​Update your server's package manager 

sudo apt-get update

Then install the git and bc packages with apt-get:

sudo apt-get -y install git bc

We can now clone the Let’s Encrypt repository in /opt with this command:

sudo git clone https://github.com/letsencrypt/letsencrypt /opt/letsencrypt

I'll show you how to use the Standalone plugin to obtain an SSL certificate.

Lets open port 80

sudo service nginx stop

Change directory to letsencrypt

cd /opt/letsencrypt

​Now use the Standalone plugin by running this command:

sudo ./letsencrypt-auto certonly --standalone

After letsencrypt initializes, you will be prompted for some information.

Note that if you want a single cert to work with multiple domain names (e.g. example.com and www.example.com), be sure to include all of them.

After obtaining the cert, you will have the following PEM-encoded files:

  • cert.pem: Your domain's certificate
  • chain.pem: The Let's Encrypt chain certificate
  • fullchain.pem: cert.pem and chain.pem combined
  • privkey.pem: Your certificate's private key

It's important that you are aware of the location of the certificate files that were just created, so you can use them in your web server configuration. The files themselves are placed in a subdirectory in/etc/letsencrypt/archive. However, Let's Encrypt creates symbolic links to the most recent certificate files in the /etc/letsencrypt/live/your_domain_name directory. Because the links will always point to the most recent certificate files, this is the path that you should use to refer to your certificate files.

You are almost done here, now it's time to configure nginx.conf

sudo nano /opt/etc/nginx/sites-available/reinisfischer.com

Within your server { block, add the following lines but replace all of the instances of reinisfischer.com with your own domain:


listen 443 ssl; 
server_name www.reinisfischer.com; 
ssl_certificate /etc/letsencrypt/live/www.reinisfischer.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/www.reinisfischer.com/privkey.pem; 
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on; 
ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';

Lastly, outside of the original server block (that is listening on HTTPS, port 443), add this server block to redirect HTTP (port 80) to HTTPS. Be sure to replace reinisfischer.comt with your own domain name:


server { 
listen 80; 
server_name reinisfischer.com; 
return 301 https://$host$request_uri; 
}

Restart Nginx

sudo service nginx restart

The Let's Encrypt TLS/SSL certificate is now in place. At this point, you should test that the TLS/SSL certificate works by visiting your domain via HTTPS in a web browser.

Congratulations! You have just enabled secure HTTPS pages for your website. Now you might to enable auto renewal for your certificates acquired from Let's Encrypt, as they last only 90 days, I recommend to follow this article on Digital Ocean to learn more: 

Add new comment