Setup free SSL in 5 minutes

SSL - (Secure Sockets Layer) is a security protocol that provides a secure channel between two machines operating over internet or internal network.

Steps to setup SSL through Let’s Encrypt -

  • Install certbot software
sudo add-apt-repository ppa:certbot/certbot
sudo apt-get update
sudo apt-get install python-certbot-nginx
  • Obtain SSL Certificate
sudo certbot --nginx -d hello.com -d www.hello.com

If this is your first time running certbot, you will be prompted to enter some details and agree to terms and conditions. After this certbot will communicate with Let’s Encrypt server and run a challenge that you control the domain you are requesting a certificate for.

Certbot will complete with a message telling you about the location of certificates stored. At this point certificates get downloaded and installed.

Now your nginx.conf should be reconfigured as

server {
     server_name _;

     ssl on;
     listen 443 ssl;                                                        # managed by Certbot
     ssl_certificate /etc/letsencrypt/live/hello.com/fullchain.pem;   # managed by Certbot
     ssl_certificate_key /etc/letsencrypt/live/hello.com/privkey.pem; # managed by Certbot
     include /etc/letsencrypt/options-ssl-nginx.conf;                       # managed by Certbot
     ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;                         # managed by Certbot

    #Enabling application to being included via the iframes
    add_header X-Frame-Options ALLOW;

    # Applications root
    root /var/www/_site;

    location /apple-app-site-association {
    default_type application/pkcs7-mime;
    }

    location ~ /.well-known {
    allow all;
    }

    location ^~ /assets/ {
    gzip_static on;
    expires max;
    add_header Cache-Control public;
    }
    error_page 500 502 504 /500.html;
    error_page 503 @maintenance;
    
    location @maintenance {
        rewrite ^(.*)\$ /503.html break;
        }
    
        if (-f \$document_root/../tmp/maintenance.txt) {
        return 503;
        }
    
    #    Redirect non-https traffic to https
        if ($scheme != "https") {
            return 301 https://$host$request_uri;
        } # managed by Certbot
}
    
server {
    listen 80;
    rewrite ^/(.*) https://\$host\$request_uri permanent;
}
  • Now check your configurations
sudo nginx -t
sudo service nginx restart

  • Now try to open your site with https in the browser. It should be working.

  • Test your server with - https://www.ssllabs.com/ssltest,
    it will only get a B grade due to weak Diffie-Hellman parameters. This effects the security of the initial key exchange between our server and its users. We can fix this by creating a new dhparam.pem file and adding it to our server block.

sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048

Place anywhere following line in server block and then restart your Nginx.

ssl_dhparam /etc/ssl/certs/dhparam.pem

Thats all!

comments powered by Disqus