Overview
Configure SSL for the domain mydomain.com
Set up the web root at /var/www/mydomain.com
Install Certbot
1. Install Certbot
sudo add-apt-repository ppa:certbot/certbot
sudo apt-get update
sudo apt-get install certbot
Obtain SSL Certificate
1. Create /.well-known in the web root of your site
sudo mkdir /var/www/mydomain.com/.well-known
2. Update your site nginx configuration
sudo nano /etc/nginx/sites-available/mydomain.conf
server {
    server_name mydomain.com;
    root /var/www/mydomain.com;
    ...
    # Add this to your server block
    # (serves the ACME http-01 challenge files that certbot writes under /.well-known/)
    location ~ /.well-known {
        allow all;
    }
    ...
}
3. Restart NGINX
sudo service nginx restart
4. Generate the certificate files with certbot
sudo certbot certonly --webroot --webroot-path=/var/www/mydomain.com -d mydomain.com
Contact email (entered at the certbot prompt): [email protected]
5. Generate Strong Diffie-Hellman Group
sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048
Configure TLS/SSL on Web Server (Nginx)
1. Create a Configuration Snippet Pointing to the SSL Key and Certificate
sudo nano /etc/nginx/snippets/ssl-mydomain.com.conf
ssl_certificate /etc/letsencrypt/live/mydomain.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/mydomain.com/privkey.pem;
2. Create a Configuration Snippet with Strong Encryption Settings
sudo nano /etc/nginx/snippets/ssl-params.conf
# from https://cipherli.st/
# and https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html
# note: TLSv1 and TLSv1.1 are deprecated (RFC 8996); keep them only if legacy clients need them
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
ssl_ecdh_curve secp384r1;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off;
ssl_stapling on;
ssl_stapling_verify on;
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 5s;
# disable HSTS header for now
#add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
ssl_dhparam /etc/ssl/certs/dhparam.pem;
3. Adjust the Nginx Configuration to Use SSL
sudo nano /etc/nginx/sites-available/mydomain.conf
server {
    listen 80;
    server_name mydomain.com;
    return 301 https://$server_name$request_uri;
}

server {
    # SSL configuration
    #listen 443 ssl http2 default_server;
    listen 443 ssl http2;
    server_name mydomain.com;
    root /var/www/mydomain.com;

    location ~ /.well-known {
        allow all;
    }

    include snippets/ssl-mydomain.com.conf;
    include snippets/ssl-params.conf;
}
4. Restart Nginx
sudo service nginx restart
5. Access the domain
URL: mydomain.com (plain http:// requests are redirected to https:// by the port 80 server block)
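Before restarting nginx it is worth checking the TLS snippet for the settings the guide above leaves weak or commented out (TLS 1.0/1.1 still enabled, HSTS disabled). The script below is an added example, not part of the original guide: an offline audit of a snippet such as ssl-params.conf using only sed and grep. The only assumption is the path passed as the first argument; every directive name it looks for is a real nginx directive that appears in the snippet above.

```shell
#!/bin/sh
# Added example (not from the original guide): audit an nginx TLS snippet such as
# /etc/nginx/snippets/ssl-params.conf for weak or missing settings. Offline, sed/grep
# only, so it can run in CI or a pre-deploy hook before `nginx -t` and the reload.
# Assumption: $1 is the path of the snippet to check.

# Print the effective (uncommented) value of one directive, e.g. "TLSv1 TLSv1.1 TLSv1.2"
directive_value() {
    sed -e 's/#.*//' "$2" | sed -n "s/^[[:space:]]*$1[[:space:]]\{1,\}\(.*\);.*/\1/p" | head -n 1
}

# 0 if ssl_protocols is set explicitly and allows only TLS 1.2/1.3, 1 otherwise
tls_protocols_ok() {
    tp_protos=$(directive_value ssl_protocols "$1")
    [ -n "$tp_protos" ] || return 1          # unset: the nginx default depends on the version
    case " $tp_protos " in
        *" SSLv3 "*|*" TLSv1 "*|*" TLSv1.1 "*) return 1 ;;
    esac
    return 0
}

# 0 if an active (uncommented) Strict-Transport-Security header is configured
hsts_enabled() {
    sed -e 's/#.*//' "$1" | grep -q 'add_header[[:space:]]\{1,\}Strict-Transport-Security'
}

# Print one line per finding and return the number of findings (0 = clean).
audit_tls_snippet() {
    at_findings=0
    if ! tls_protocols_ok "$1"; then
        echo "WARN ssl_protocols: TLS 1.0/1.1 enabled or not set explicitly (RFC 8996 deprecates 1.0/1.1)"
        at_findings=$((at_findings + 1))
    fi
    if ! hsts_enabled "$1"; then
        echo "INFO add_header: no active Strict-Transport-Security header"
        at_findings=$((at_findings + 1))
    fi
    if [ "$(directive_value ssl_session_tickets "$1")" != "off" ]; then
        echo "INFO ssl_session_tickets: not off (ticket keys weaken forward secrecy unless rotated)"
        at_findings=$((at_findings + 1))
    fi
    if [ "$(directive_value ssl_stapling "$1")" != "on" ]; then
        echo "INFO ssl_stapling: OCSP stapling not enabled"
        at_findings=$((at_findings + 1))
    fi
    if [ -z "$(directive_value ssl_dhparam "$1")" ]; then
        echo "INFO ssl_dhparam: no DH parameters file configured"
        at_findings=$((at_findings + 1))
    fi
    return $at_findings
}

# Usage: sh audit-tls.sh /etc/nginx/snippets/ssl-params.conf   (exit code = number of findings)
if [ "$#" -gt 0 ]; then
    audit_tls_snippet "$1"
fi
```

Run against the snippet from step 2 as written, the script reports two findings (the deprecated protocols and the commented-out HSTS header); after narrowing `ssl_protocols` to TLSv1.2 TLSv1.3 and enabling HSTS it reports none. The check is deliberately a one-directive-per-line text match, so a snippet that includes other files or repeats a directive needs to be flattened first (for example with `nginx -T`).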
Set Up Auto Renewal
* Let's Encrypt certificates are valid for 90 days, so renewal has to be automated
1. Add to crontab
sudo crontab -e
# runs daily at 03:15; this is root's crontab, so the sudo prefixes are redundant but harmless
# (--renew-hook is the older name of --deploy-hook and runs only after a successful renewal)
15 3 * * * sudo /usr/bin/certbot renew --quiet --renew-hook "sudo /bin/systemctl reload nginx"