Overview

Configure the SSL for the domain
mydomain.com

Set up the web root at
/var/www/mydomain.com

Install Certbot

1. Install Certbot

sudo add-apt-repository ppa:certbot/certbot
sudo apt-get update
sudo apt-get install certbot

Obtain SSL Certificate

1. Create /.well-known in web root path of your site

sudo mkdir /var/www/mydomain.com/.well-known

2. Update your site nginx configuration

sudo nano /etc/nginx/sites-available/mydomain.conf

server {
server_name mydomain.com;
root /var/www/mydomain.com;

...

  # Add this to your server block
  location ~ /.well-known {
    allow all;
  }

...
}

3. Restart NGINX

sudo service nginx restart

4. Generate certificate files from certbot

sudo certbot certonly --webroot --webroot-path=/var/www/mydomain.com -d mydomain.com

email : [email protected]

5. Generate Strong Diffie-Hellman Group

sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048

Configure TLS/SSL on Web Server (Nginx)

1. Create a Configuration Snippet Pointing to the SSL Key and Certificate

sudo nano /etc/nginx/snippets/ssl-mydomain.com.conf

ssl_certificate /etc/letsencrypt/live/mydomain.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/mydomain.com/privkey.pem;

2. Create a Configuration Snippet with Strong Encryption Settings

sudo nano /etc/nginx/snippets/ssl-params.conf

# from https://cipherli.st/
# and https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html

ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
ssl_ecdh_curve secp384r1;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off;
ssl_stapling on;
ssl_stapling_verify on;
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 5s;
# disable HSTS header for now
#add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;

ssl_dhparam /etc/ssl/certs/dhparam.pem;

3. Adjust the Nginx Configuration to Use SSL

sudo nano /etc/nginx/sites-available/mydomain.conf

server {
  listen 80;

  server_name mydomain.com;
  return 301 https://$server_name$request_uri;
}

server {
  # SSL configuration

  #listen 443 ssl http2 default_server;
  listen 443 ssl http2;

  server_name mydomain.com;
  root /var/www/mydomain.com;

  location ~ /.well-known {
    allow all;
  }

  include snippets/ssl-mydomain.com.conf;
  include snippets/ssl-params.conf;
}

4. Restart Nginx

sudo service nginx restart

5. Access the domain
URL : mydomain.com

Set Up Auto Renewal

* Since certificate files are valid up to 90 days

1. Add to crontab

sudo crontab -e

15 3 * * * sudo /usr/bin/certbot renew --quiet --renew-hook "sudo /bin/systemctl reload nginx"