Using Free SSL/TLS Certificates from Let’s Encrypt with NGINX
Also see our blog post from nginx.conf 2015, in which Peter Eckersley and Yan Zhu of the Electronic Frontier Foundation introduce the then-new Let’s Encrypt certificate authority.
It’s now a well-known fact that SSL encrypting of your website leads to higher search rankings and better security for your users. However, there are a number of barriers that have prevented website owners from adopting SSL. Two of the biggest barriers have been the cost and the manual processes involved in getting a certificate. But now, with Let’s Encrypt, this is no longer a concern. Let’s Encrypt makes SSL encryption freely available to everyone.
Let’s Encrypt is a free, automated, and open certificate authority. Yes, that’s right: SSL/TLS certificates for free. Certificates issued by Let’s Encrypt are trusted by most browsers today, including older browsers, such as Internet Explorer on Windows XP SP3. In addition, Let’s Encrypt is fully automated for both issuing and renewing certificates.
In this blog post, we’ll cover how to use the Let’s Encrypt client to generate RSA certificates and autonomously configure NGINX to use the newly issued certificates.
How Let’s Encrypt Works
Before issuing a certificate, Let’s Encrypt first validates ownership of your domain. The Let’s Encrypt client, running on your host, creates a temporary file (a token) with the required information in it. The Let’s Encrypt validation server then makes an HTTP request to retrieve the file and validates the token, which verifies that the DNS record for your domain resolves to the server running the Let’s Encrypt client.
Prerequisites
Before starting with Let’s Encrypt, you’ll need a few prerequisites:
- Have NGINX or NGINX Plus installed.
- Own or control a registered domain name for the certificate. If you don’t have a registered domain name, you can use a domain name registrar, such as GoDaddy, dnsexit, etc.
- Create a DNS record that points your domain name to your server’s public IP address.
Now you can easily set up Let’s Encrypt with NGINX and NGINX Plus.
Note: In this blog post, we’re running Let’s Encrypt with open source NGINX on Ubuntu 16.04 Xenial.
1. Download the Let’s Encrypt Client
First, download the Let’s Encrypt client, certbot:
- Add the certbot repository:
$ add-apt-repository ppa:certbot/certbot
- Now install certbot:
$ apt-get update
$ apt-get install python-certbot-nginx
The Let’s Encrypt client is now ready to use.
2. Set up NGINX
Certbot can automatically configure SSL with NGINX by finding the correct server
block in the NGINX configuration. Certbot will look for the server_name
directive in the server block that matches the domain name you’re requesting a certificate for. We’ll be using www.example.com as the domain in this tutorial.
- Assuming you’re starting with a fresh NGINX install, create a configuration file named
www.example.com.conf
in the /etc/nginx/conf.d directory$ nano /etc/nginx/conf.d/www.example.com.conf
- Enter your domain name in the server_name directive in a server block
server {
listen 80 default_server;
listen [::]:80 default_server;
server_name example.com www.example.com;
} - Save the file, verify the syntax of your configuration edits, and restart NGINX
$ nginx -t && nginx -s reload
3. Obtain the SSL certificate
Certbot has various plugins to generate SSL certificates. The NGINX Plugin will take care of re-configuring NGINX and reloading the configuration whenever necessary. To generate SSL certificates with the NGINX plugin, run the following command:
$ sudo certbot --nginx -d example.com -d www.example.com
Once the process has completed successfully, certbot will prompt you to configure your HTTPS settings, which includes entering your email address and agreeing to the terms of service of Let’s Encrypt. Once that’s completed, NGINX will reload with the new settings. Certbot will output a message stating that the SSL certificate generation is successful, along with the location of the certificate on your server.
Congratulations! You have successfully enabled https://example.com and https://www.example.com
-----------------------------------------------------------------------------------------------------------------------------
IMPORTANT NOTES:
Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/example.com/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/example.com//privkey.pem
Your cert will expire on 2017-12-12.
Note: Let’s Encrypt certificates expire after 90 days. In this example, the certificate will expire on 2017-12-12. In the next section, we’ll talk about how to auto-renew certificates automatically.
Open up the NGINX configuration and take note of all the modifications. That way, you’ll know how to configure NGINX manually with SSL/TLS termination in the future.
server {
listen 80 default_server;
listen [::]:80 default_server;
root /var/www/html;
server_name example.com www.example.com;
listen 443 ssl; # managed by Certbot
# RSA certificate
ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
if ($scheme != "https") {
return 301 https://$host$request_uri;
} # managed by Certbot
# Redirect non-https traffic to https
# if ($scheme != "https") {
# return 301 https://$host$request_uri;
# } # managed by Certbot
}
4. Automatic Renewal of Let’s Encrypt Certificates
Let’s Encrypt certificates expire in 90 days. It is encouraged to automatically renew your certificates when they expire. We’ll set up a cron
job to do this.
We start by opening a file called crontab
$ crontab -e
and we enter the certbot command we wish to run daily. In this blog post, we run the command every day at noon. The command will check to see if the certificate on the server is expired and renew it if it is.
0 12 * * * /usr/bin/certbot renew --quiet
Close the cron tab, and now all installed certificates will be automatically renewed and reloaded. --quiet
tells certbot not to output information.
Summary
We’ve installed the Let’s Encrypt agent to generate SSL certificates for a registered domain name. We’ve configured NGINX to use SSL certificates, and we’ve set up automatic certificate renewals. Now, you can set up Let’s Encrypt with NGINX, and have a simple, secure website up and running within minutes.
The post Using Free SSL/TLS Certificates from Let’s Encrypt with NGINX appeared first on NGINX.
Source: Using Free SSL/TLS Certificates from Let’s Encrypt with NGINX