> For the complete documentation index, see [llms.txt](https://task-devops.gitbook.io/documentation/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://task-devops.gitbook.io/documentation/installation-of-lets-encrypt.md).

# Installation of Let's Encrypt

In order to install Let's Encrypt on our EC2 instance, we follow instruction on <https://www.linode.com/docs/security/ssl/install-lets-encrypt-to-create-ssl-certificates/>

First we install **git** package

```
$ sudo apt-get install git
```

We download a clone of Let’s Encrypt from the [official GitHub repository](https://github.com/letsencrypt/letsencrypt) in into **/opt/letsencrypt**

```
$ sudo git clone https://github.com/letsencrypt/letsencrypt /opt/letsencrypt
```

### Generate a certificate

```
$ cd /opt/letsencrypt
$ sudo -H ./letsencrypt-auto certonly --standalone -d task.woezzon.com -d www.task.woezzon.com
```

{% hint style="info" %}
We enter email address  for urgent renewal and security notices: <info@task.woezzon.com>
{% endhint %}

{% hint style="success" %}
All HTTP request will be redirect to HTTPS with a&#x20;

```
return 301 https://$host$request_uri;
```

{% endhint %}

#### Nginx final conf file

Our final Nginx conf file looks like

```
server {
    # Port used for the HTTPS
    listen 443 ssl;

    server_name  task.woezzon.com www.task.woezzon.com;

    # Location of certificates
    ssl_certificate /etc/letsencrypt/live/task.woezzon.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/task.woezzon.com/privkey.pem; # managed by Certbot

    # To allow only the most secure SSL protocols
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;

    # Diffie-Hellman parameter for DHE ciphersuites
    ssl_dhparam /etc/ssl/certs/dhparam.pem;

    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:50m;
    ssl_stapling on;
    ssl_stapling_verify on;
    add_header Strict-Transport-Security max-age=15768000;


    # Drupal folder
    root /var/www/drupal;
    index index.php  index.html index.htm index.nginx-debian.html;

    location / {
        try_files $uri $uri/ =404;
    }

    location ~ \.php$ {
        include snippets/fastcgi-php.conf;
        fastcgi_pass unix:/run/php/php7.0-fpm.sock;
    }

    location ~ /\.ht {
        deny all;
     }

    # Protect CiviCRM's private files
    location ~* ^/sites/(.*)/files/civicrm/(ConfigAndLog|templates_c|upload|custom) {
      deny all;
    }
}

server {
   # HTTP requests are redirected to HTTPS
   listen 80;
   server_name task.woezzon.com www.task.woezzon.com;
   return 301 https://$host$request_uri;
}

```

### Automated renewal for SSL certificates

To automatically renew the certificates, we shall install [Certbot](https://certbot.eff.org/) which automatically enable HTTPS on website deploying Lets'Encrypt certificates.

#### Installation of Certbot

In command line, we make

```bash
$ sudo apt-get update
$ sudo apt-get install software-properties-common
$ sudo add-apt-repository ppa:certbot/certbot
$ sudo apt-get update
$ sudo apt-get install python-certbot-nginx 
```

#### Generate a certificate with Certbot

```bash
$ sudo certbot --nginx
```

and we follow instructions.

#### Renew certificate with Certbot

To renew certificate with Certbot, we type

```
$ sudo certbot renew --nginx
```

{% hint style="info" %}
One advantage of renewing certificate in this way is that it will not require  to stop and start Nginx. It will be reloaded on a successful renewal so that visitors to the site are automatically served the new certificate.&#x20;
{% endhint %}

#### Automatic renewal

Certbot has a cron job which renew automatically certificate if expiration is within 30 days.

The cron job is located at **/etc/cron.d/certbot**

```
$ cat /etc/cron.d/certbot

SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

0 */12 * * * root test -x /usr/bin/certbot -a \! -d /run/systemd/system && perl -e 'sleep int(rand(43200))' && certbot -q renew

```

This job will attempt to execute twice a day but renewal will only occur if expiration is within 30 days

##

{% embed url="<https://absolutecommerce.co.uk/auto-renew-letsencrypt-nginx-certbot>" %}

{% embed url="<https://certbot.eff.org/lets-encrypt/ubuntuxenial-nginx>" %}
