Installation of Let's Encrypt

Let's Encrypt is a free, automated, and open certificate authority brought to users by the non-profit Internet Security Research Group (ISRG).

In order to install Let's Encrypt on our EC2 instance, we follow instruction on https://www.linode.com/docs/security/ssl/install-lets-encrypt-to-create-ssl-certificates/

First we install git package

$ sudo apt-get install git

We download a clone of Let’s Encrypt from the official GitHub repository in into /opt/letsencrypt

$ sudo git clone https://github.com/letsencrypt/letsencrypt /opt/letsencrypt

Generate a certificate

$ cd /opt/letsencrypt
$ sudo -H ./letsencrypt-auto certonly --standalone -d task.woezzon.com -d www.task.woezzon.com

We enter email address for urgent renewal and security notices: info@task.woezzon.com

All HTTP request will be redirect to HTTPS with a

return 301 https://$host$request_uri;

Nginx final conf file

Our final Nginx conf file looks like

server {
    # Port used for the HTTPS
    listen 443 ssl;

    server_name  task.woezzon.com www.task.woezzon.com;

    # Location of certificates
    ssl_certificate /etc/letsencrypt/live/task.woezzon.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/task.woezzon.com/privkey.pem; # managed by Certbot

    # To allow only the most secure SSL protocols
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;

    # Diffie-Hellman parameter for DHE ciphersuites
    ssl_dhparam /etc/ssl/certs/dhparam.pem;

    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:50m;
    ssl_stapling on;
    ssl_stapling_verify on;
    add_header Strict-Transport-Security max-age=15768000;


    # Drupal folder
    root /var/www/drupal;
    index index.php  index.html index.htm index.nginx-debian.html;

    location / {
        try_files $uri $uri/ =404;
    }

    location ~ \.php$ {
        include snippets/fastcgi-php.conf;
        fastcgi_pass unix:/run/php/php7.0-fpm.sock;
    }

    location ~ /\.ht {
        deny all;
     }

    # Protect CiviCRM's private files
    location ~* ^/sites/(.*)/files/civicrm/(ConfigAndLog|templates_c|upload|custom) {
      deny all;
    }
}

server {
   # HTTP requests are redirected to HTTPS
   listen 80;
   server_name task.woezzon.com www.task.woezzon.com;
   return 301 https://$host$request_uri;
}

Automated renewal for SSL certificates

To automatically renew the certificates, we shall install Certbot which automatically enable HTTPS on website deploying Lets'Encrypt certificates.

Installation of Certbot

In command line, we make

$ sudo apt-get update
$ sudo apt-get install software-properties-common
$ sudo add-apt-repository ppa:certbot/certbot
$ sudo apt-get update
$ sudo apt-get install python-certbot-nginx

Generate a certificate with Certbot

$ sudo certbot --nginx

and we follow instructions.

Renew certificate with Certbot

To renew certificate with Certbot, we type

$ sudo certbot renew --nginx

One advantage of renewing certificate in this way is that it will not require to stop and start Nginx. It will be reloaded on a successful renewal so that visitors to the site are automatically served the new certificate.

Automatic renewal

Certbot has a cron job which renew automatically certificate if expiration is within 30 days.

The cron job is located at /etc/cron.d/certbot

$ cat /etc/cron.d/certbot

SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

0 */12 * * * root test -x /usr/bin/certbot -a \! -d /run/systemd/system && perl -e 'sleep int(rand(43200))' && certbot -q renew

This job will attempt to execute twice a day but renewal will only occur if expiration is within 30 days

https://absolutecommerce.co.uk/auto-renew-letsencrypt-nginx-certbotabsolutecommerce.co.uk

https://certbot.eff.org/lets-encrypt/ubuntuxenial-nginxcertbot.eff.org

PreviousInstallation of CiviCRM NextSite backup

Last updated 7 years ago

Was this helpful?

hashtagGenerate a certificate

hashtagNginx final conf file

hashtagAutomated renewal for SSL certificates

hashtagInstallation of Certbot

hashtagGenerate a certificate with Certbot

hashtagRenew certificate with Certbot

hashtagAutomatic renewal

hashtag