Installation of Let's Encrypt
Let's Encrypt is a free, automated, and open certificate authority brought to users by the non-profit Internet Security Research Group (ISRG).
To install Let's Encrypt on our EC2 instance, we follow the instructions at https://www.linode.com/docs/security/ssl/install-lets-encrypt-to-create-ssl-certificates/
First we install the git package:
$ sudo apt-get install git
Then we clone Let's Encrypt from the official GitHub repository into /opt/letsencrypt:
$ sudo git clone https://github.com/letsencrypt/letsencrypt /opt/letsencrypt
Generate a certificate for the domain and its www alias:
$ cd /opt/letsencrypt
$ sudo -H ./letsencrypt-auto certonly --standalone -d task.woezzon.com -d www.task.woezzon.com
All HTTP requests are redirected to HTTPS with the directive
return 301 https://$host$request_uri;
Final Nginx configuration file
Our final Nginx configuration file looks like this:
server {
# Port used for the HTTPS
listen 443 ssl;
server_name task.woezzon.com www.task.woezzon.com;
# Location of certificates
ssl_certificate /etc/letsencrypt/live/task.woezzon.com/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/task.woezzon.com/privkey.pem; # managed by Certbot
# Accepted TLS protocol versions (TLSv1 and TLSv1.1 are deprecated by RFC 8996; drop them where clients allow it)
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
# Diffie-Hellman parameter for DHE ciphersuites
ssl_dhparam /etc/ssl/certs/dhparam.pem;
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:50m;
ssl_stapling on;
ssl_stapling_verify on;
add_header Strict-Transport-Security max-age=15768000;
# Drupal folder
root /var/www/drupal;
index index.php index.html index.htm index.nginx-debian.html;
location / {
try_files $uri $uri/ =404;
}
location ~ \.php$ {
include snippets/fastcgi-php.conf;
fastcgi_pass unix:/run/php/php7.0-fpm.sock;
}
location ~ /\.ht {
deny all;
}
# Protect CiviCRM's private files
location ~* ^/sites/(.*)/files/civicrm/(ConfigAndLog|templates_c|upload|custom) {
deny all;
}
}
server {
# HTTP requests are redirected to HTTPS
listen 80;
server_name task.woezzon.com www.task.woezzon.com;
return 301 https://$host$request_uri;
}
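As an added check that is not part of the original page or of Certbot, the following Python script parses server blocks like the ones above and flags the settings discussed: TLS versions that are now deprecated (the configuration above still enables TLSv1 and TLSv1.1), a missing or short HSTS max-age, and a plain-HTTP listener that does not return a 301 to HTTPS. The embedded configuration is a constructed sample built from the directives above; the parser assumes top-level server blocks, as in a sites-enabled file.

```python
import re
# Constructed sample: the TLS-relevant directives of the two server blocks above.
NGINX_CONF = """
server {
    listen 443 ssl;
    server_name task.woezzon.com www.task.woezzon.com;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    add_header Strict-Transport-Security max-age=15768000;
}
server {
    listen 80;
    server_name task.woezzon.com www.task.woezzon.com;
    return 301 https://$host$request_uri;
}
"""
DEPRECATED = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}  # retired by RFC 7568 and RFC 8996
MIN_HSTS_MAX_AGE = 15768000  # six months, the value used in the configuration above

def parse_server_blocks(conf):
    """Top-level directives of each server block as {name: [args, ...]}; comments stripped, nested blocks skipped."""
    blocks, depth, current = [], 0, None
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.endswith("{"):
            if depth == 0 and line.startswith("server"):
                blocks.append(current := {})  # new server block at top level
            depth += 1
        elif line == "}":
            depth -= 1
        elif line and depth == 1 and current is not None:  # directive directly inside server {}
            name, *args = line.rstrip(";").split()
            current.setdefault(name, []).append(args)
    return blocks

def audit(conf):
    """Flag deprecated protocols, weak or missing HSTS, and HTTP listeners without an HTTPS redirect."""
    findings = []
    for b in parse_server_blocks(conf):
        name = " ".join(b.get("server_name", [["?"]])[0])
        if not any("ssl" in " ".join(a) or "443" in a for a in b.get("listen", [])):
            if not any(a[:1] == ["301"] and a[1:2] and a[1].startswith("https://") for a in b.get("return", [])):
                findings.append(f"{name}: HTTP listener does not redirect to HTTPS")
            continue  # plain-HTTP block: nothing else to check
        protos = {p for a in b.get("ssl_protocols", []) for p in a}
        findings += [f"{name}: deprecated protocol {p} enabled" for p in sorted(protos & DEPRECATED)]
        hsts = " ".join(" ".join(a[1:]) for a in b.get("add_header", []) if a[:1] == ["Strict-Transport-Security"])
        m = re.search(r"max-age=(\d+)", hsts)
        if not m or int(m.group(1)) < MIN_HSTS_MAX_AGE:
            findings.append(f"{name}: HSTS header missing or max-age below {MIN_HSTS_MAX_AGE}")
    return findings
```

Calling audit(NGINX_CONF) on the sample returns two findings, one per deprecated protocol version; to audit the real file, read /etc/nginx/sites-enabled/<site> into a string and pass it instead.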
Automated renewal for SSL certificates
To renew the certificates automatically, we install Certbot, which automates obtaining, deploying and renewing Let's Encrypt certificates on the web server.
Installation of Certbot
On the command line, we run:
$ sudo apt-get update
$ sudo apt-get install software-properties-common
$ sudo add-apt-repository ppa:certbot/certbot
$ sudo apt-get update
$ sudo apt-get install python-certbot-nginx
Generate a certificate with Certbot
$ sudo certbot --nginx
and follow the interactive prompts.
Renew certificate with Certbot
To renew the certificates with Certbot, we type
$ sudo certbot renew --nginx
Automatic renewal
Certbot installs a cron job that automatically renews any certificate whose expiration is within 30 days.
The cron job is located at /etc/cron.d/certbot:
$ cat /etc/cron.d/certbot
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
0 */12 * * * root test -x /usr/bin/certbot -a \! -d /run/systemd/system && perl -e 'sleep int(rand(43200))' && certbot -q renew
This job runs twice a day (with a random delay of up to 12 hours), but a renewal only occurs when a certificate expires within 30 days.