Documentation
  • Read Me
  • Amazon Web Services
  • Nginx
  • MySQL
  • PHP
  • Creation of two database instances
  • Installation of Drupal
  • Installation of CiviCRM
  • Installation of Let's Encrypt
  • Site backup
Powered by GitBook
On this page
  • Generate a certificate
  • Automated renewal for SSL certificates

Was this helpful?

Installation of Let's Encrypt

Let's Encrypt is a free, automated, and open certificate authority brought to users by the non-profit Internet Security Research Group (ISRG).

PreviousInstallation of CiviCRMNextSite backup

Last updated 6 years ago

Was this helpful?

In order to install Let's Encrypt on our EC2 instance, we follow instruction on

First we install git package

$ sudo apt-get install git

We download a clone of Let’s Encrypt from the in into /opt/letsencrypt

$ sudo git clone https://github.com/letsencrypt/letsencrypt /opt/letsencrypt

Generate a certificate

$ cd /opt/letsencrypt
$ sudo -H ./letsencrypt-auto certonly --standalone -d task.woezzon.com -d www.task.woezzon.com

We enter email address for urgent renewal and security notices: info@task.woezzon.com

All HTTP request will be redirect to HTTPS with a 

return 301 https://$host$request_uri;

Nginx final conf file

Our final Nginx conf file looks like

server {
    # Port used for the HTTPS
    listen 443 ssl;

    server_name  task.woezzon.com www.task.woezzon.com;

    # Location of certificates
    ssl_certificate /etc/letsencrypt/live/task.woezzon.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/task.woezzon.com/privkey.pem; # managed by Certbot

    # To allow only the most secure SSL protocols
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;

    # Diffie-Hellman parameter for DHE ciphersuites
    ssl_dhparam /etc/ssl/certs/dhparam.pem;

    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:50m;
    ssl_stapling on;
    ssl_stapling_verify on;
    add_header Strict-Transport-Security max-age=15768000;


    # Drupal folder
    root /var/www/drupal;
    index index.php  index.html index.htm index.nginx-debian.html;

    location / {
        try_files $uri $uri/ =404;
    }

    location ~ \.php$ {
        include snippets/fastcgi-php.conf;
        fastcgi_pass unix:/run/php/php7.0-fpm.sock;
    }

    location ~ /\.ht {
        deny all;
     }

    # Protect CiviCRM's private files
    location ~* ^/sites/(.*)/files/civicrm/(ConfigAndLog|templates_c|upload|custom) {
      deny all;
    }
}

server {
   # HTTP requests are redirected to HTTPS
   listen 80;
   server_name task.woezzon.com www.task.woezzon.com;
   return 301 https://$host$request_uri;
}

Automated renewal for SSL certificates

Installation of Certbot

In command line, we make

$ sudo apt-get update
$ sudo apt-get install software-properties-common
$ sudo add-apt-repository ppa:certbot/certbot
$ sudo apt-get update
$ sudo apt-get install python-certbot-nginx

Generate a certificate with Certbot

$ sudo certbot --nginx

and we follow instructions.

Renew certificate with Certbot

To renew certificate with Certbot, we type

$ sudo certbot renew --nginx

One advantage of renewing certificate in this way is that it will not require to stop and start Nginx. It will be reloaded on a successful renewal so that visitors to the site are automatically served the new certificate.

Automatic renewal

Certbot has a cron job which renew automatically certificate if expiration is within 30 days.

The cron job is located at /etc/cron.d/certbot

$ cat /etc/cron.d/certbot

SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

0 */12 * * * root test -x /usr/bin/certbot -a \! -d /run/systemd/system && perl -e 'sleep int(rand(43200))' && certbot -q renew

This job will attempt to execute twice a day but renewal will only occur if expiration is within 30 days

To automatically renew the certificates, we shall install which automatically enable HTTPS on website deploying Lets'Encrypt certificates.

https://www.linode.com/docs/security/ssl/install-lets-encrypt-to-create-ssl-certificates/
official GitHub repository
Certbot
https://certbot.eff.org/lets-encrypt/ubuntuxenial-nginxcertbot.eff.org
https://absolutecommerce.co.uk/auto-renew-letsencrypt-nginx-certbotabsolutecommerce.co.uk