# Installation of Let's Encrypt

In order to install Let's Encrypt on our EC2 instance, we follow the instructions at <https://www.linode.com/docs/security/ssl/install-lets-encrypt-to-create-ssl-certificates/>

First we install the **git** package.

```
$ sudo apt-get install git
```

We clone Let's Encrypt from the [official GitHub repository](https://github.com/letsencrypt/letsencrypt) into **/opt/letsencrypt**.

```
$ sudo git clone https://github.com/letsencrypt/letsencrypt /opt/letsencrypt
```

### Generate a certificate

```
$ cd /opt/letsencrypt
$ sudo -H ./letsencrypt-auto certonly --standalone -d task.woezzon.com -d www.task.woezzon.com
```

{% hint style="info" %}
We enter an email address for urgent renewal and security notices: <info@task.woezzon.com>
{% endhint %}

{% hint style="success" %}
All HTTP requests will be redirected to HTTPS with a

```
return 301 https://$host$request_uri;
```

{% endhint %}

#### Nginx final conf file

Our final Nginx conf file looks like this:

```
server {
    # Port used for the HTTPS
    listen 443 ssl;

    server_name  task.woezzon.com www.task.woezzon.com;

    # Location of certificates
    ssl_certificate /etc/letsencrypt/live/task.woezzon.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/task.woezzon.com/privkey.pem; # managed by Certbot

    # Allowed TLS protocol versions (TLSv1 and TLSv1.1 are deprecated; prefer TLSv1.2 and newer)
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;

    # Diffie-Hellman parameter for DHE ciphersuites
    ssl_dhparam /etc/ssl/certs/dhparam.pem;

    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:50m;
    ssl_stapling on;
    ssl_stapling_verify on;
    add_header Strict-Transport-Security max-age=15768000;
    # Drupal folder
    root /var/www/drupal;
    index index.php  index.html index.htm index.nginx-debian.html;

    location / {
        try_files $uri $uri/ =404;
    }

    location ~ \.php$ {
        include snippets/fastcgi-php.conf;
        fastcgi_pass unix:/run/php/php7.0-fpm.sock;
    }

    location ~ /\.ht {
        deny all;
    }

    # Protect CiviCRM's private files
    location ~* ^/sites/(.*)/files/civicrm/(ConfigAndLog|templates_c|upload|custom) {
      deny all;
    }
}

server {
   # HTTP requests are redirected to HTTPS
   listen 80;
   server_name task.woezzon.com www.task.woezzon.com;
   return 301 https://$host$request_uri;
}
```
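As an added check (example code, not part of the page, Nginx or Certbot), the following audits server blocks for the TLS settings used above: it flags the deprecated TLSv1/TLSv1.1 versions in `ssl_protocols`, verifies OCSP stapling and the HSTS `max-age`, and confirms the port 80 block returns a 301 to HTTPS. `NGINX_CONF` is a constructed, shortened copy of the configuration above (cipher list omitted).

```python
"""Audit TLS settings of Nginx server blocks (added example, see lead-in).
NGINX_CONF is a constructed, shortened copy of the page's server blocks.
"""
import re

NGINX_CONF = """
server {
    listen 443 ssl;
    server_name task.woezzon.com www.task.woezzon.com;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_stapling on;
    add_header Strict-Transport-Security max-age=15768000;
}
server {
    listen 80;
    server_name task.woezzon.com www.task.woezzon.com;
    return 301 https://$host$request_uri;
}
"""

DEPRECATED_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
MIN_HSTS_AGE = 15768000  # six months, the value used in the page's config


def server_blocks(conf):  # bodies of top-level `server { ... }` blocks (closing brace at column 0)
    return re.findall(r"server\s*\{(.*?)\n\}", conf, re.S)


def directive(block, name):  # arguments of the first `name ...;` directive, or None
    m = re.search(r"^\s*%s\s+([^;]+);" % re.escape(name), block, re.M)
    return m.group(1).strip() if m else None


def audit(conf):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    for block in server_blocks(conf):
        listen = (directive(block, "listen") or "").split()
        if "ssl" in listen:
            protos = set((directive(block, "ssl_protocols") or "").split())
            bad = sorted(protos & DEPRECATED_PROTOCOLS)
            if bad:
                findings.append("deprecated protocols enabled: " + ", ".join(bad))
            if directive(block, "ssl_stapling") != "on":
                findings.append("OCSP stapling is off")
            hsts = re.search(r'add_header\s+Strict-Transport-Security\s+"?max-age=(\d+)', block)
            if not hsts or int(hsts.group(1)) < MIN_HSTS_AGE:
                findings.append("HSTS missing or max-age below %d" % MIN_HSTS_AGE)
        elif listen and listen[0].split(":")[-1] == "80":
            if not (directive(block, "return") or "").startswith("301 https://"):
                findings.append("port 80 server does not redirect to HTTPS")
    return findings
```

Run `audit(open("/etc/nginx/sites-enabled/default").read())` against the real file to get the same findings for the deployed configuration.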

### Automated renewal for SSL certificates

To automatically renew the certificates, we install [Certbot](https://certbot.eff.org/), which automatically enables HTTPS on websites by deploying Let's Encrypt certificates.

#### Installation of Certbot

On the command line, we run

```bash
$ sudo apt-get update
$ sudo apt-get install software-properties-common
$ sudo add-apt-repository ppa:certbot/certbot
$ sudo apt-get update
$ sudo apt-get install python-certbot-nginx
```

#### Generate a certificate with Certbot

```bash
$ sudo certbot --nginx
```

and we follow the interactive prompts.

#### Renew certificate with Certbot

To renew the certificate with Certbot, we type

```
$ sudo certbot renew --nginx
```

{% hint style="info" %}
One advantage of renewing the certificate in this way is that it does not require stopping and starting Nginx. Nginx is reloaded on a successful renewal so that visitors to the site are automatically served the new certificate.
{% endhint %}

#### Automatic renewal

Certbot installs a cron job which automatically renews the certificate if it expires within 30 days.

The cron job is located at **/etc/cron.d/certbot**

```
$ cat /etc/cron.d/certbot

SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

0 */12 * * * root test -x /usr/bin/certbot -a \! -d /run/systemd/system && perl -e 'sleep int(rand(43200))' && certbot -q renew
```

This job will attempt to execute twice a day, but renewal will only occur if expiration is within 30 days.
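To make the 30-day rule and the twice-daily schedule concrete, the following added example (not Certbot's code) reproduces the renewal decision from the `notAfter=` line that `openssl x509 -noout -enddate` prints, and computes the first 00:00/12:00 cron run at which the renewal window opens. The sample dates are constructed, and the server clock is assumed to run in UTC.

```python
"""Certbot's 30-day renewal rule and the page's cron schedule (added example;
not Certbot's code). Input is the `notAfter=` line printed by
`openssl x509 -noout -enddate -in fullchain.pem`; sample values are constructed
and the server clock is assumed to run in UTC.
"""
from datetime import datetime, timedelta, timezone

RENEW_WITHIN = timedelta(days=30)  # Certbot renews when expiry is this close

# Constructed sample input: one certificate end date and two "current" times
SAMPLE_ENDDATE = "notAfter=Jun 12 10:00:00 2024 GMT"
NOW_DUE = datetime(2024, 5, 20, 8, 0, tzinfo=timezone.utc)
NOW_EARLY = datetime(2024, 4, 1, 0, 0, tzinfo=timezone.utc)


def parse_not_after(enddate_line):
    """Parse 'notAfter=Jun 12 10:00:00 2024 GMT' into an aware UTC datetime."""
    value = " ".join(enddate_line.partition("=")[2].split())  # collapse openssl's day padding
    return datetime.strptime(value, "%b %d %H:%M:%S %Y %Z").replace(tzinfo=timezone.utc)


def days_remaining(enddate_line, now):
    """Whole days until expiry; negative once the certificate has expired."""
    return (parse_not_after(enddate_line) - now).days


def renewal_due(enddate_line, now):
    """True when `certbot renew` would act: expiry within RENEW_WITHIN (or past)."""
    return parse_not_after(enddate_line) - now <= RENEW_WITHIN


def first_renewal_slot(enddate_line):
    """Earliest cron run (00:00 or 12:00) at which the renewal window is open.

    The `sleep int(rand(43200))` in the cron line only spreads the run over
    the following 12 h, so renewal happens no later than the slot after this one.
    """
    due = parse_not_after(enddate_line) - RENEW_WITHIN
    slot = due.replace(hour=0 if due.hour < 12 else 12,
                       minute=0, second=0, microsecond=0)
    if slot < due:
        slot += timedelta(hours=12)
    return slot
```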


{% embed url="https://absolutecommerce.co.uk/auto-renew-letsencrypt-nginx-certbot" %}

{% embed url="https://certbot.eff.org/lets-encrypt/ubuntuxenial-nginx" %}