How To Use LetsEncrypt SSL With Nginx On Ubuntu Server

by | Dec 16, 2015 | How-To/Tips, Security, Wordpress

Using SSL encryption on your website or blogs to protect user’s privacy  is not a bad idea. In fact, Google recommends it.

Google announced few months back, that if you migrate to your websites and blogs to HTTPS, you may get a small bump on its search engine result pages.

Adding SSL encryption also cost money depending on the certificate you want to install. For those who are not making enough money from their websites or blogs but still want to add SSL certificates can use LetsEncrypt.

LetsEncrypt is a free open certificate authority (CA) that provides free certificates for websites and other services.

For more about who behind this, check their page here.

This brief tutorial is going to show you how to easily get LetsEncrypt’s certificates working on Ubuntu for your Nginx webservers.

The first thing to do is to clone the git project to your server. This means downloading the required packages from git to your server.

If you don’t already have git installed, you must install it first. To do that, run the commands below.

sudo apt-get install git

Next, clone LetsEncrypt git project to your server.

git clone https://github.com/letsencrypt/letsencrypt

Then change into the project folder.

cd letsencrypt

When you’re there, run the commands below to generate a SSL certificate for your website or blogs.

./letsencrypt-auto certonly -a standalone -d example.com -d www.example.com

LetsEncrypt puts its keys in this directory /etc/letsencrypt

The final thing to do after generating the certificates is to configure Nginx webserver to use the cert.

More on installing certificate on Ubuntu server for Nginx can be found on this blog post

How To Install SSL Certificates On Nginx Web Server On Ubuntu 15.04

Example configuration for Nginx webserver is as followed:

listen 443 ssl spdy;
listen [::]:443 ssl spdy;
ssl on;
ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
ssl_trusted_certificate /etc/letsencrypt/live/example.com/chain.pem;
#
#
ssl_session_cache shared:SSL:10m;
ssl_protocols TLSv1.1 TLSv1.2;
#
#
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK';
#
#
ssl_prefer_server_ciphers on;
add_header Strict-Transport-Security max-age=15768000;
ssl_stapling on;
ssl_stapling_verify on;
resolver 8.8.8.8 8.8.4.4 valid=86400;
resolver_timeout 10;

Save your configuration and restart Nginx webserver.

That’s it! If everything is setup correctly, your site should be SSL enabled for free.

Enjoy!