Linux Tactic

Secure Your Website with Let's Encrypt SSL and Nginx

How to Secure Your Website with Let's Encrypt SSL Certificates and Nginx

The online world is a dangerous place, and your website can be an easy target for attackers looking to exploit its vulnerabilities. One of the most important steps you can take to protect your website is to secure it with an SSL certificate.

An SSL certificate lets your site serve traffic over HTTPS, which protects sensitive information users send you, such as passwords and credit card numbers, from being read or altered in transit. An SSL certificate also ensures your website meets Google's requirements for secure browsing.

One way to obtain an SSL certificate is through Let's Encrypt, a Certificate Authority (CA) that provides free SSL certificates, eliminating the need to pay for an expensive certificate. In this article, we'll show you how to obtain and secure a Let's Encrypt SSL certificate for your website using Nginx.

Obtaining and Securing a Let's Encrypt SSL Certificate

Installing Certbot

The first step in obtaining a Let's Encrypt SSL certificate is to install Certbot, a tool that automates the certificate request process. Certbot is available on most Linux distributions and can be installed through your package manager or downloaded from the Certbot website.

To get started, open your terminal and type the following command to add the Certbot PPA repository:

```bash
sudo add-apt-repository ppa:certbot/certbot
```

Then update your package list:

```bash
sudo apt-get update
```

Finally, install Certbot:

```bash
sudo apt-get install certbot
```

Generate a Strong DH (Diffie-Hellman) Group

After installing Certbot, the next step is to generate a strong Diffie-Hellman (DH) group. DH is a key-exchange protocol used during the TLS handshake; the parameters you generate here are the group Nginx uses for DHE cipher suites once you point the `ssl_dhparam` directive at the file.

To generate a strong DH group, open your terminal and type the following command:

```bash
sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048
```

It may take a while to generate the DH group, so be patient. A 2048-bit DH group is considered secure, but if you want to further improve security, you can generate a 4096-bit DH group.

Obtaining a Let's Encrypt SSL Certificate

With Certbot installed and a strong DH group generated, you're now ready to obtain your Let's Encrypt SSL certificate. The easiest way to do this is to use the Webroot plugin, which lets Let's Encrypt verify your domain ownership by fetching a file from your web root, without stopping Nginx or changing its configuration.

First, create a directory in your web root folder where the verification files will be stored. For example, if your web root folder is `/var/www/html/`, create the directory `.well-known/acme-challenge/` inside it:

```bash
sudo mkdir -p /var/www/html/.well-known/acme-challenge
```

Next, run Certbot with the Webroot plugin and provide the domain name and web root directory:

```bash
sudo certbot certonly --webroot -w /var/www/html -d example.com -d www.example.com
```

This command will request the SSL certificate for example.com and www.example.com.

The certificate files will be stored in the `/etc/letsencrypt/live/` directory.

Auto-Renewing Let's Encrypt SSL Certificate

Let's Encrypt SSL certificates expire every 90 days, so it's important to set up automatic renewal to ensure your website remains secure. Certbot provides a simple way to do this using a cron job.

Open your terminal and type the following command to edit the crontab:

```bash
sudo crontab -e
```

Then add the following line to the bottom of the file:

```bash
15 3 * * * /usr/bin/certbot renew --quiet
```

This cron job will run Certbot every day at 3:15 am and renew any SSL certificates that are due to expire within the next 30 days.
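To verify that renewal is actually keeping up, the following script (an added example, not part of the original article) reads a certificate's expiry date and reports whether it has entered Certbot's 30-day renewal window, which is the condition a monitoring job should alert on. It assumes GNU `date` (as shipped on Ubuntu) and the `openssl` command-line tool; the `CERT_PATH` variable and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original article): report how many days a certificate
# has left and whether it is inside Certbot's 30-day renewal window.
# Assumes GNU date (Ubuntu coreutils) and the openssl CLI; CERT_PATH is this example's own variable.

# Convert an openssl notAfter value such as "Mar 10 12:00:00 2099 GMT" into whole days
# from now until expiry. Negative means already expired. Returns 2 if the date is unparseable.
days_left_from_notafter() {
    expiry_epoch=$(date -u -d "$1" +%s) || return 2
    now_epoch=$(date -u +%s)
    echo $(( (expiry_epoch - now_epoch) / 86400 ))
}

# Exit 0 when the remaining days are inside Certbot's default renewal window (under 30 days).
renewal_due() {
    [ "$1" -lt 30 ]
}

# Read notAfter from a PEM certificate and classify it.
# Returns 0 when the certificate is fine, 1 when renewal is due (so a cron job can alert), 2 on error.
check_cert_file() {
    cert="$1"
    notafter=$(openssl x509 -in "$cert" -noout -enddate | sed 's/^notAfter=//') || return 2
    [ -n "$notafter" ] || return 2
    days=$(days_left_from_notafter "$notafter") || return 2
    if renewal_due "$days"; then
        echo "RENEW: $cert expires in $days day(s); check that 'certbot renew' is running"
        return 1
    fi
    echo "OK: $cert expires in $days day(s)"
    return 0
}

# Usage: CERT_PATH=/etc/letsencrypt/live/example.com/cert.pem sh cert-check.sh
if [ -n "${CERT_PATH:-}" ]; then
    check_cert_file "$CERT_PATH"
fi
```

Run it from a second cron entry a few hours after the `certbot renew` job; a non-zero exit a day or two into the renewal window means the renewal is failing silently, which is exactly the case `--quiet` hides.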

Prerequisites for Securing Nginx with Let's Encrypt

Domain Name and Nginx Installation

To secure your website with Let's Encrypt SSL certificates using Nginx, you'll need a domain name and an installation of Nginx. Nginx is a lightweight web server that's popular for its performance and scalability.

If you don't have Nginx installed, you can do so through your package manager or by downloading it from the Nginx website.

Server Block for Domain

Finally, you'll need to set up a server block for your domain in Nginx. A server block is a configuration file that specifies how Nginx should respond to requests for a particular domain.

To set up a server block for your domain, create a new file in the `/etc/nginx/sites-available/` directory called `example.com`:

```bash
sudo nano /etc/nginx/sites-available/example.com
```

Then add the following configuration code:

```nginx
server {
    listen 80;
    listen [::]:80;
    server_name example.com www.example.com;

    location / {
        return 301 https://$server_name$request_uri;
    }
}
```

This code redirects all HTTP requests to HTTPS. Save and close the file, then create a symbolic link in the `/etc/nginx/sites-enabled/` directory:

```bash
sudo ln -s /etc/nginx/sites-available/example.com /etc/nginx/sites-enabled/
```

Finally, restart Nginx to apply the changes:

```bash
sudo systemctl restart nginx
```

Conclusion

Securing your website with Let's Encrypt SSL certificates and Nginx is an important step in protecting your users' sensitive information and maintaining Google's trust. By following the steps outlined in this article, you can obtain and secure a Let's Encrypt SSL certificate for your website and set up auto-renewal to ensure your website remains secure.

Remember to always keep your software up-to-date and regularly check your website for vulnerabilities to stay one step ahead of potential attackers.

Mapping HTTP Requests and Configuring Nginx for Let's Encrypt

Once you've obtained your Let's Encrypt SSL certificate, the next step is to configure Nginx to serve the new, secure HTTPS version of your website. Here's how to do it.

Create Snippets for Let's Encrypt and SSL

Snippets are reusable pieces of configuration that you include in your Nginx server blocks to avoid repeating the same directives. Create two snippets: `letsencrypt.conf` for serving Let's Encrypt verification requests and `ssl.conf` for configuring SSL.

Create the `/etc/nginx/snippets/letsencrypt.conf` file:

```bash
sudo nano /etc/nginx/snippets/letsencrypt.conf
```

Then add the following code:

```nginx
# Let's Encrypt verification: serve ACME challenge files from the web root.
# This snippet is included inside server blocks, so it may only contain
# location-level directives; the HTTP-to-HTTPS redirect belongs in the
# site's own port-80 server block, not here.
location ^~ /.well-known/acme-challenge/ {
    allow all;
    root /var/www/html;
    default_type "text/plain";
    try_files $uri =404;
}
```

Create the `/etc/nginx/snippets/ssl.conf` file:

```bash
sudo nano /etc/nginx/snippets/ssl.conf
```

Then add the following code:

```nginx
ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
# Use the DH group generated earlier; without this directive that file is never used
ssl_dhparam /etc/ssl/certs/dhparam.pem;
ssl_session_cache shared:SSL:50m;
ssl_session_timeout 1d;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers on;
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
```
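Because a snippet like this is easy to weaken by accident (a stray `TLSv1`, `cert.pem` instead of `fullchain.pem`), here is a small audit script, an added example that is not part of the original article, which reads an SSL snippet and flags the settings above that matter most: legacy protocols, a certificate file that is not the full chain, `ssl_prefer_server_ciphers` not set to `on`, a missing `ssl_dhparam`, and a missing `Strict-Transport-Security` header. The HSTS check goes beyond the article's snippet, which does not set that header; the two sample snippets the script writes to temporary files are constructed for the demonstration, and the function names are this example's own.

```shell
#!/bin/sh
# Added example: audit an Nginx SSL snippet for weak settings.
# Not part of the original article; function names and sample snippets are constructed here.

# Write stdin to a temporary file and print its path (used for the constructed samples).
write_tmp() {
    tmp=$(mktemp) || return 1
    cat > "$tmp"
    echo "$tmp"
}

# Constructed sample: a weakened snippet with several common mistakes.
weak_snippet() {
    write_tmp <<'EOF'
ssl_certificate /etc/letsencrypt/live/example.com/cert.pem;
ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers off;
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
EOF
}

# Constructed sample: the article's ssl.conf plus ssl_dhparam and an HSTS header.
hardened_snippet() {
    write_tmp <<'EOF'
ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
ssl_dhparam /etc/ssl/certs/dhparam.pem;
ssl_session_cache shared:SSL:50m;
ssl_session_timeout 1d;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers on;
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
add_header Strict-Transport-Security "max-age=63072000" always;
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
EOF
}

# Record one finding and keep counting (fails is shared with audit_ssl_snippet).
fail() {
    echo "FAIL: $1"
    fails=$((fails + 1))
}

# Audit the snippet at $1. Prints one FAIL line per finding; returns 0 only if clean.
audit_ssl_snippet() {
    file="$1"
    fails=0

    # Only TLS 1.2 and 1.3 are acceptable. Tokenise the directive instead of
    # pattern-matching so "TLSv1" is not confused with "TLSv1.2".
    protocols=$(sed -n 's/^[[:space:]]*ssl_protocols[[:space:]]*\(.*\);.*/\1/p' "$file")
    [ -n "$protocols" ] || fail "no ssl_protocols directive; Nginx's built-in default applies"
    for p in $protocols; do
        case "$p" in
            TLSv1.2|TLSv1.3) ;;
            *) fail "legacy protocol $p is enabled" ;;
        esac
    done

    # Clients need the intermediate chain, so the certificate must be fullchain.pem.
    grep -Eq '^[[:space:]]*ssl_certificate[[:space:]]+[^;]*fullchain\.pem' "$file" \
        || fail "ssl_certificate does not point at fullchain.pem"
    grep -Eq '^[[:space:]]*ssl_prefer_server_ciphers[[:space:]]+on' "$file" \
        || fail "ssl_prefer_server_ciphers is not on"
    grep -Eq '^[[:space:]]*ssl_dhparam[[:space:]]' "$file" \
        || fail "no ssl_dhparam; the generated DH group is never used"
    grep -Eq '^[[:space:]]*add_header[[:space:]]+Strict-Transport-Security' "$file" \
        || fail "no Strict-Transport-Security header"

    [ "$fails" -eq 0 ]
}

# Usage: sh audit-ssl.sh /etc/nginx/snippets/ssl.conf
if [ -n "${1:-}" ]; then
    audit_ssl_snippet "$1"
fi
```

Run it against `/etc/nginx/snippets/ssl.conf` after every edit and before `systemctl restart nginx`; the checks are deliberately line-based so the script has no dependency beyond `sed` and `grep`, and `nginx -t` still has to confirm that the file parses.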

Include Snippets in Domain Server Block

After creating the snippets, you can include them in your domain server block. Open the `/etc/nginx/sites-available/example.com` file:

```bash
sudo nano /etc/nginx/sites-available/example.com
```

Then add the snippets to the file:

```nginx
server {
    listen 80;
    listen [::]:80;
    server_name example.com www.example.com;

    include snippets/letsencrypt.conf;

    # Keep the redirect inside a location block: a server-level "return"
    # runs before location matching and would shadow the ACME challenge path.
    location / {
        return 301 https://$server_name$request_uri;
    }
}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name example.com www.example.com;

    include snippets/ssl.conf;
    include snippets/letsencrypt.conf;

    root /var/www/html;
    index index.html;

    location / {
        try_files $uri $uri/ =404;
    }
}
```

Note the changes to the server block: 443 is the HTTPS port, `ssl` enables SSL, and `http2` enables the HTTP/2 protocol.

Enable Server Block File

Now that your domain server block is set up, you need to enable it. Create a symbolic link to the `sites-enabled` directory:

```bash
sudo ln -s /etc/nginx/sites-available/example.com /etc/nginx/sites-enabled/
```

Then restart Nginx to apply the changes:

```bash
sudo systemctl restart nginx
```

Edit Domain Server Block for HTTPS and Non-www Version

By default, your SSL certificate is valid for both the `www` and non-`www` versions of your domain. However, you should pick one of them as the canonical version and redirect the other to it.

For example, to make the `www` version canonical, redirect the bare domain to it, as the configuration below does (to prefer the non-`www` version instead, swap the two hostnames). Open the `/etc/nginx/sites-available/example.com` file:

```bash
sudo nano /etc/nginx/sites-available/example.com
```

Then split the HTTPS server block for `example.com` in two: one block that only redirects the bare domain, and one that serves the site under `www.example.com`:

```nginx
# The port-80 server block from the previous step stays as it is.

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name example.com;

    # The certificate covers both names; without it this SSL server block
    # cannot complete the TLS handshake for https://example.com.
    include snippets/ssl.conf;

    return 301 https://www.example.com$request_uri;
}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name www.example.com;

    include snippets/ssl.conf;
    include snippets/letsencrypt.conf;

    root /var/www/html;
    index index.html;

    location / {
        try_files $uri $uri/ =404;
    }
}
```

Note that the two hostnames that previously shared one `server_name` directive are now handled by separate server blocks.

Obtaining and Auto-Renewing Let's Encrypt SSL Certificates with Certbot on Ubuntu 18.04 Using Nginx

Certbot is free and open source software that automates the process of obtaining, installing, and renewing SSL/TLS certificates from Let's Encrypt. Here is a step-by-step guide on how to obtain and auto-renew Let's Encrypt SSL certificates using Certbot on Ubuntu 18.04 with Nginx.

Prerequisites

Before you start, you need a domain name and an installation of Nginx. You also need to open port 80 on your firewall to allow Let's Encrypt to verify your domain ownership.

Certbot Installation

First, add the Certbot PPA:

```bash
sudo add-apt-repository ppa:certbot/certbot
```

Then update your package list:

```bash
sudo apt-get update
```

Finally, install Certbot for Nginx:

```bash
sudo apt-get install python-certbot-nginx
```

DH Parameter Generation

Generate a strong Diffie-Hellman (DH) parameter:

```bash
sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048
```

Obtaining SSL Certificate with Webroot Plugin

Use Certbot with the Webroot plugin to obtain your SSL certificate:

```bash
sudo certbot --nginx -d example.com -d www.example.com \
  --email [email protected] \
  --agree-tos \
  --redirect \
  --webroot-path /var/www/html
```

This command requests the SSL certificate for `example.com` and `www.example.com`, registers an email address for renewal reminders, agrees to the terms of service, and asks Certbot to add an HTTPS redirect. With `--nginx` selected, Certbot proves domain ownership through your running Nginx and writes the certificate directives into the server block itself; the `--webroot-path` value only matters when the webroot authenticator is used. The certificate files will be stored in the `/etc/letsencrypt/live/` directory.

Editing Domain Server Block for HTTPS and Non-www Version

To configure Nginx to serve your SSL certificate, modify the server block for `example.com` as follows:

```nginx
server {
    listen 80;
    listen [::]:80;
    server_name example.com www.example.com;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name example.com www.example.com;

    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
    ssl_dhparam /etc/ssl/certs/dhparam.pem;
    # Protocol, cipher and header settings; this guide does not show the contents of this file
    include snippets/ssl-params.conf;

    root /var/www/html;
    index index.html;

    location / {
        try_files $uri $uri/ =404;
    }
}
```

Auto-Renewing SSL Certificate

Once you’ve obtained your SSL certificate, you’ll want to set up auto-renewal. Certbot provides a renewal script that runs twice a day and automatically renews any certificates that expire within 30 days.

You don't need to do anything to set it up: it's added automatically to your crontab during the Certbot installation.

Conclusion

Securing your website with Let's Encrypt SSL certificates is an essential step in ensuring user confidence in your website and protecting sensitive data. By following the steps outlined in this article, you can configure Nginx to serve your SSL certificates, and set up auto-renewal to ensure your website remains secure.

Remember to regularly check your website for vulnerabilities, and always keep your software up-to-date. Securing your website with Let's Encrypt SSL certificates and configuring Nginx is crucial to protect user data and ensure trust.

In this article, we covered the steps for obtaining and securing a Let’s Encrypt SSL certificate, mapping HTTP requests, and configuring Nginx. We also provided a step-by-step guide for obtaining and auto-renewing Let’s Encrypt SSL certificates using Certbot on Ubuntu 18.04 with Nginx.

By following these steps and keeping your software up to date, you can guarantee a secure browsing experience for your users and maintain Google’s requirements. Remember to prioritize security and regularly check for vulnerabilities to stay ahead of potential attackers.
