@ratulbasak
Last active July 19, 2017 11:06
configure ssl with letsencrypt
## configure ssl with letsencrypt

1. Clone the client from git:
   ```sh
   sudo git clone https://github.com/letsencrypt/letsencrypt /opt/letsencrypt
   ```
2. Stop the nginx service (the standalone authenticator has to bind the web port that nginx is holding):
   ```sh
   sudo systemctl stop nginx.service
   ```
3. Go to the letsencrypt dir:
   ```sh
   cd /opt/letsencrypt
   ```
4. Now run the standalone certonly command to generate the certificate:
   ```sh
   ./letsencrypt-auto certonly --standalone
   ```
5. Go to /etc/nginx/sites-enabled/nginx.conf and edit the file. The demo file is multi-app-nginx.conf. Replace the certificate path in the "ssl_certificate" block with your own. The fullchain.pem and privkey.pem must belong to the same lineage (the same live/<name>/ directory), otherwise nginx rejects the pair as a key mismatch:
   ```nginx
   ssl_certificate /etc/letsencrypt/live/app1.inov.io/fullchain.pem;
   ssl_certificate_key /etc/letsencrypt/live/app1.inov.io-0001/privkey.pem;
   ```
6. Paste the following fields under the ssl_certificate block:
   ```nginx
   ssl on;
   ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
   ssl_prefer_server_ciphers on;
   ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
   ```
7. Restart the nginx service (running `sudo nginx -t` first catches a bad certificate path before the restart takes the site down):
   ```sh
   sudo systemctl restart nginx.service
   ```
8. When you need to renew the certificate later (Let's Encrypt certificates expire after 90 days), just repeat steps 2, 3, 4 and 7.
multi-app-nginx.conf (the demo file referenced in step 5):

```nginx
server {
    listen 80;
    server_name app1.domain;
    return 301 https://$host$request_uri;
}
server {
    listen 443 ssl;
    server_name app1.domain;
    ssl_certificate /etc/letsencrypt/live/app1.domain/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/app1.domain/privkey.pem;
    ssl on;  # redundant with "listen 443 ssl"; the directive was deprecated in nginx 1.15.0
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;  # TLSv1 and TLSv1.1 are legacy; drop them unless old clients need them
    ssl_prefer_server_ciphers on;
    ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
    location ~ /.well-known {
        allow all;  # challenge path; unused with --standalone, which serves the challenge itself
    }
    location / {
        alias /home/ubuntu/client-app;  # no effect here: requests are proxied, not served from disk
        proxy_pass http://localhost:4000;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_set_header Host $host;
        proxy_cache_bypass $http_upgrade;
    }
}
server {
    listen 80;
    server_name api.app1.domain;
    return 301 https://$host$request_uri;
}
server {
    listen 443 ssl;
    server_name api.app1.domain;
    ssl_certificate /etc/letsencrypt/live/api.app1.domain/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/api.app1.domain/privkey.pem;
    ssl on;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
    location ~ /.well-known {
        allow all;
    }
    location / {
        alias /home/ubuntu/api-server;
        proxy_pass http://localhost:3000;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_set_header Host $host;
        proxy_cache_bypass $http_upgrade;
    }
}
server {
    listen 80;
    server_name admin.app1.domain;
    return 301 https://$host$request_uri;
}
server {
    listen 443 ssl;
    server_name admin.app1.domain;
    ssl_certificate /etc/letsencrypt/live/admin.app1.domain/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/admin.app1.domain/privkey.pem;
    ssl on;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
    location ~ /.well-known {
        allow all;
    }
    location / {
        alias /home/ubuntu/dashboard;
        proxy_pass http://127.0.0.1:4050;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_set_header Host $host;
        proxy_cache_bypass $http_upgrade;
    }
}
```
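The config above repeats the same TLS stanza for three hosts, and the sample paths in step 5 take fullchain.pem and privkey.pem from two different lineages. As an added example (not part of the gist), here is a small Python checker that splits an nginx file into server blocks and flags the bare `ssl on;` directive, legacy protocols, a certificate/key pair from different directories, and an `alias` inside a `proxy_pass` location. The embedded config is a constructed sample in the gist's shape; the function names are mine.

```python
import os

# Constructed sample in the gist's shape; the key path is deliberately from another lineage.
SAMPLE_CONF = """
server {
listen 443 ssl;
server_name app1.domain;
ssl_certificate /etc/letsencrypt/live/app1.domain/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/app1.domain-0001/privkey.pem;
ssl on;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
location / {
alias /home/ubuntu/client-app;
proxy_pass http://localhost:4000;
}
}
"""

def server_blocks(conf):
    """Top-level server blocks as dicts of directive -> first argument string (locations flattened)."""
    blocks, depth, cur = [], 0, {}
    for line in filter(None, (raw.strip() for raw in conf.splitlines())):
        if line.endswith("{"):
            if depth == 0:
                cur = {}
            depth += 1
        elif line == "}":
            depth -= 1
            if depth == 0:
                blocks.append(cur)
        else:
            name, _, args = line.rstrip(";").partition(" ")
            cur.setdefault(name, args)  # first occurrence wins
    return blocks

def audit(conf):
    """Return (server_name, finding) pairs for every server block in conf."""
    out = []
    for d in server_blocks(conf):
        name = d.get("server_name", "?")
        if "ssl" in d:  # the bare 'ssl on;' directive
            out.append((name, "ssl on; is deprecated since nginx 1.15.0; listen ... ssl suffices"))
        legacy = [p for p in d.get("ssl_protocols", "").split() if p in ("SSLv3", "TLSv1", "TLSv1.1")]
        if legacy:
            out.append((name, "legacy protocols enabled: " + " ".join(legacy)))
        if os.path.dirname(d.get("ssl_certificate", "")) != os.path.dirname(d.get("ssl_certificate_key", "")):
            out.append((name, "certificate and key come from different lineage directories"))
        if "alias" in d and "proxy_pass" in d:
            out.append((name, "alias has no effect in a proxy_pass location"))
    return out
```

Running `audit(SAMPLE_CONF)` yields four findings for app1.domain; after removing `ssl on;` and the alias, restricting `ssl_protocols` to TLSv1.2 and later, and pointing both paths at the same live/ directory, it yields none.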