Skip to content

Instantly share code, notes, and snippets.

@rictorres
Last active Apr 14, 2017
Embed
What would you like to do?
getting ssl with certbot

Free SSL with Certbot on Ubuntu

1. install certbot

sudo add-apt-repository ppa:certbot/certbot

2. obtain a cert

certbot certonly --standalone --email EMAIL -d example.com -d www.example.com

Certs will be saved to /etc/letsencrypt/live/example.com/

3. auto renewal

certbot renew --dry-run

4. dhparam

openssl dhparam -out dhparam.pem 4096

Move it to /etc/ssl/certs/ or any other place accessible by nginx.

5. update nginx configs

server {
  listen 443 ssl;
  server_name example.com;

  # certificate settings
  ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
  ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

  # ssl configs
  ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
  ssl_ciphers 'EECDH+AESGCM EDH+AESGCM AES256+EECDH AES256+EDH !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4';

  # enables server-side protection from BEAST attacks
  ssl_prefer_server_ciphers on;

  # enable session resumption to improve https performance
  ssl_session_cache shared:SSL:10m;
  ssl_session_timeout 5m;

  # Diffie-Hellman parameter for DHE ciphersuites, recommended >= 2048 bits
  ssl_dhparam /etc/ssl/certs/dhparam.pem;

  # enable ocsp stapling
  ssl_stapling on;
  ssl_stapling_verify on;
  resolver 8.8.4.4 8.8.8.8 valid=300s;
  resolver_timeout 10s;
  
  # enable hsts (please read about the consequences first)
  # add_header Strict-Transport-Security "max-age=15768000";
}

6. update ssl lib and restart nginx

sudo apt-get install --only-upgrade libssl1.0.0 openssl
sudo service nginx upgrade
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment