Last active April 14, 2017 12:55
getting ssl with certbot

Free SSL with Certbot on Ubuntu

1. install certbot

sudo add-apt-repository ppa:certbot/certbot
sudo apt-get update
sudo apt-get install certbot

2. obtain a cert

certbot certonly --standalone --email EMAIL -d -d

Certs will be saved to /etc/letsencrypt/live/

3. auto renewal

certbot renew --dry-run
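A renewal wrapper for the standalone case, added here as an example and not part of the gist. Because `--standalone` runs certbot's own temporary web server, `certbot renew` cannot bind port 80 (or 443) while nginx is listening there, so the script stops nginx before the attempt and starts it again afterwards with certbot's `--pre-hook` and `--post-hook` options. `DRY_RUN=1` adds `--dry-run` as in step 3; the `CERTBOT` and `LOG` variables and the cron schedule are this example's own assumptions, not certbot features.

```shell
#!/bin/sh
# Added example (not from the gist): renew certificates obtained with
# "certbot certonly --standalone" without colliding with nginx on port 80/443.
# CERTBOT defaults to the real binary; overriding it (e.g. CERTBOT=echo) only
# prints the command that would run. Both variables are conventions of this
# example, not certbot options.
CERTBOT="${CERTBOT:-certbot}"
LOG="${LOG:-/var/log/certbot-renew.log}"

# Run "certbot renew" with hooks that free the port for the standalone
# authenticator. --pre-hook/--post-hook only run when at least one
# certificate is actually due, so nginx is not bounced on the frequent
# no-op runs. Set DRY_RUN=1 to exercise the whole path against staging.
renew_certs() {
    set -- renew --non-interactive \
        --pre-hook "service nginx stop" \
        --post-hook "service nginx start"
    if [ "${DRY_RUN:-0}" = 1 ]; then
        set -- "$@" --dry-run
    fi
    "$CERTBOT" "$@"
}

# A /etc/cron.d style line that runs this script twice a day (Let's Encrypt
# recommends checking for renewal at least that often). The script path is
# the caller's choice; the default is an assumption.
cron_entry() {
    script="${1:-/usr/local/sbin/renew-standalone.sh}"
    echo "17 */12 * * * root $script run >> $LOG 2>&1"
}

# usage: sh renew-standalone.sh run        (perform the renewal)
#        sh renew-standalone.sh cron       (print the cron line)
case "${1:-}" in
    run)  renew_certs ;;
    cron) cron_entry "$0" ;;
esac
```

Run it once with `DRY_RUN=1 sh renew-standalone.sh run` before installing the cron line; a dry run that fails because the port is busy is the symptom the hooks are there to fix.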

4. dhparam

openssl dhparam -out dhparam.pem 4096

Move it to /etc/ssl/certs/ or any other place accessible by nginx.

5. update nginx configs

server {
  listen 443 ssl;

  # certificate settings
  ssl_certificate /etc/letsencrypt/live/;
  ssl_certificate_key /etc/letsencrypt/live/;

  # ssl configs
  # note: TLSv1 and TLSv1.1 have since been deprecated (RFC 8996); prefer TLSv1.2 and newer
  ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

  # use the server's cipher order instead of the client's
  ssl_prefer_server_ciphers on;

  # enable session resumption to improve https performance
  ssl_session_cache shared:SSL:10m;
  ssl_session_timeout 5m;

  # Diffie-Hellman parameter for DHE ciphersuites, recommended >= 2048 bits
  ssl_dhparam /etc/ssl/certs/dhparam.pem;

  # enable ocsp stapling (resolver needs the address of a nameserver nginx can reach)
  ssl_stapling on;
  ssl_stapling_verify on;
  resolver valid=300s;
  resolver_timeout 10s;

  # enable hsts (please read about the consequences first)
  # add_header Strict-Transport-Security "max-age=15768000";
}
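To make the review points concrete, here is an added shell audit (example code, not from the gist) that greps an nginx server block for the settings worth fixing in the config above: TLS 1.0/1.1 still offered, certificate paths left as the /etc/letsencrypt/live/ placeholder, a resolver line without a nameserver address (OCSP stapling needs one), and HSTS left commented out. It writes two constructed sample configs to temporary files, the gist's block and a corrected one; example.com and 127.0.0.1 in the corrected block are placeholders.

```shell
#!/bin/sh
# Added example (not from the gist): audit the TLS directives of an nginx
# server block. Prints one finding per line and returns the number of
# findings, so 0 means nothing was flagged. Sample configs are constructed
# below; example.com and 127.0.0.1 are placeholders.

audit_nginx_tls() {
    conf="$1"
    n=0

    # TLS 1.0/1.1 were deprecated by RFC 8996; offer TLS 1.2 and newer only.
    if grep -Eq '^[[:space:]]*ssl_protocols[^;]*TLSv1(\.1)?[[:space:];]' "$conf"; then
        echo "WARN  ssl_protocols: TLSv1/TLSv1.1 enabled (deprecated, RFC 8996)"
        n=$((n + 1))
    fi

    # Certificate paths still end in "/" (the live/ placeholder was never filled).
    if grep -Eq '^[[:space:]]*ssl_certificate(_key)?[[:space:]]+[^;]*/;' "$conf"; then
        echo "ERROR ssl_certificate: path ends in '/', fullchain.pem/privkey.pem not set"
        n=$((n + 1))
    fi

    # OCSP stapling needs a resolver with a nameserver address; a resolver line
    # whose first argument is a parameter (valid=, ipv6=) or ";" has none.
    if grep -Eq '^[[:space:]]*ssl_stapling[[:space:]]+on;' "$conf" \
       && grep -Eq '^[[:space:]]*resolver[[:space:]]+(valid=|ipv6=|;)' "$conf"; then
        echo "ERROR resolver: no nameserver address given, stapling cannot fetch OCSP responses"
        n=$((n + 1))
    fi

    # HSTS still commented out (only uncommented add_header lines count).
    if ! grep -Eq '^[[:space:]]*add_header[[:space:]]+Strict-Transport-Security' "$conf"; then
        echo "INFO  hsts: Strict-Transport-Security header not enabled"
        n=$((n + 1))
    fi

    return "$n"
}

WEAK_CONF=$(mktemp)
HARDENED_CONF=$(mktemp)
trap 'rm -f "$WEAK_CONF" "$HARDENED_CONF"' EXIT

# Constructed sample: the gist's directives as written, placeholders unfilled.
cat > "$WEAK_CONF" <<'EOF'
server {
  listen 443 ssl;
  ssl_certificate /etc/letsencrypt/live/;
  ssl_certificate_key /etc/letsencrypt/live/;
  ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
  ssl_prefer_server_ciphers on;
  ssl_dhparam /etc/ssl/certs/dhparam.pem;
  ssl_stapling on;
  ssl_stapling_verify on;
  resolver valid=300s;
  resolver_timeout 10s;
  # add_header Strict-Transport-Security "max-age=15768000";
}
EOF

# Constructed sample: the same block with each finding addressed. example.com
# is a placeholder; 127.0.0.1 assumes a local caching resolver; TLSv1.3 needs
# nginx 1.13+ built against OpenSSL 1.1.1.
cat > "$HARDENED_CONF" <<'EOF'
server {
  listen 443 ssl;
  ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
  ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
  ssl_protocols TLSv1.2 TLSv1.3;
  ssl_prefer_server_ciphers on;
  ssl_dhparam /etc/ssl/certs/dhparam.pem;
  ssl_stapling on;
  ssl_stapling_verify on;
  resolver 127.0.0.1 valid=300s;
  resolver_timeout 10s;
  add_header Strict-Transport-Security "max-age=15768000" always;
}
EOF

report() {
    printf '== %s ==\n' "$1"
    audit_nginx_tls "$2" && echo "no findings" || echo "$? finding(s)"
    return 0
}
report "gist config" "$WEAK_CONF"
report "hardened config" "$HARDENED_CONF"
```

Point `audit_nginx_tls` at a real site file (`audit_nginx_tls /etc/nginx/sites-enabled/default`) to reuse it; the checks are deliberately line-based greps, so directives split across lines or set in an included file are not seen, and `nginx -t` remains the authority on whether the file loads at all.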

6. update ssl lib and restart nginx

sudo apt-get install --only-upgrade libssl1.0.0 openssl
sudo service nginx upgrade