Last active Apr 14, 2017
getting ssl with certbot

Free SSL with Certbot on Ubuntu

1. install certbot

sudo add-apt-repository ppa:certbot/certbot
sudo apt-get update && sudo apt-get install certbot

2. obtain a cert

sudo certbot certonly --standalone --email EMAIL -d DOMAIN -d www.DOMAIN

Certs will be saved to /etc/letsencrypt/live/. Standalone mode starts its own temporary web server on port 80 to answer the validation challenge, so nothing else (nginx included) may be listening there while the command runs.

3. auto renewal

sudo certbot renew --dry-run

The dry run only checks that renewal would succeed; the certbot package installs a scheduled job that runs certbot renew for you, so nothing more is needed once the dry run passes. If nginx also listens on port 80, a standalone renewal will need it stopped for the duration (certbot's --pre-hook and --post-hook can do that), or switch to the --webroot authenticator.

4. dhparam

openssl dhparam -out dhparam.pem 4096

Move it to /etc/ssl/certs/ or any other place accessible by nginx.

5. update nginx configs

server {
  listen 443 ssl;

  # certificate settings
  # DOMAIN is a placeholder for the directory certbot created under /etc/letsencrypt/live/;
  # fullchain.pem and privkey.pem are the file names certbot writes there
  ssl_certificate /etc/letsencrypt/live/DOMAIN/fullchain.pem;
  ssl_certificate_key /etc/letsencrypt/live/DOMAIN/privkey.pem;

  # ssl configs
  # TLSv1 and TLSv1.1 are deprecated; drop them unless legacy clients force you to keep them
  ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

  # prefer the server's cipher order over the client's
  ssl_prefer_server_ciphers on;

  # enable session resumption to improve https performance
  ssl_session_cache shared:SSL:10m;
  ssl_session_timeout 5m;

  # Diffie-Hellman parameter for DHE ciphersuites, recommended >= 2048 bits
  ssl_dhparam /etc/ssl/certs/dhparam.pem;

  # enable ocsp stapling
  # nginx needs a DNS resolver to reach the OCSP responder; RESOLVER_IP is a placeholder
  # for one it can query (e.g. the nameserver from /etc/resolv.conf)
  ssl_stapling on;
  ssl_stapling_verify on;
  resolver RESOLVER_IP valid=300s;
  resolver_timeout 10s;

  # enable hsts (please read about the consequences first)
  # add_header Strict-Transport-Security "max-age=15768000";
}

6. update ssl lib and restart nginx

sudo apt-get install --only-upgrade libssl1.0.0 openssl
sudo nginx -t
sudo service nginx restart
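Before reloading nginx with a server block like the one in step 5, it is worth checking it for the weak settings that this kind of copy-pasted config tends to carry. The script below is an added example written for this page, not code from the gist: it strips comments, splits the config into directives, and flags deprecated protocol versions, a missing ssl_dhparam, stapling without a resolver, and an HSTS header that is still commented out. The two embedded configs are constructed samples (example.com, 127.0.0.53 and the paths are illustrative placeholders), and audit_file is an assumed helper for running the same checks on a real file.

```python
"""Audit an nginx TLS server block for the settings covered in step 5.

Added example for this page, not code from the gist. Works offline on the
two constructed configs below; audit_file() runs the same checks on a real
file.
"""
import re
import shlex

# Constructed sample: the gist's server block with its placeholders filled in.
# example.com and 127.0.0.53 are illustrative, not a real deployment.
WEAK_CONF = """
server {
  listen 443 ssl;
  ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
  ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
  ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
  ssl_prefer_server_ciphers on;
  ssl_session_cache shared:SSL:10m;
  ssl_session_timeout 5m;
  ssl_dhparam /etc/ssl/certs/dhparam.pem;
  ssl_stapling on;
  ssl_stapling_verify on;
  resolver 127.0.0.53 valid=300s;
  resolver_timeout 10s;
  # add_header Strict-Transport-Security "max-age=15768000";
}
"""

# The same block with the two weak points fixed: legacy protocol versions
# dropped and the HSTS header actually emitted.
HARDENED_CONF = WEAK_CONF.replace(
    "ssl_protocols TLSv1 TLSv1.1 TLSv1.2;", "ssl_protocols TLSv1.2 TLSv1.3;"
).replace(
    '# add_header Strict-Transport-Security "max-age=15768000";',
    'add_header Strict-Transport-Security "max-age=15768000" always;',
)

DEPRECATED_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}


def parse_directives(conf):
    """Return [(name, [args]), ...] for every directive in the config text.

    Comments are stripped and braces treated as statement breaks, which is
    enough for the flat ssl_* directives checked here (not a full nginx parser).
    """
    text = re.sub(r"#.*", "", conf)
    text = text.replace("{", ";").replace("}", ";")
    directives = []
    for statement in text.split(";"):
        tokens = shlex.split(statement)
        if tokens:
            directives.append((tokens[0], tokens[1:]))
    return directives


def audit(conf):
    """Return a list of human-readable findings; an empty list means clean."""
    by_name = {}
    for name, args in parse_directives(conf):
        by_name.setdefault(name, []).append(args)
    findings = []

    # Deprecated protocol versions (RFC 8996 retired TLS 1.0 and 1.1).
    enabled = {p for args in by_name.get("ssl_protocols", []) for p in args}
    legacy = sorted(enabled & DEPRECATED_PROTOCOLS)
    if legacy:
        findings.append("ssl_protocols enables deprecated versions: " + " ".join(legacy))

    if "ssl_certificate" not in by_name or "ssl_certificate_key" not in by_name:
        findings.append("ssl_certificate or ssl_certificate_key is missing")

    # Without ssl_dhparam, DHE suites fall back to the built-in default parameters.
    if "ssl_dhparam" not in by_name:
        findings.append("ssl_dhparam is missing")

    # OCSP stapling needs a resolver so nginx can reach the CA's OCSP responder.
    stapling = by_name.get("ssl_stapling", [["off"]])[-1]
    if stapling != ["on"]:
        findings.append("ssl_stapling is off")
    elif "resolver" not in by_name:
        findings.append("ssl_stapling is on but no resolver is configured")

    # HSTS only counts if the add_header line is not commented out.
    hsts = any(args[:1] == ["Strict-Transport-Security"]
               for args in by_name.get("add_header", []))
    if not hsts:
        findings.append("no Strict-Transport-Security header (HSTS disabled)")
    return findings


def audit_file(path):
    """Run the audit on a real config file (assumed helper, not from the gist)."""
    with open(path, encoding="utf-8") as handle:
        return audit(handle.read())


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, audit(conf) or ["no findings"])
```

Run as-is it reports the two findings in the gist's block (legacy protocol versions, HSTS commented out) and nothing for the hardened variant; audit_file("/etc/nginx/sites-enabled/DOMAIN") checks your own file. The parser deliberately ignores nesting, so an ssl_* directive inherited from the http block is not seen; paste the effective server block or run nginx -T and feed it the output.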