Free SSL with Certbot on Ubuntu
certbot
1. install: sudo add-apt-repository ppa:certbot/certbot
2. obtain a cert
certbot certonly --standalone --email EMAIL -d example.com -d www.example.com
Certs will be saved to /etc/letsencrypt/live/example.com/
3. auto renewal (verify the renewal process with a dry run)
certbot renew --dry-run
4. dhparam
openssl dhparam -out dhparam.pem 4096
Move it to /etc/ssl/certs/ or any other place accessible by nginx.
5. update nginx configs
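server {
  listen 443 ssl;
  server_name example.com;

  # certificate settings: the files certbot wrote in step 2
  ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
  ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

  # ssl configs
  # TLS 1.0 and 1.1 are deprecated (RFC 8996) and should no longer be
  # offered; clients that cannot do TLS 1.2 will fail the handshake.
  ssl_protocols TLSv1.2;
  ssl_ciphers 'EECDH+AESGCM EDH+AESGCM AES256+EECDH AES256+EDH !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4';
  # use the server's cipher order above rather than the client's preference
  ssl_prefer_server_ciphers on;

  # enable session resumption to improve https performance
  ssl_session_cache shared:SSL:10m;
  ssl_session_timeout 5m;

  # Diffie-Hellman parameter for DHE ciphersuites, recommended >= 2048 bits
  # (generated in step 4)
  ssl_dhparam /etc/ssl/certs/dhparam.pem;

  # enable ocsp stapling
  ssl_stapling on;
  ssl_stapling_verify on;
  # resolver used for the OCSP responder lookups; these are public Google
  # resolvers, a local/internal resolver can be substituted here
  resolver 8.8.4.4 8.8.8.8 valid=300s;
  resolver_timeout 10s;

  # enable hsts (please read about the consequences first)
  # add_header Strict-Transport-Security "max-age=15768000";
}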
6. update ssl lib and restart nginx
sudo apt-get install --only-upgrade libssl1.0.0 openssl
sudo service nginx upgrade