SSL

Let's Encrypt makes setting up SSL so easy, it should be a crime not to use it, so let's set it up. You should already have your domain name pointed at this server. If you don't, do that now. Done? Great, moving on.

Remember that dhparam last line from ssl_params in the last section? Ephemeral Diffie-Hellman key exchange adds forward secrecy on top of SSL: the session keys are never derived from the server's private key. Say an attacker recorded encrypted traffic, and then somehow got hold of your server's private key. With DH they still would not be able to decrypt the recorded data.

tl;dr create dhparam.pem (this might take a while). You should still be operating as the root user.

openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048

Grab a copy of letsencrypt.

git clone https://github.com/letsencrypt/letsencrypt /opt/letsencrypt

Letsencrypt needs to serve files temporarily to verify domain ownership, among other things.

Switch to the web user and create a folder for letsencrypt to use.

su - web
mkdir letsencrypt
exit

Create a log directory for letsencrypt.

mkdir /var/log/letsencrypt

letsencrypt has a robust command-line interface, but creating a config file makes it easier to use and is nice to refer back to.

Create a configs directory for letsencrypt.

mkdir -p /etc/letsencrypt/configs

Create a config file for your domain (replace "EXAMPLE.com" with your domain name).

/etc/letsencrypt/configs/EXAMPLE.com.conf

domains = EXAMPLE.com
email = [email protected]
text = True
authenticator = webroot
webroot-path = /var/web/letsencrypt
agree-tos = True

With the config in place, run letsencrypt (replace "EXAMPLE.com" with your domain name).

/opt/letsencrypt/letsencrypt-auto --config /etc/letsencrypt/configs/EXAMPLE.com.conf certonly

Let's Encrypt will verify domain ownership and create the certificate files. When it completes, uncomment the ssl_certificate lines in your server config.

Uncomment these lines (replace "EXAMPLE.com" with your domain name).

/etc/nginx/sites-available/EXAMPLE.com.conf

ssl_certificate /etc/letsencrypt/live/EXAMPLE.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/EXAMPLE.com/privkey.pem;

Restart nginx.

service nginx restart

Letsencrypt certificates are only valid for 90 days. Out of an abundance of caution, create a cron job to refresh the certificates every two months.

Create a script to run letsencrypt (replace "EXAMPLE.com" with your domain name).

/usr/local/bin/renew-letsencrypt.sh

#!/bin/sh
cd /opt/letsencrypt/ || exit 1
./letsencrypt-auto --config /etc/letsencrypt/configs/EXAMPLE.com.conf certonly
if [ $? -ne 0 ]
then
    # Renewal failed: include the tail of the log so cron mails it to you
    ERRORLOG=`tail /var/log/letsencrypt/letsencrypt.log`
    # printf rather than echo -e: /bin/sh (dash on Debian/Ubuntu) does not honour -e
    printf "The Let's Encrypt cert has not been renewed!\n\n%s\n" "$ERRORLOG"
else
    # Renewed: make nginx pick up the new certificate files
    nginx -s reload
fi
exit 0

Make the script executable.

chmod 755 /usr/local/bin/renew-letsencrypt.sh

Open your crontab editor.

crontab -e

Add a line to run renew-letsencrypt every two months.

0 0 1 JAN,MAR,MAY,JUL,SEP,NOV * /usr/local/bin/renew-letsencrypt.sh

Save and exit.
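As an added example (not part of the original tutorial), here is a small /bin/sh check that reports whether the certificate on disk is inside its renewal window, so a second cron line can warn you before the 90 days run out even if the renewal job above silently stopped running. The certificate path, the function names and the 30-day threshold are assumptions.

```shell
#!/bin/sh
# Added example: warn when a Let's Encrypt certificate is close to expiry.
# Usage: check_cert /etc/letsencrypt/live/EXAMPLE.com/fullchain.pem 30
# (path and 30-day threshold are assumptions, not from the tutorial)

# cert_expiry_date CERT -> prints the certificate's notAfter field
cert_expiry_date() {
    openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//'
}

# cert_expires_within CERT DAYS -> returns 0 if the cert expires within DAYS days
cert_expires_within() {
    seconds=$(( $2 * 86400 ))
    # openssl -checkend exits 1 when the cert will have expired SECONDS from now
    if openssl x509 -in "$1" -noout -checkend "$seconds" >/dev/null; then
        return 1
    fi
    return 0
}

# check_cert CERT [THRESHOLD_DAYS] -> 0 when fine, 1 when renewal is due, 2 on error
check_cert() {
    cert="$1"
    threshold="${2:-30}"
    if [ ! -r "$cert" ]; then
        echo "cannot read $cert" >&2
        return 2
    fi
    if cert_expires_within "$cert" "$threshold"; then
        echo "$cert expires on $(cert_expiry_date "$cert"), within $threshold days: renew now" >&2
        return 1
    fi
    echo "$cert expires on $(cert_expiry_date "$cert"): OK"
}
```

This inspects the file under /etc/letsencrypt/live, not what nginx is actually serving, so it will not catch a forgotten nginx reload after a successful renewal.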
