Nginx Plugin During Early Beta
When Let’s Encryptt started their closed beta, their documentation warned that their Nginx plugin was experimental. Using it as the authenticator to obtain certificates seemed to work, but using it as the installer would almost certainly guarantee that your Nginx configuration would become a jumbled mess. But that automated installation isn’t useful for everyone, especially with the myriad of ways Nginx configuration files can be structured. What was really important was that Let’s Encrypt was successfully issuing free trusted SSL certificates through their automated system.
letsencrypt 0.4.0.dev0
Three months later, solidly into public beta and with certificates in need of renewal, I decided to give the Nginx Plugin another try. Since letsencrypt-auto doesn’t include the Nginx plugin, I ended up running the client in developer mode.
git clone https://github.com/letsencrypt/letsencrypt cd letsencrypt ./letsencrypt-auto-source/letsencrypt-auto --os-packages-only ./bootstrap/dev/venv.sh
Activating the virtual env will allow you to run the client with just letsencrypt. One annoyance was that unlike the letsencrypt-auto wrapper that will ask for elevated privileges when needed, the client itself would just error and stop when attempting to write to directories like /var/log/letsencrypt or /etc/letsencrypt.
sudo -s source ./venv/bin/activate
Your prompt should now be prefixed by (venv)
(venv)root@ubuntu:~/letsencrypt#
Nginx 1.9.10 with Default Site Configuration
To keep things simple, I started with a fresh install of Nginx (1.9.10) and used the single server block provided by /etc/nginx/conf.d/default.conf. To have the Nginx plugin act as both authenticator and installer just include --nginx.
letsencrypt --nginx -d rudeotter.com --email [email protected]
If successful, you’ll be asked whether you’d like to make your site HTTPS only or if it should be available via HTTP as well. I chose Secure.
┌──────────────────────────────────────────────────────────────────────┐
│ Please choose whether HTTPS access is required or optional. │
│ ┌──────────────────────────────────────────────────────────────────┐ │
│ │ Easy Allow both HTTP and HTTPS access to these sites │ │
│ │ Secure Make all requests redirect to secure HTTPS access │ │
│ └──────────────────────────────────────────────────────────────────┘ │
├──────────────────────────────────────────────────────────────────────┤
│ │
└──────────────────────────────────────────────────────────────────────┘IMPORTANT NOTES: - If you lose your account credentials, you can recover through e-mails sent to [email protected]. - Congratulations! Your certificate and chain have been saved at /etc/letsencrypt/live/rudeotter.com/fullchain.pem. Your cert will expire on 2016-05-07. To obtain a new version of the certificate in the future, simply run Let's Encrypt again. - Your account credentials have been saved in your Let's Encrypt configuration directory at /etc/letsencrypt. You should make a secure backup of this folder now. This configuration directory will also contain certificates and private keys obtained by Let's Encrypt so making regular backups of this folder is ideal. - If you like Let's Encrypt, please consider supporting our work by: Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate Donating to EFF: https://eff.org/donate-le
Optionally Check the Certificate and Key
The certificate was successfully created (almost) effortlessly and placed in /etc/letsencrypt/live/yourdomain/. The certificate and key can be checked from the command line.
openssl x509 -in cert.pem -text -noout openssl rsa -in privkey.pem -check
Installation Results
The installation, however, didn’t really do what I expected. Rather than modify the server block configuration in default.conf, it added a server block to nginx.conf. This works just fine but you may want to move blocks to your site-specific file and do some additional customization anyway.
server {
server_name rudeotter.com;
listen 443 ssl;
ssl_certificate /etc/letsencrypt/live/rudeotter.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/rudeotter.com/privkey.pem;
include /etc/letsencrypt/options-ssl-nginx.conf;
ssl_trusted_certificate /etc/letsencrypt/live/rudeotter.com/chain.pem;
ssl_stapling on;
ssl_stapling_verify on;
if ($scheme != "https") {
return 301 https://$host$request_uri;
}
}This configuration scores an A on the Qualys SSL Server Test after generating DH parameters and specifying their location in ssl_dhparam. My preference is to stick with Mozilla’s SSL Config Generator.
Skipping Installation: Generate Certificates Only
The Nginx plugin worked perfectly for me as my authenticator and didn’t require temporarily stopping Nginx to use the standalone. That alone is enough to make me use it for creating and renewing my certificates. Luckily, it’s really easy to use the plugin for certificate generation only.
letsencrypt certonly --nginx -d rudeotter.com --email [email protected]
Nginx SSL Configuration using Let’s Encrypt Certificates
server {
listen 443 ssl;
listen [::]:443 ssl;
ssl_certificate /etc/letsencrypt/live/rudeotter.com/fullchain.pem;;
ssl_certificate_key /etc/letsencrypt/live/rudeotter.com/privkey.pem;;
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:50m;
ssl_session_tickets off;
ssl_dhparam /etc/nginx/dhparam.pem;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
ssl_prefer_server_ciphers on;
add_header Strict-Transport-Security max-age=15768000;
ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate /etc/letsencrypt/live/rudeotter.com/chain.pem;
resolver 8.8.8.8 8.8.4.4 valid=86400;
resolver_timeout 10;
....
}Let’s Encrypt + Nginx: Three Months Into Beta from Rude Otter.
This post first appeared on Rude Otter | Web Apps With LEMP Stacks, please read the originial post: here
