How to secure Nginx with Let's Encrypt on a Virtual Private Server (VPS)?

 

In today's business world many companies run a website, because it is one of the easiest ways to reach people around the world. Most of them now choose VPS hosting over a dedicated server: it costs considerably less while still offering the features of the larger plans.

A VPS gives you root access to the server, so you can install, run, edit and remove any software, files and data yourself. With that access also comes the responsibility of serving your site over HTTPS. If you already host a site this way and want to know how to secure Nginx with Let's Encrypt on VPS hosting, the complete procedure follows.

Let's Encrypt is a free, automated and open certificate authority run by the Internet Security Research Group (ISRG). Certificates issued by Let's Encrypt are trusted by all major browsers.

Follow the steps below to secure Nginx with Let's Encrypt on VPS hosting:

>>>> Install Certbot

Certbot is a client written in Python that automates obtaining and renewing Let's Encrypt certificates and can also configure the web server to use them. In this guide it is used with the webroot plugin, so Certbot only obtains the certificate and Nginx is configured by hand.

--->>> First install the software-properties-common package, which provides the add-apt-repository tool needed to add PPAs. Update the package index and install it with:

$ sudo apt update
$ sudo apt install software-properties-common

--->>> Add the Certbot PPA to your system. On recent Ubuntu releases the certbot package is already in the standard repositories and the Certbot project now recommends its snap package instead of the PPA, so this step can be skipped there:

$ sudo add-apt-repository ppa:certbot/certbot

--->>> Update the package list and install the certbot package:

$ sudo apt update
$ sudo apt install certbot

>>>> Generate a strong DH (Diffie-Hellman) group

Diffie-Hellman is a method for two parties to agree on a shared secret over an insecure channel; Nginx uses it for the DHE cipher suites. Nginx only offers those suites when ssl_dhparam points at a parameter file (before 1.11.0 it fell back to built-in 1024-bit parameters), so generate your own 2048-bit set. The ECDHE suites and TLS 1.3 do not use this file. Generate the parameters with:

$ sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048

This takes a few minutes on a small VPS.

>>>> Obtaining an SSL certificate

To obtain a certificate for your domain this guide uses Certbot's webroot plugin, which implements the ACME HTTP-01 challenge. Certbot writes a temporary file for each requested name under ${webroot-path}/.well-known/acme-challenge/, and the Let's Encrypt validation servers fetch it over plain HTTP on port 80 to confirm that you control the host the domain's DNS points at. Port 80 must therefore be reachable from the internet and Nginx must serve that path.

--->>> Create the directory and make it readable by the Nginx worker processes (group www-data on Debian and Ubuntu). Certbot runs as root and writes the challenge files itself; the setgid bit makes everything created under the directory inherit the www-data group, so Nginx only needs read access:

$ sudo mkdir -p /var/lib/letsencrypt/.well-known
$ sudo chgrp www-data /var/lib/letsencrypt
$ sudo chmod g+s /var/lib/letsencrypt
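The directory preparation above, as an added example rather than the article's own commands, wrapped in a script that also checks the result: it verifies the setgid bit, confirms that a probe file written into .well-known/acme-challenge inherits the group, and can optionally fetch a token through Nginx the way the Let's Encrypt validators will. The directory, group name and domain are parameters; a GNU/Linux userland and curl (for the optional probe) are assumed.

```bash
#!/usr/bin/env bash
# Added example, not the article's own commands: prepare the ACME webroot as
# described above and verify it before running certbot.
# Assumptions: GNU/Linux userland (ls, cut, awk); the nginx workers run under
# the group passed as the second argument (www-data on Debian/Ubuntu); curl is
# installed if the optional end-to-end probe is used.

# prepare_webroot DIR GROUP
# Certbot (running as root) writes the challenge files; nginx only has to read
# them. The setgid bit on the directories makes every new file inherit GROUP.
prepare_webroot() {
  local dir=$1 group=$2
  mkdir -p "$dir/.well-known/acme-challenge" || return 1
  chgrp -R "$group" "$dir" || return 1
  chmod g+s "$dir" "$dir/.well-known" "$dir/.well-known/acme-challenge" || return 1
  chmod -R g+rX "$dir" || return 1
}

# verify_webroot DIR GROUP
# Returns 0 when DIR is setgid and a probe file dropped into
# .well-known/acme-challenge ends up owned by GROUP; 1 with a reason on stderr.
verify_webroot() {
  local dir=$1 group=$2 probe fgroup
  # 7th column of 'ls -ld' is the group execute slot: 's' when setgid is set
  if [ "$(ls -ld "$dir" | cut -c7)" != "s" ]; then
    echo "verify_webroot: setgid bit missing on $dir" >&2
    return 1
  fi
  mkdir -p "$dir/.well-known/acme-challenge" || return 1
  probe="$dir/.well-known/acme-challenge/probe-$$"
  echo probe > "$probe" || return 1
  fgroup=$(ls -l "$probe" | awk '{print $4}')
  rm -f "$probe"
  if [ "$fgroup" != "$group" ]; then
    echo "verify_webroot: probe file got group $fgroup, expected $group" >&2
    return 1
  fi
  return 0
}

# probe_challenge_url DIR DOMAIN
# What the CA will do: drop a token into the webroot and fetch it over plain
# HTTP through nginx. Needs a reachable DOMAIN and a running nginx.
probe_challenge_url() {
  local dir=$1 domain=$2 token body
  token="probe-$$"
  echo "$token" > "$dir/.well-known/acme-challenge/$token" || return 1
  body=$(curl -fsS "http://$domain/.well-known/acme-challenge/$token")
  rm -f "$dir/.well-known/acme-challenge/$token"
  [ "$body" = "$token" ]
}

# Usage: sudo bash webroot-check.sh /var/lib/letsencrypt www-data [yourdomain.com]
if [ "$#" -ge 2 ]; then
  prepare_webroot "$1" "$2" && verify_webroot "$1" "$2" || exit 1
  if [ "$#" -ge 3 ]; then
    probe_challenge_url "$1" "$3" && echo "challenge path served for $3" || exit 1
  fi
  echo "webroot $1 ready for group $2"
fi
```

Run it once after the Nginx server block for port 80 is in place; if the optional probe fails while the local checks pass, the problem is in Nginx (wrong root, a server block that shadows the location, or port 80 blocked), not in the filesystem.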

 

--->>> To avoid duplicating configuration, create the following two snippets, which you will include from all your Nginx server blocks:

/etc/nginx/snippets/letsencrypt.conf

location ^~ /.well-known/acme-challenge/ {
    allow all;
    root /var/lib/letsencrypt/;
    default_type "text/plain";
    try_files $uri =404;
}

/etc/nginx/snippets/ssl.conf

ssl_dhparam /etc/ssl/certs/dhparam.pem;

ssl_session_timeout 1d;
ssl_session_cache shared:SSL:50m;
ssl_session_tickets off;

# TLS 1.0 and 1.1 are deprecated (RFC 8996); TLSv1.3 needs Nginx 1.13+ built against OpenSSL 1.1.1+
ssl_protocols TLSv1.2 TLSv1.3;
# forward-secret AEAD suites only: no 3DES, no static RSA key exchange
ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:!DSS';
ssl_prefer_server_ciphers on;

ssl_stapling on;
ssl_stapling_verify on;
resolver 8.8.8.8 8.8.4.4 valid=150s;
resolver_timeout 45s;

add_header Strict-Transport-Security "max-age=15768000; includeSubDomains";
add_header X-Frame-Options SAMEORIGIN;
add_header X-Content-Type-Options nosniff;

--->>> The snippet above enables OCSP stapling, HTTP Strict Transport Security (HSTS) and a few other security-focused HTTP headers. ssl_stapling_verify relies on the ssl_trusted_certificate directive added to the server blocks later in this guide, and the resolver is what Nginx uses to look up the OCSP responder, so point it at a resolver you trust and that the VPS can reach. HSTS is only meaningful over HTTPS, which is why ssl.conf is included from the 443 server blocks only. Add the preload token to the HSTS header only if you intend to submit the domain to the browser preload list: that list requires a max-age of at least 31536000 (one year) together with includeSubDomains, and once a domain is preloaded it is difficult to remove. Note also that Nginx add_header directives are not inherited by a location block that sets its own add_header, so check the response headers of each location with curl -I once the site is up.
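To see the difference between weak and hardened TLS settings mechanically, here is an added example (not part of the article) that audits an ssl.conf snippet with grep and sed. It flags TLS 1.0/1.1, 3DES/RC4/MD5 suites, suites without forward secrecy, session tickets left on, and an HSTS preload token with a max-age below the one year the preload list demands. The two sample configs it writes are constructed for the example: the weak one enables TLS 1.0/1.1, a 3DES suite, a static-RSA suite and preload with a six-month max-age; the hardened one is what a reviewer would ask for.

```bash
#!/usr/bin/env bash
# Added example, not part of the article: a linter for an Nginx ssl.conf
# snippet. It needs only grep, sed, tr and a POSIX shell. The sample configs
# written by write_samples are constructed for this example.

# audit_ssl_conf FILE
# Prints one finding per line; returns 0 when the file is clean, 1 otherwise.
audit_ssl_conf() {
  local file=$1 findings=0 p c protos ciphers hsts maxage

  # 1. protocols: anything older than TLS 1.2 is deprecated (RFC 8996)
  protos=$(sed -n 's/^[[:space:]]*ssl_protocols[[:space:]]*\(.*\);.*/\1/p' "$file")
  for p in $protos; do
    case $p in
      SSLv2|SSLv3|TLSv1|TLSv1.1)
        echo "deprecated protocol enabled: $p"; findings=$((findings + 1)) ;;
    esac
  done

  # 2. ciphers: drop the quotes and the trailing ';', then walk the ':' list
  ciphers=$(grep -E '^[[:space:]]*ssl_ciphers[[:space:]]' "$file" | head -n 1 \
            | sed 's/^[[:space:]]*ssl_ciphers[[:space:]]*//; s/;.*$//' | tr -d "\"'")
  for c in $(printf '%s' "$ciphers" | tr ':' ' '); do
    case $c in
      '!'*) ;;                                   # an exclusion such as !DSS
      *DES-CBC3*|*RC4*|*MD5*|*NULL*|*EXP*)
        echo "weak cipher suite: $c"; findings=$((findings + 1)) ;;
      ECDHE-*|DHE-*|EDH-*) ;;                    # ephemeral key exchange: forward secret
      *)
        echo "no forward secrecy (static RSA key exchange): $c"; findings=$((findings + 1)) ;;
    esac
  done

  # 3. session tickets: nginx never rotates the ticket key, which undoes
  #    forward secrecy for resumed sessions
  if ! grep -Eq '^[[:space:]]*ssl_session_tickets[[:space:]]+off[[:space:]]*;' "$file"; then
    echo "ssl_session_tickets is not set to off"; findings=$((findings + 1))
  fi

  # 4. HSTS: the preload list requires max-age >= 31536000 (one year)
  hsts=$(grep -E '^[[:space:]]*add_header[[:space:]]+Strict-Transport-Security' "$file" || true)
  if [ -z "$hsts" ]; then
    echo "no Strict-Transport-Security header"; findings=$((findings + 1))
  else
    maxage=$(printf '%s\n' "$hsts" | sed -n 's/.*max-age=\([0-9]*\).*/\1/p')
    if printf '%s\n' "$hsts" | grep -qi 'preload' && [ "${maxage:-0}" -lt 31536000 ]; then
      echo "HSTS preload requested with max-age=$maxage (preload list needs 31536000)"
      findings=$((findings + 1))
    fi
  fi

  [ "$findings" -eq 0 ]
}

# write_samples DIR
# weak.conf: TLS 1.0/1.1, a 3DES suite, a static-RSA suite, tickets on and
# preload with a six-month max-age. hardened.conf: what a reviewer would ask for.
write_samples() {
  local dir=$1
  cat > "$dir/weak.conf" <<'EOF'
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-DES-CBC3-SHA:AES128-SHA:!DSS';
ssl_prefer_server_ciphers on;
ssl_session_tickets on;
add_header Strict-Transport-Security "max-age=15768000; includeSubdomains; preload";
EOF
  cat > "$dir/hardened.conf" <<'EOF'
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256';
ssl_prefer_server_ciphers on;
ssl_session_tickets off;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
EOF
}

# Usage: bash ssl-audit.sh /etc/nginx/snippets/ssl.conf
if [ "$#" -ge 1 ] && [ -f "$1" ]; then
  audit_ssl_conf "$1" && echo "$1: no findings"
fi
```

Run against the weak sample it reports six findings and exits non-zero; against the hardened sample it reports none. Because the exit status carries the verdict, the script can gate a configuration deploy in the same way nginx -t does.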

 

--->>> Once the snippets exist, open the server block for your domain and include the letsencrypt.conf snippet:

/etc/nginx/sites-available/yourdomain.com.conf

server {
    listen 80;
    server_name yourdomain.com www.yourdomain.com;

    include snippets/letsencrypt.conf;
}

--->>> Activate the server block by creating a symbolic link from sites-available to sites-enabled:

$ sudo ln -s /etc/nginx/sites-available/yourdomain.com.conf /etc/nginx/sites-enabled/yourdomain.com.conf

--->>> Test the configuration and reload Nginx for the change to take effect:

$ sudo nginx -t
$ sudo systemctl reload nginx

--->>> Now run Certbot with the webroot plugin to obtain the certificate files. Replace the email address with your own; Let's Encrypt uses it for expiry and account notices:

$ sudo certbot certonly --agree-tos --email you@yourdomain.com --webroot -w /var/lib/letsencrypt/ -d yourdomain.com -d www.yourdomain.com

--->>> When the certificate has been obtained, Certbot prints a message like the following. Keep privkey.pem readable by root only (Certbot's default): the Nginx master process reads the key as root before the workers drop privileges, so www-data never needs it.

Output

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/yourdomain.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/yourdomain.com/privkey.pem
   Your cert will expire on 2018-04-23. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

--->>> With the certificate files in place, edit the server block for your domain:

/etc/nginx/sites-available/yourdomain.com.conf

server {
    listen 80;
    server_name www.yourdomain.com yourdomain.com;

    include snippets/letsencrypt.conf;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl http2;
    server_name www.yourdomain.com;

    ssl_certificate /etc/letsencrypt/live/yourdomain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/yourdomain.com/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/yourdomain.com/chain.pem;
    include snippets/ssl.conf;
    include snippets/letsencrypt.conf;

    return 301 https://yourdomain.com$request_uri;
}

server {
    listen 443 ssl http2;
    server_name yourdomain.com;

    ssl_certificate /etc/letsencrypt/live/yourdomain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/yourdomain.com/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/yourdomain.com/chain.pem;
    include snippets/ssl.conf;
    include snippets/letsencrypt.conf;

    # . . . other code
}

--->>> With this configuration every HTTP request is redirected to HTTPS, and the www version of the domain is redirected to the non-www version. The letsencrypt.conf snippet is kept in the HTTPS blocks as well: the server-level return in the port 80 block redirects challenge requests too, and Let's Encrypt follows that redirect, so the challenge file must also be served over HTTPS for renewals to keep working.

--->>> Test the configuration and reload Nginx so the new server blocks take effect:

$ sudo nginx -t
$ sudo systemctl reload nginx

>>>> SSL certificate auto renewal

Let's Encrypt certificates are valid for 90 days only. The certbot package installs a job that runs twice a day and renews any certificate that is within 30 days of expiry: on Ubuntu this is the certbot.timer systemd timer, with /etc/cron.d/certbot kept as a fallback for hosts without systemd.

--->>> Because the webroot plugin does not touch Nginx, Nginx has to be reloaded after each renewal or it keeps serving the old certificate until the next restart. One way is to add --renew-hook "systemctl reload nginx" to the /etc/cron.d/certbot line so it looks like this:

/etc/cron.d/certbot

0 */12 * * * root test -x /usr/bin/certbot -a \! -d /run/systemd/system && perl -e 'sleep int(rand(3600))' && certbot -q renew --renew-hook "systemctl reload nginx"

Note the test ... \! -d /run/systemd/system guard: on a systemd-based Ubuntu this cron line never runs certbot, because the certbot.timer unit performs the renewal instead, and a hook added only here is never executed. A hook that works in both cases is one stored in Certbot's own renewal configuration: either pass --deploy-hook "systemctl reload nginx" (the current name for --renew-hook) when obtaining the certificate, which Certbot records in /etc/letsencrypt/renewal/yourdomain.com.conf, or drop an executable script into /etc/letsencrypt/renewal-hooks/deploy/, which Certbot runs after every successful renewal regardless of how it was started.

--->>> Finally, test the renewal process with Certbot's --dry-run switch, which performs the whole exchange against the Let's Encrypt staging environment without replacing the live certificate:

$ sudo certbot renew --dry-run
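As an added example (not from the article or the Certbot project), a deploy hook for /etc/letsencrypt/renewal-hooks/deploy/ that only reloads Nginx after nginx -t passes, so a renewal that coincides with a half-finished configuration edit does not take the site down. Certbot exports RENEWED_LINEAGE and RENEWED_DOMAINS to deploy hooks; the NGINX_TEST and NGINX_RELOAD variables are this example's own, added so the logic can be exercised without Nginx installed.

```bash
#!/usr/bin/env bash
# Added example, not the article's or Certbot's code: a certbot deploy hook.
# Install as /etc/letsencrypt/renewal-hooks/deploy/reload-nginx.sh, mode 0755.
# Certbot runs every script in that directory once per successfully renewed
# certificate and exports RENEWED_LINEAGE (the /etc/letsencrypt/live/<name>
# directory) and RENEWED_DOMAINS to it.
# NGINX_TEST / NGINX_RELOAD are this example's assumption, not a certbot
# feature: they let the logic be exercised without nginx present.

NGINX_TEST=${NGINX_TEST:-"nginx -t"}
NGINX_RELOAD=${NGINX_RELOAD:-"systemctl reload nginx"}

# log MSG -> timestamped line on stderr (certbot keeps hook output in its log)
log() { printf '%s reload-nginx: %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$*" >&2; }

# reload_after_renewal LINEAGE DOMAINS
# Returns 0 when the renewed files exist, nginx accepted the configuration and
# the reload succeeded; 1 otherwise. On failure the new certificate stays on
# disk, so a later manual 'nginx -t && systemctl reload nginx' still picks it up.
reload_after_renewal() {
  local lineage=$1 domains=$2 f
  for f in fullchain.pem privkey.pem chain.pem; do
    if [ ! -r "$lineage/$f" ]; then
      log "missing $lineage/$f for $domains"
      return 1
    fi
  done
  if ! $NGINX_TEST >/dev/null 2>&1; then
    log "configuration test failed after renewing $domains; not reloading"
    return 1
  fi
  if ! $NGINX_RELOAD; then
    log "reload failed after renewing $domains"
    return 1
  fi
  log "reloaded nginx with renewed certificate for $domains"
  return 0
}

# When invoked by certbot the environment carries the renewed lineage.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
  reload_after_renewal "$RENEWED_LINEAGE" "${RENEWED_DOMAINS:-unknown}"
  exit $?
fi
```

After installing the script, sudo certbot renew --dry-run exercises it (deploy hooks run on dry runs as well) and any failure appears in /var/log/letsencrypt/letsencrypt.log together with the log lines above.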


Compare and choose the best hosting solution for your business from HostingRaja India's #1 web hosting provider. Here at HostingRaja we provide best in class web hosting solution with amazing features, offer and discounts. All our servers are highly secured with best in class security features. Not only that we also provide 24/7 customer support via phone, chat, email and tickets system with 99.9% server uptime.