Apply for a #LetsEncrypt #SSL cert for an #NGINX server

Self-signed certs suck. Browsers can't verify who issued them, so they throw nasty security error messages when people access your website.
Let's Encrypt offers real, verifiable SSL certs that give you that nice padlock in the URL bar and, most importantly, browsers trust them. So, if you have NGINX running on Linux, here is how you get an SSL cert and apply it to your server.
Step 1 is to install the getssl tool, which you can do as follows:
curl --silent https://raw.githubusercontent.com/srvrco/getssl/master/getssl > getssl ; chmod 700 getssl
Step 2 is to create a config file for the domain:
./getssl -c domain.com
Edit the config file using the pico editor (or another editor):
pico .getssl/domain.com/getssl.cfg
Make the following changes:
Uncomment CA="https://acme-v02.api.letsencrypt.org"
Edit the ACL line to say:
ACL=('/home/wwwroot/.well-known/acme-challenge')
Uncommenting the line CA="https://acme-v02.api.letsencrypt.org" means that you are using the live API, not the sandbox (Fake LE Intermediate and Root X1) CA.
The ACL must point to the .well-known/acme-challenge folder under the location on disk where the root of your website is.
Then create the acme-challenge folder as follows:
cd /home/wwwroot
mkdir .well-known
cd .well-known/
mkdir acme-challenge
Then apply for the cert as follows:
sudo ./getssl -d domain.com
Assuming that step ran completely, copy the retrieved cert and key to the nginx folder:
cd .getssl
cd domain.com/
sudo cp *.crt /etc/nginx/
sudo cp *.key /etc/nginx/
sudo nginx -s reload
The NGINX config should resemble the following:
server {
    # "listen ... ssl" replaces the deprecated "ssl on;" directive
    listen 443 ssl;
    ssl_certificate /etc/nginx/domain.crt;
    ssl_certificate_key /etc/nginx/domain.key;
    ssl_session_cache builtin:1000 shared:SSL:10m;
    # TLSv1 and TLSv1.1 are deprecated; offer only TLSv1.2 and later
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4;
    ssl_prefer_server_ciphers on;
    access_log /var/log/nginx/domain.access.log;
    location / {
        ...
    }
}
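
Before requesting the cert with ./getssl -d domain.com, the two edits to getssl.cfg described above (live CA uncommented, ACL pointing at an existing acme-challenge folder) can be checked with a short script. This is an added example, not part of getssl or the original post; the function names cfg_value and getssl_preflight are hypothetical, and it assumes getssl.cfg is read like a shell file, so the last uncommented assignment wins.

```shell
#!/bin/sh
# Added example: preflight check for a getssl.cfg before requesting a cert.
LIVE_CA="https://acme-v02.api.letsencrypt.org"   # live CA URL, as given on the page

# Print the value of the last uncommented KEY=... line in file $2, with
# quotes and parentheses stripped. Assumption: the config is read like a
# shell file, so a later assignment overrides an earlier one.
cfg_value() {
    sed -n "s/^[[:space:]]*$1=//p" "$2" | tail -n 1 | tr -d "\"'()"
}

# Usage: getssl_preflight /path/to/getssl.cfg
# Prints one line per problem; returns 0 if none were found, 1 otherwise.
getssl_preflight() {
    cfg=$1
    problems=0
    [ -r "$cfg" ] || { echo "cannot read $cfg"; return 1; }

    # A CA other than the live API yields a cert browsers will not trust.
    ca=$(cfg_value CA "$cfg")
    if [ "$ca" != "$LIVE_CA" ]; then
        echo "CA is '${ca:-unset}', not the live API"
        problems=1
    fi

    # The challenge files must land under <webroot>/.well-known/acme-challenge.
    acl=$(cfg_value ACL "$cfg")
    case $acl in
        */.well-known/acme-challenge) ;;
        *) echo "ACL '${acl:-unset}' does not end in /.well-known/acme-challenge"
           problems=1 ;;
    esac
    if [ -n "$acl" ] && ! { [ -d "$acl" ] && [ -w "$acl" ]; }; then
        echo "ACL directory '$acl' is missing or not writable"
        problems=1
    fi
    return $problems
}

# Check the config file named on the command line, if one was given,
# e.g. sh preflight.sh .getssl/domain.com/getssl.cfg
if [ $# -gt 0 ]; then getssl_preflight "$1"; fi
```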