Free Trusted SSL Certificates using Let’s Encrypt

Trust is a hard thing to earn, and that proved true when I wanted a free, trusted SSL certificate for a domain. Let’s Encrypt, living up to its name, got the certificates issued, and the domain is now served securely. Here are the steps to secure your domain using Let’s Encrypt.

Note: Environment used: AWS, GoDaddy, Nginx, Let’s Encrypt, Linux Ubuntu 16.04

GoDaddy configuration:

1. Obtain a domain.
2. Create an A record and point it to the IP address where the website/application is hosted. Make sure the IP is an Elastic IP, so that it does not change.

Note: It may take a few minutes for the DNS record to propagate across the web.

Let’s Encrypt Certbot Installation:


sudo apt-get install git

sudo git clone https://github.com/letsencrypt/letsencrypt /opt/letsencrypt

cd /opt/letsencrypt

Create Certbot certificate (Manual):

Note: While writing this post, the automatic nginx/apache certbot plugins hit a few version-mismatch issues. If they work for you, all of the configuration below is done automatically.

sudo certbot-auto certonly --email user@example.com -a manual -d example.com

Now there is a challenge that needs to be fulfilled (a proof of domain control that runs before the certificate is issued). certbot prints a temporary file name and its content; you need to create that file with that content and make it available at the domain URL where the site is hosted.

Example:

http://example.com/.well-known/acme-challenge/askdjesdCbnccckdlpaChH

Nginx configuration for acme-challenge:


server {
  listen 80;
  server_name example.com;
  root /var/www/html;
  location ^~ /.well-known/ {
    default_type "text/plain";
    auth_basic off;
    root /var/www/html; 
    allow all;
  }
}

This will create 4 new files in the /etc/letsencrypt/live/example.com directory. These certificates are valid for only 90 days and need to be renewed periodically.

cert.pem - Certificate file (example.com)
chain.pem - CA chain file
fullchain.pem - File containing CA Chain and the certificate for the domain
privkey.pem - The certificate's private key

Renewing Let’s Encrypt Certificates:


cd /opt/letsencrypt

sudo certbot-auto certonly --renew-by-default --email user@example.com -a manual -d example.com
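Because the certificates expire after 90 days and this post uses the manual method, it helps to check the issued files before reloading Nginx and to know when the renewal command above is due. The following script is an added example (not part of the original post or of certbot): it verifies that privkey.pem belongs to cert.pem, that cert.pem is issued by chain.pem, and whether the certificate still has at least a given number of days left. The live directory path and the 30-day renewal window are assumptions; it needs the openssl command-line tool.

```shell
#!/bin/sh
# Sanity checks for the four files certbot writes to /etc/letsencrypt/live/<domain>/
# (the paths and the 30-day window are assumptions), meant to run before
# "nginx -s reload" and from cron to decide when the manual renewal is due.
# Requires the openssl command-line tool.

# 0 when the certificate in $1 stays valid for at least $2 more days.
cert_valid_for_days() {
    openssl x509 -noout -checkend "$(( $2 * 86400 ))" -in "$1" >/dev/null 2>&1
}

# 0 when the private key in $2 belongs to the certificate in $1.
# Both are reduced to their public key, so RSA and ECDSA keys compare alike.
key_matches_cert() {
    cert_pub=$(openssl x509 -noout -pubkey -in "$1" 2>/dev/null) || return 1
    key_pub=$(openssl pkey -pubout -in "$2" 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# 0 when the certificate in $1 is issued by a certificate in $2 (the chain.pem
# intermediate). -partial_chain lets that intermediate act as the trust anchor,
# so the system root store is not needed for this check.
cert_chains_to() {
    openssl verify -partial_chain -CAfile "$2" "$1" >/dev/null 2>&1
}

# Run all checks on a live directory: one line per check, returns 0 only if all pass.
check_live_dir() {
    dir=$1; days=${2:-30}; rc=0
    if key_matches_cert "$dir/cert.pem" "$dir/privkey.pem"; then
        echo "ok    privkey.pem matches cert.pem"
    else
        echo "FAIL  privkey.pem does not match cert.pem"; rc=1
    fi
    if cert_chains_to "$dir/cert.pem" "$dir/chain.pem"; then
        echo "ok    cert.pem is issued by chain.pem"
    else
        echo "FAIL  cert.pem is not issued by chain.pem"; rc=1
    fi
    if cert_valid_for_days "$dir/cert.pem" "$days"; then
        echo "ok    cert.pem is valid for more than $days days"
    else
        echo "RENEW cert.pem expires within $days days"; rc=1
    fi
    return $rc
}

# Example invocation (the directory matches the layout described in this post):
# check_live_dir /etc/letsencrypt/live/example.com 30 || echo "action needed"
```

A non-zero exit from check_live_dir is a good trigger for a cron job that mails you, so the 90-day window is not missed.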

Complete Nginx SSL configuration:

server {
  listen 443 ssl;
  server_name example.com;
  sendfile on; 
  charset utf-8;
  client_max_body_size 750M;
  uwsgi_read_timeout 8000s;
  uwsgi_send_timeout 8000s;
  client_header_timeout 8000s;
  proxy_read_timeout 8000s;

  ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
  ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

  ##
   # Gzip Settings
  ##
  gzip on;
  gzip_http_version 1.1;
  gzip_disable "MSIE [1-6]\.";
  gzip_min_length 1100;
  gzip_vary on;
  gzip_proxied expired no-cache no-store private auth;
  gzip_types text/plain text/css application/json application/javascript application/x-javascript text/xml application/xml application/xml+rss text/javascript;
  gzip_comp_level 9;

  root /var/www/html;

  index index.html index.htm index.nginx-debian.html;

  ##
  # Main file index.html
  ##
  location / {
    # autoindex on exposes directory listings for paths without an index file;
    # turn it off unless you intend to publish the directory contents
    autoindex on;
    root /var/www/html;
    try_files $uri $uri/ $uri.html $uri.txt /index.html =404;
  }
}

Sources:

1. https://letsencrypt.org/how-it-works/

2. https://www.linode.com/docs/security/ssl/install-lets-encrypt-to-create-ssl-certificates

3. https://www.digitalocean.com/community/tutorials/how-to-secure-apache-with-let-s-encrypt-on-debian-8

4. https://www.digitalocean.com/community/tutorials/how-to-secure-apache-with-let-s-encrypt-on-ubuntu-14-04