Last updated: 2024-05-30, edited by 888u
Tutorial: Install and set up Let's Encrypt SSL under Ubuntu / Debian and Nginx
As a public and free SSL project, Let's Encrypt is gradually spreading and being adopted by the majority of users. It was initiated by members of Mozilla, Cisco, Akamai, IdenTrust, the EFF and other organizations, with the main purpose of promoting the transition of websites from HTTP to HTTPS. Along the way, more and more vendors have joined and sponsored the project.
The emergence of Let's Encrypt's free SSL certificates will also have a major impact on traditional vendors that sell paid SSL certificates. So far, Let's Encrypt has been cross-signed by IdenTrust, which means its certificates can be used and are trusted by mainstream browsers including Firefox and Chrome. Although it is currently in the public beta stage, many users in China are already using it officially on their own website projects.
This guide applies to Ubuntu/Debian; it was tested successfully under Ubuntu 14.04. Example values used throughout: the domain name is zhujiwiki.com and the server IP address is 111.111.111.111.
Under SSH:

1. Install git and bc:
    sudo apt-get install git bc

2. Clone the le.sh source code:
    cd /tmp/
    git clone https://github.com/Neilpang/le.git

3. Install le.sh:
    cd le
    sudo ./le.sh install
   Then reload your shell profile:
    source ~/.bashrc

4. Test whether the installation succeeded:
    sudo -s le
   Whenever you run le, you must use sudo -s.
5. Create the /.well-known/acme-challenge/ directory that the ACME HTTP challenge files are served from:
    mkdir -p /var/www/html/.well-known/acme-challenge/
    chown -R www-data:www-data /var/www/html/.well-known/acme-challenge/
    chmod 0755 /var/www/html/.well-known/acme-challenge/
   The directory needs the execute bit so that the nginx worker (www-data) can traverse it and read the challenge files; a mode of 0444 on the directory would make the challenge fail.

6. Create a directory for the SSL certificates and generate the DH parameters into it (the nginx configuration below reads dhparams.pem from this directory, so write it there rather than into the current working directory):
    mkdir -p /etc/nginx/ssl/zhujiwiki.com/
    openssl dhparam -out /etc/nginx/ssl/zhujiwiki.com/dhparams.pem 4096
   Generating 4096-bit parameters can take a long time on a small VPS.
7. Issue SSL certificates for zhujiwiki.com and www.zhujiwiki.com:
    le issue /var/www/html zhujiwiki.com www.zhujiwiki.com
   The default key size is 2048 bits; to issue a 4096-bit key instead, append the key length:
    le issue /var/www/html zhujiwiki.com www.zhujiwiki.com 4096
   The general forms of the issue command are:
    le issue /DocumentRootPath/ example.com
    le issue /DocumentRootPath/ example.com www.foo.com,bar.com
    le issue /DocumentRootPath/ example.com 2048
8. Configure TLS/SSL on Nginx:
    vi /etc/nginx/sites-available/default
   Press i to enter editing mode and paste the following content. The certificate and dhparam paths point at the directory created in step 6, and the log directory /var/log/nginx/zhujiwiki.com/ must exist before nginx is reloaded, otherwise nginx refuses to start:

    ## START: SSL/HTTPS zhujiwiki.com ###
    server {
        #------- Start SSL config ----##
        listen 111.111.111.111:443;
        server_name zhujiwiki.com;
        ssl on;
        ssl_certificate /etc/nginx/ssl/zhujiwiki.com/zhujiwiki.com.cer;
        ssl_certificate_key /etc/nginx/ssl/zhujiwiki.com/zhujiwiki.com.key;
        ssl_session_timeout 30m;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS;
        ssl_session_cache shared:SSL:10m;
        ssl_dhparam /etc/nginx/ssl/zhujiwiki.com/dhparams.pem;
        ssl_prefer_server_ciphers on;
        ## Improves TTFB by using a smaller SSL buffer than the nginx default
        ssl_buffer_size 8k;
        ## Enables OCSP stapling
        ssl_stapling on;
        resolver 8.8.8.8;
        ssl_stapling_verify on;
        ## Send header to tell the browser to prefer https to http traffic
        add_header Strict-Transport-Security max-age=31536000;
        ## SSL logs ##
        access_log /var/log/nginx/zhujiwiki.com/ssl_access.log;
        error_log /var/log/nginx/zhujiwiki.com/ssl_error.log;
        #-------- END SSL config -------##
        # Add the rest of your config below, such as the document root
    }
    ## END SSL zhujiwiki.com ######

   Press the Esc key to exit editing mode, then type ZZ (hold Shift and press z twice) to save and return to the shell.
   Two caveats for current nginx versions: the ssl on; directive has been deprecated since nginx 1.15.0 in favour of listen 111.111.111.111:443 ssl;, and TLSv1 and TLSv1.1 are legacy protocol versions, so on a current deployment restrict ssl_protocols to TLSv1.2 and later.
9. Install the issued certificate into the nginx certificate directory:
    le installcert zhujiwiki.com /etc/nginx/ssl/zhujiwiki.com/zhujiwiki.com.cer /etc/nginx/ssl/zhujiwiki.com/zhujiwiki.com.key /etc/nginx/ssl/zhujiwiki.com/ca.cer 'service nginx reload'
   nginx expects the file given to ssl_certificate to contain the full chain, so append the intermediate CA certificate to the server certificate to avoid chain problems in browsers:
    cd /etc/nginx/ssl/zhujiwiki.com/
    cat zhujiwiki.com.cer ca.cer > foo
    mv foo zhujiwiki.com.cer
    service nginx reload
10. Allow port 443 through the firewall:
    ufw allow proto tcp from any to 111.111.111.111 port 443
   Test in a browser at https://zhujiwiki.com/, or run the site through the SSL Labs server test.
11. A Let's Encrypt certificate is valid for 90 days, so every certificate must be renewed. The renewal command is:
    le renew zhujiwiki.com
   Add automatic renewal so you don't have to worry about certificate expiration:
    crontab -e
   Press i to enter edit mode and add the line:
    0 0 * * * LE_WORKING_DIR="/root/.le" "/root/.le"/le.sh cron > /dev/null
   Press the Esc key to exit editing mode, then type ZZ (hold Shift and press z twice) to save and return to the shell.
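As an added example that is not part of the original tutorial, the following POSIX shell lint checks a server block like the one pasted in step 8 for the issues a reviewer would catch: the ssl_staple typo (OCSP stapling silently not enabled), the legacy protocol versions, the deprecated ssl on; directive, and a missing ssl_dhparam or HSTS header. It assumes only sed, grep and awk are available; the two sample blocks are constructed and shortened here.

```shell
# Added example (not from the tutorial): lint an nginx TLS server block and
# report settings a reviewer would want fixed before the site goes live.
# Print one finding per line for the nginx config file given as $1.
tls_findings() {
    # Drop comments first, so "## Enables OCSP stapling" is not read as a directive.
    body=$(sed 's/#.*$//' "$1")
    printf '%s\n' "$body" | grep -Eq '^[[:space:]]*ssl[[:space:]]+on[[:space:]]*;' &&
        echo "deprecated 'ssl on;' (newer nginx expects 'listen 443 ssl;')"
    printf '%s\n' "$body" | grep -Eq 'ssl_protocols[^;]*TLSv1(\.1)?[[:space:];]' &&
        echo "ssl_protocols enables TLSv1/TLSv1.1 (legacy; keep TLSv1.2 or later)"
    printf '%s\n' "$body" | grep -Eq 'ssl_stapling[[:space:]]+on[[:space:]]*;' ||
        echo "OCSP stapling is not enabled (watch for the typo 'ssl_staple')"
    printf '%s\n' "$body" | grep -q 'ssl_dhparam' ||
        echo "no ssl_dhparam directive (dhparams.pem is never referenced)"
    printf '%s\n' "$body" | grep -q 'Strict-Transport-Security' ||
        echo "no Strict-Transport-Security header"
    return 0
}
# Number of findings as a plain integer (0 when the block is clean).
tls_finding_count() {
    tls_findings "$1" | awk 'END { print NR }'
}
# Constructed samples: the first mirrors the tutorial's block with its typo kept
# and the HSTS header left out; the second is the corrected version.
WEAK_CONF=$(mktemp)
cat > "$WEAK_CONF" <<'EOF'
server {
    listen 111.111.111.111:443;
    ssl on;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_dhparam /etc/nginx/ssl/zhujiwiki.com/dhparams.pem;
    ## Enables OCSP stapling
    ssl_staple on;
    ssl_stapling_verify on;
}
EOF
GOOD_CONF=$(mktemp)
cat > "$GOOD_CONF" <<'EOF'
server {
    listen 111.111.111.111:443 ssl;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_dhparam /etc/nginx/ssl/zhujiwiki.com/dhparams.pem;
    ssl_stapling on;
    add_header Strict-Transport-Security max-age=31536000;
}
EOF
tls_findings "$WEAK_CONF"
echo "fixed block: $(tls_finding_count "$GOOD_CONF") finding(s)"
```

Run it against your real file with tls_findings /etc/nginx/sites-available/default after editing step 8, and again after every nginx upgrade.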