Some readers of this website asked for a guide to Let’s Encrypt on Ubuntu 16.04. Here are easy steps to set up Let’s Encrypt on Ubuntu 16.04 with Nginx, including HSTS, ALPN on HTTP/2, OCSP stapling, Public Key Pinning (HPKP) and cipher configuration. Needless to say, Let’s Encrypt certificates are free. You do not need to read the guides various web hosts publish on the same topic: they contain mistakes, and some parts are copy-pasted from professional blogs. Following this guide you will get an A+ on SSL Labs, with 100 for certificate, 90 for protocol support, 85 for key exchange and 85 for cipher strength.
We are showing the older method because Ubuntu Xenial ships an old version of Certbot that lacks a few features. The official documentation is here:

```
https://certbot.eff.org/#ubuntuxenial-nginx
```

Otherwise it could be done more easily with one command.
---
Prerequisite Steps To Setup Let’s Encrypt on Ubuntu 16.04, Nginx and Follow This Guide
You need Ubuntu 16.04 LTS and the nginx-extras package from Ubuntu’s repository. ALPN support on HTTP/2 needs a recent version of OpenSSL. If you have a blank Ubuntu 16.04 LTS server, simply run:

```bash
apt update
apt upgrade
apt install nginx-extras
```
Make sure you have pointed the domain name at the server via DNS and that you can see the website’s default page in a browser. If you do not have a domain, you can read this list of free domain names. Use Hurricane Electric DNS to point it. You also need one email address. Now open the default site file:

```bash
nano /etc/nginx/sites-available/default
```

Add this inside the server block, so that the ACME HTTP challenge files under /.well-known are served:

```nginx
location ~ /.well-known {
    allow all;
}
```

Run:

```bash
nginx -t
```

If successful, then:

```bash
service nginx restart
```
Easy Steps To Setup Let’s Encrypt on Ubuntu 16.04, Nginx
We will keep all file names and paths at their defaults. We are using our domain abhishekghosh.pro in this example; you must change abhishekghosh.pro to your own domain name while running the commands. The default Nginx document root on Ubuntu 16.04 is /var/www/html; change the root path if needed. Let us run the commands:

```bash
apt update
apt install git
```
As mentioned before, we will use the current code from the Git repository, as the Ubuntu repository has old packages. So we are cloning https://github.com/letsencrypt/letsencrypt to the directory /opt/letsencrypt. Technically we should clone https://github.com/certbot/certbot to the directory /opt/certbot. We are not doing that because you may install the Ubuntu package later and the names would get confusing, and we will release an updated guide to cover everything (the name sounds old, but the code is new). All files will go to /opt/letsencrypt; you should not delete this directory later. Now we will clone the Let’s Encrypt repo:

```bash
git clone https://github.com/letsencrypt/letsencrypt /opt/letsencrypt
cd /opt/letsencrypt
```
Keep in mind that you will run this in the same directory every 15 days or so to get the latest update:

```bash
cd /opt/letsencrypt
sudo git pull
```

Now we run the command that obtains the certificate using the webroot plugin (letsencrypt-auto installs its own dependencies on the first run):

```bash
./letsencrypt-auto certonly -a webroot --webroot-path=/var/www/html -d abhishekghosh.pro
```
I ran it only for the domain abhishekghosh.pro. If I need to add www.abhishekghosh.pro, then I can combine them this way:

```bash
./letsencrypt-auto certonly -a webroot --webroot-path=/var/www/html -d abhishekghosh.pro -d www.abhishekghosh.pro
```

Obviously I can run it only for www later:

```bash
./letsencrypt-auto certonly -a webroot --webroot-path=/var/www/html -d abhishekghosh.pro -d www.abhishekghosh.pro
```
Run the first command (or the third one if www is your main domain), since with a single domain it is easier to troubleshoot. Every domain you list must be served from the same document root on this server, so virtual hosts or CNAME records must be set up correctly. Remember that letsencrypt is the old name; it has been certbot since May 2016.
After running the command, an interactive wizard starts: you will need to enter an email address that will be used for notices and lost key recovery, and you must agree to the Let’s Encrypt Subscriber Agreement. Simple. After these steps you will get this output:

```
IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at
   /etc/letsencrypt/live/abhishekghosh.pro/fullchain.pem. Your cert will
   expire on 2016-12-05. To obtain a new or tweaked version of this
   certificate in the future, simply run letsencrypt-auto again. To
   non-interactively renew *all* of your certificates, run
   "letsencrypt-auto renew"
...
```
At the location /etc/letsencrypt/live/abhishekghosh.pro we have everything. Let us go there:

```bash
cd /etc/letsencrypt/live/abhishekghosh.pro
ls -al
```

The files in /etc/letsencrypt/live/abhishekghosh.pro are symlinks into /etc/letsencrypt/archive. Next we will generate Diffie-Hellman parameters for the DHE cipher suites (the command takes a while to finish):

```bash
sudo openssl dhparam -out dhparam.pem 2048
```
We will also download the Let’s Encrypt intermediate certificate, which Nginx needs as the trusted certificate for OCSP stapling:

```bash
wget https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem
```

Check the files:

```bash
ls -al
```
Now, first create a backup. Because the files in the live directory are symlinks, pass -h to tar so the archive contains the actual key and certificate contents rather than the links:

```bash
cd /etc/letsencrypt/live/abhishekghosh.pro
tar -cvzhf abhishekghosh-pro-certs-Sept-2016.tar.gz *
```

Change the name abhishekghosh-pro-certs-Sept-2016 to your own name and date. Run ls -al again and you will see the tarball. Download it to your computer first (use SFTP or scp rather than plain FTP, since the archive contains your private key). We used to do this religiously for paid SSL certificates: if something goes wrong and everything gets deleted, the site would otherwise stay down.
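As an added example (written for this edit, not part of the guide), the following script makes the symlink point concrete: it archives a live directory with -h, restricts the tarball to its owner because it holds the private key, and checks that the resulting archive contains no symlink entries. The function names, the temporary fixture layout and the example.test domain are assumptions; the fixture contents are constructed placeholders, not real keys.

```shell
#!/bin/sh
# Added example, not part of the guide: back up a Let's Encrypt "live"
# directory so the archive holds real key/certificate data.
# /etc/letsencrypt/live/<domain>/*.pem are symlinks into
# /etc/letsencrypt/archive/<domain>/; a plain `tar -czf ... *` stores the
# links themselves, which are useless on another machine.

# backup_live_dir LIVE_DIR OUT_FILE
# Tar LIVE_DIR into OUT_FILE (which must live outside LIVE_DIR), following
# symlinks (-h) so file contents are stored, then restrict the tarball to
# its owner because it contains the private key.
backup_live_dir() {
    live_dir="$1"
    out_file="$2"
    if [ ! -d "$live_dir" ]; then
        echo "backup_live_dir: no such directory: $live_dir" >&2
        return 1
    fi
    # -C makes the paths inside the archive relative to the live directory.
    tar -C "$live_dir" -chzf "$out_file" . || return 1
    chmod 600 "$out_file"
}

# archive_has_no_symlinks ARCHIVE
# Succeed only if no entry in ARCHIVE is a symlink. In `tar -tv` output the
# first character of the mode column is 'l' for a symlink.
archive_has_no_symlinks() {
    ! tar -tzvf "$1" | grep -q '^l'
}

# archive_contains ARCHIVE NAME
# Succeed if an entry whose basename is NAME is present in ARCHIVE.
archive_contains() {
    tar -tzf "$1" | grep -Eq "(^|/)$2\$"
}

# make_fixture BASE
# Create a throwaway layout like certbot's under BASE: real files in
# archive/<domain>/ and symlinks in live/<domain>/ (hypothetical domain
# example.test; contents are constructed placeholders).
make_fixture() {
    base="$1"
    mkdir -p "$base/archive/example.test" "$base/live/example.test"
    echo "constructed private key material" > "$base/archive/example.test/privkey1.pem"
    echo "constructed certificate chain" > "$base/archive/example.test/fullchain1.pem"
    ln -s ../../archive/example.test/privkey1.pem "$base/live/example.test/privkey.pem"
    ln -s ../../archive/example.test/fullchain1.pem "$base/live/example.test/fullchain.pem"
}

# demo: compare a naive archive of the live directory with a dereferenced one.
demo() {
    tmp=$(mktemp -d)
    make_fixture "$tmp"
    tar -C "$tmp/live/example.test" -czf "$tmp/naive.tar.gz" .
    backup_live_dir "$tmp/live/example.test" "$tmp/good.tar.gz"
    echo "naive archive (stores only the links):"
    tar -tzvf "$tmp/naive.tar.gz"
    echo "dereferenced archive (stores the contents):"
    tar -tzvf "$tmp/good.tar.gz"
    rm -rf "$tmp"
}

if [ "${1:-}" = "demo" ]; then
    demo
fi
```

Run it as `sh backup-live.sh demo` to see the two listings side by side, or source it and call `backup_live_dir /etc/letsencrypt/live/abhishekghosh.pro /root/certs-backup.tar.gz` on the server. The output file is deliberately placed outside the live directory so that archiving `.` never tries to include the tarball itself.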
This is the right configuration:

```nginx
ssl on;
access_log off;
ssl_certificate /etc/letsencrypt/live/abhishekghosh.pro/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/abhishekghosh.pro/privkey.pem;
ssl_dhparam /etc/letsencrypt/live/abhishekghosh.pro/dhparam.pem;
# OCSP stapling; the resolver is needed to reach the responder
ssl_stapling on;
ssl_stapling_verify off;
ssl_stapling_responder http://ocsp.int-x3.letsencrypt.org;
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 30s;
ssl_trusted_certificate /etc/letsencrypt/live/abhishekghosh.pro/lets-encrypt-x3-cross-signed.pem;
ssl_ecdh_curve prime256v1;
# TLS session resumption
ssl_session_cache shared:NginxCache123:20m;
ssl_session_timeout 4h;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers EECDH+AESGCM:EDH+AESGCM:EECDH:EDH:!MD5:!RC4:!LOW:!MEDIUM:!CAMELLIA:!ECDSA:!DES:!DSS:!3DES:!NULL;
ssl_prefer_server_ciphers on;
# HSTS
add_header Strict-Transport-Security 'max-age=31536000; includeSubDomains; preload';
#add_header Public-Key-Pins 'pin-sha256=" "; pin-sha256=" "; report-uri=" "; max-age=5184000; includeSubDomains';
#add_header 'Content-Security-Policy-Report-Only' 'default-src self https:; report-uri ';
```

ssl_stapling_verify off is there to avoid stapling errors. add_header Public-Key-Pins is commented out because you should read the Public-Key-Pins and Public-Key-Pins Reporting guides before setting it up; you will do that later. Content-Security-Policy-Report-Only is commented out because you need to read about Content-Security-Policy and Content-Security-Policy-Report-Only first. You can do those two later.
Your normal virtual host file is /etc/nginx/sites-available/default. It contains something like:

```nginx
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name abhishekghosh.pro;
    ...
}
```

Copy the whole stanza and paste it at the bottom, then edit the pasted copy so that it listens on port 443:

```nginx
server {
    listen 443 default_server;
    listen [::]:443 default_server;
    server_name abhishekghosh.pro;
    ...
}
```

Then add the SSL directives from the configuration above inside that 443 server block (check the official Nginx documentation for where they belong). In the port 80 block you need to add a 301 redirect to HTTPS:

```nginx
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    return 301 https://abhishekghosh.pro$request_uri;
    ...
}
```
Run:

```bash
nginx -t
```

If successful, then:

```bash
service nginx restart
```
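Putting the pieces together, here is a complete /etc/nginx/sites-available/default as an added example (assembled for this edit, not the guide’s own file). It uses the guide’s domain, paths and TLS directives unchanged; the one assumption is that `listen 443 ssl http2` replaces the deprecated `ssl on;` and enables HTTP/2, which the nginx-extras build on 16.04 supports. The port 80 block keeps the .well-known location reachable over plain HTTP so that webroot renewals keep working, and redirects everything else to HTTPS.

```nginx
# Port 80: serve ACME challenge files, redirect everything else to HTTPS
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name abhishekghosh.pro;
    root /var/www/html;

    # letsencrypt-auto's webroot plugin writes challenge files here
    location ~ /.well-known {
        allow all;
    }

    location / {
        return 301 https://abhishekghosh.pro$request_uri;
    }
}

# Port 443: the TLS settings from the guide, plus HTTP/2
server {
    listen 443 ssl http2 default_server;
    listen [::]:443 ssl http2 default_server;
    server_name abhishekghosh.pro;
    root /var/www/html;
    index index.html index.htm;

    access_log off;
    ssl_certificate /etc/letsencrypt/live/abhishekghosh.pro/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/abhishekghosh.pro/privkey.pem;
    ssl_dhparam /etc/letsencrypt/live/abhishekghosh.pro/dhparam.pem;

    # OCSP stapling
    ssl_stapling on;
    ssl_stapling_verify off;
    ssl_stapling_responder http://ocsp.int-x3.letsencrypt.org;
    resolver 8.8.8.8 8.8.4.4 valid=300s;
    resolver_timeout 30s;
    ssl_trusted_certificate /etc/letsencrypt/live/abhishekghosh.pro/lets-encrypt-x3-cross-signed.pem;

    ssl_ecdh_curve prime256v1;
    ssl_session_cache shared:NginxCache123:20m;
    ssl_session_timeout 4h;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers EECDH+AESGCM:EDH+AESGCM:EECDH:EDH:!MD5:!RC4:!LOW:!MEDIUM:!CAMELLIA:!ECDSA:!DES:!DSS:!3DES:!NULL;
    ssl_prefer_server_ciphers on;

    # HSTS; HPKP and CSP stay commented out until you have read their guides
    add_header Strict-Transport-Security 'max-age=31536000; includeSubDomains; preload';
    #add_header Public-Key-Pins 'pin-sha256=" "; pin-sha256=" "; report-uri=" "; max-age=5184000; includeSubDomains';
    #add_header 'Content-Security-Policy-Report-Only' 'default-src self https:; report-uri ';

    location / {
        try_files $uri $uri/ =404;
    }
}
```

Check it with nginx -t before restarting. If you do not need to support very old clients, you can drop TLSv1 and TLSv1.1 from ssl_protocols and keep only TLSv1.2. Note that add_header directives inside a location block replace those inherited from the server block, so keep the HSTS header at server level as shown.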
If everything is fine, go to SSL Labs and test your result. After doing the above two steps you will have correct, optimized settings.
By the way, you also need to do some work to get listed on HTTPS Everywhere; otherwise HSTS does not actually work as intended.
You can see our site on SSL Labs:

```
https://www.ssllabs.com/ssltest/analyze.html?d=abhishekghosh.pro
```
Problems With Let’s Encrypt Renewal on Ubuntu 16.04, Nginx
If you visit the official Git repository:

```
https://github.com/certbot/certbot
```

they clearly state that letsencrypt is the old name and that it has been certbot since May 2016. Many guides have not been updated. You can test renewal with a dry run:

```bash
/opt/letsencrypt/letsencrypt-auto renew --dry-run
```

You can then try the real renewal:

```bash
/opt/letsencrypt/letsencrypt-auto renew
```
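Renewal only helps if Nginx actually picks up the new certificate, and a reload after a broken config edit takes the site down. The wrapper below is an added example (not from the guide or from certbot): it pulls the latest letsencrypt-auto as the guide recommends, runs renew, and reloads Nginx only when renewal succeeded and `nginx -t` still passes. The paths follow the guide; the `*_CMD` variables and the log file path are assumptions that also let the logic be exercised without a real certbot or Nginx.

```shell
#!/bin/sh
# Added example, not part of the guide: cron-friendly renewal wrapper.
# Paths follow the guide; each step's command can be overridden through an
# environment variable (assumed names), which is how the logic is tested.
# Commands are expanded unquoted on purpose so multi-word commands work;
# keep them free of spaces inside paths.
LE_DIR="${LE_DIR:-/opt/letsencrypt}"
UPDATE_CMD="${UPDATE_CMD:-git -C $LE_DIR pull --ff-only}"
RENEW_CMD="${RENEW_CMD:-$LE_DIR/letsencrypt-auto renew}"
NGINX_TEST_CMD="${NGINX_TEST_CMD:-nginx -t}"
NGINX_RELOAD_CMD="${NGINX_RELOAD_CMD:-service nginx reload}"
LOG_FILE="${LOG_FILE:-/var/log/letsencrypt-renew.log}"

# Append a timestamped line to LOG_FILE.
log() {
    printf '%s %s\n' "$(date '+%Y-%m-%d %H:%M:%S')" "$*" >> "$LOG_FILE"
}

# renew_and_reload
# Return codes: 0 renewal ran and Nginx reloaded; 1 renewal failed;
# 2 nginx config test failed (reload skipped); 3 reload itself failed.
renew_and_reload() {
    # A failed update is logged but not fatal: the existing script can still renew.
    if ! $UPDATE_CMD; then
        log "warning: update of $LE_DIR failed, continuing with existing version"
    fi
    if ! $RENEW_CMD; then
        log "error: certificate renewal failed"
        return 1
    fi
    # Never reload a config that does not parse; the old process keeps serving.
    if ! $NGINX_TEST_CMD; then
        log "error: nginx config test failed; not reloading"
        return 2
    fi
    if ! $NGINX_RELOAD_CMD; then
        log "error: nginx reload failed"
        return 3
    fi
    log "renewal run complete, nginx reloaded"
    return 0
}

# Run only when invoked with "run", so the file can also be sourced.
case "${1:-}" in
    run) renew_and_reload ;;
esac
```

Save it as /root/renew-certs.sh (assumed path) and schedule it, for example twice a day, with a crontab line such as `17 3,15 * * * /bin/sh /root/renew-certs.sh run`; letsencrypt-auto renew only contacts Let’s Encrypt when a certificate is close to expiry, so frequent runs are cheap. Newer certbot versions offer a `--post-hook` option that can run the reload for you, but the explicit check above works with any version.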
In case you face trouble, visit:

```
https://community.letsencrypt.org
```