Did you know you could get free SSL certificates? Heyy... Now you can...!!!!!
Let's Encrypt is the new SSL Certificate Authority. It's automated, open and provides free SSL/TLS Certificates.
I have set up Let's Encrypt SSL/TLS certificate with Nginx on Ubuntu 14.04. So let's see how to set up Let's Encrypt SSL/TLS certificate and to enable automated renewal of the same.
For Let's Encrypt to work successfully we require an Ubuntu 14.04 Server with sudo or root user. If you are a root user, extreme caution is required during installation.
I think you might have already come across the incident where a guy deleted an entire company using the rm -rf command while working with root permissions!!!
The next prerequisite is to have a registered domain name for your Django site. If you do not already have one, you can easily get a registered domain name from domain providers like GoDaddy, Namecheap, BlueHost, etc.
Now, Let's get started.
Step 1 - Install Let's Encrypt in Server.
First log in to the server and install Git, then clone the Let's Encrypt repository.
$ sudo git clone https://github.com/letsencrypt/letsencrypt /opt/letsencrypt
The above command clones the letsencrypt repository into the /opt directory.
Important checks before you continue
CHECK 1 - Stop all services running on port 80 (in my case it is Nginx)
$ sudo service nginx stop
CHECK 2 - Make sure your domain names resolve to this server.
Step 2 - Generate Certificates
Use the stand-alone method for generating certificates (the client answers the domain-validation challenge with its own temporary web server, which is why Nginx had to be stopped first).
$ /opt/letsencrypt/letsencrypt-auto certonly --standalone --rsa-key-size 4096
A dialog appears in the terminal, where you will have to fill in your domain name.
The next step is to agree to the Let's Encrypt terms of service. Once you agree, you will see the path of the .pem files. They will be located in /etc/letsencrypt/live/your-domain-name/. If you encounter any error while creating the certificate, also check your firewall configuration.
The certificate expires in 90 days, so it will have to be renewed every 90 days. To renew the certificate you just need to run the renew command; writing a cron job for it lets us automate the process.
Now we can get Nginx up and running with the following command
$ sudo service nginx start
Step 3 - Generate strong Diffie-Hellman Group
It's time we step up the security of the TLS connection a bit. The ideal option is to generate our own strong Diffie-Hellman group for the key exchange instead of relying on the defaults. Use the following command to generate a 4096-bit group.
$ sudo openssl dhparam -out /etc/ssl/private/dhparams_4096.pem 4096 &
It will take a while to generate the .pem file. After it's generated you can check the /etc/ssl/private/ folder for your
Now we have to update Nginx with the dhparam configuration.
(I hope you already know how to configure Nginx for Django. If you don't, then please do check this link: Nginx setup)
A few changes have been made to the Nginx configuration, as shown below.
$ cd /etc/nginx/sites-available
$ vim rawdata (This is my configuration file name!)
After updating the Nginx configuration, restart Nginx. If the configuration edit went well, it will return an OK message.
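The server block the post refers to but does not show, as an added example (it is not the author's rawdata file): a small shell helper writes an Nginx site that redirects HTTP to HTTPS, serves TLS with the Let's Encrypt certificate and the 4096-bit DH group from Step 3, and proxies to the Django app. Assumptions: the certificate files are named fullchain.pem and privkey.pem under /etc/letsencrypt/live/<domain>/ (Let's Encrypt's standard names), and the Django app is served by gunicorn on 127.0.0.1:8000.

```shell
#!/bin/sh
# Added example, not the post's own configuration. Generates an Nginx server block
# for a Let's Encrypt site and writes it to sites-available.
# Assumed: fullchain.pem / privkey.pem under /etc/letsencrypt/live/<domain>/,
# the dhparam file from Step 3, and a Django app listening on 127.0.0.1:8000.

# render_nginx_conf DOMAIN: print the server block for DOMAIN to stdout.
render_nginx_conf() {
    domain="$1"
    cat <<EOF
# Plain HTTP: send every request to HTTPS.
server {
    listen 80;
    server_name $domain www.$domain;
    return 301 https://\$host\$request_uri;
}

server {
    listen 443 ssl;
    server_name $domain www.$domain;

    # Certificate and key issued by Let's Encrypt (Step 2).
    ssl_certificate     /etc/letsencrypt/live/$domain/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/$domain/privkey.pem;
    # Our own 4096-bit Diffie-Hellman group (Step 3).
    ssl_dhparam         /etc/ssl/private/dhparams_4096.pem;

    ssl_protocols TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384';
    ssl_session_cache shared:SSL:10m;

    # Tell browsers to use HTTPS for the next year.
    add_header Strict-Transport-Security "max-age=31536000";

    # Assumed application backend (gunicorn serving Django).
    location / {
        proxy_pass http://127.0.0.1:8000;
        proxy_set_header Host \$host;
        proxy_set_header X-Forwarded-Proto \$scheme;
        proxy_set_header X-Real-IP \$remote_addr;
    }
}
EOF
}

# install_nginx_conf DOMAIN: write the block to sites-available (NGINX_SITES
# overrides the directory, which also allows testing without root).
install_nginx_conf() {
    domain="$1"
    dir="${NGINX_SITES:-/etc/nginx/sites-available}"
    render_nginx_conf "$domain" > "$dir/$domain"
}

# check_nginx_conf: validate the whole Nginx configuration before reloading,
# so a bad edit never takes the site down on restart.
check_nginx_conf() {
    sudo nginx -t
}
```

Usage on the server: install_nginx_conf rawdatatech.com, symlink the file into /etc/nginx/sites-enabled, run check_nginx_conf, and only then restart Nginx. The key-exchange settings are what SSL Labs grades; the cipher list above only allows forward-secret ECDHE suites, so the DH group is used for no suite in that list and is kept mainly so that adding a DHE suite later picks up the strong group rather than Nginx's default.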
Hurraaayyyyy...!!!!!! We are done with all the settings. Hit the URL that you configured. Open "http://rawdatatech.com/" and it will be redirected to "https://rawdatatech.com/". If you are using Firefox, click on the lock symbol to see the details of the secure connection.
Now we can verify our SSL certificate using SSL Labs. Please go through the link given below.
I had used a 2048-bit Diffie-Hellman group for my site. But I would highly recommend using a 4096-bit group, which will give you an A+ report.
Step 4 - Setup auto Renewal
We have already discussed the Let's Encrypt certificate expiration period, which is 90 days. It is best to renew the certificates every 60 days to avoid any trouble. To enable automated renewal we are going to make use of cron jobs.
$ /opt/letsencrypt/letsencrypt-auto renew
Above is the command to renew the certificates. Now we can write a cron job that will run this command automatically every 60 days. We edit the crontab to add the new job.
$ sudo crontab -e
You will be asked to choose an editor. Pick one from the list and edit the crontab as follows.
30 2 * * 1 /opt/letsencrypt/letsencrypt-auto renew >> /var/log/le-renewal.log
35 2 * * 1 /etc/init.d/nginx reload
The first line means that the command "/opt/letsencrypt/letsencrypt-auto renew" will run every Monday at 2:30 AM (the path must be absolute, since cron does not run from /). The second line reloads Nginx 5 minutes after the first command.
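A renewal wrapper for the cron job above, as an added example (not the post's own script). Because the certificate was obtained with --standalone, the renew command needs the HTTP port free just as the initial issue did, so the wrapper stops Nginx for the duration of the renewal and brings it back afterwards whether or not the renewal succeeded; that way a failed renewal is logged instead of silently leaving the site down. The paths are the ones the post uses (/opt/letsencrypt/letsencrypt-auto, /var/log/le-renewal.log); the install path /usr/local/sbin/le-renew.sh and the *_CMD override variables are assumptions of this example.

```shell
#!/bin/sh
# Added example, not the post's own script. Assumed install path:
# /usr/local/sbin/le-renew.sh, run from root's crontab with the argument "run".
# LE_BIN, LOG, STOP_CMD and START_CMD can be overridden for testing without root.
LE_BIN="${LE_BIN:-/opt/letsencrypt/letsencrypt-auto}"
LOG="${LOG:-/var/log/le-renewal.log}"
STOP_CMD="${STOP_CMD:-service nginx stop}"
START_CMD="${START_CMD:-service nginx start}"

# log MSG: append a timestamped line to the renewal log.
log() {
    echo "$(date '+%Y-%m-%d %H:%M:%S') $1" >> "$LOG"
}

# renew_cert: stop Nginx, run the renewer, restart Nginx, log each step.
# Returns 0 when the renewer succeeded, 1 otherwise. Nginx is restarted in
# every case so that a renewal failure never leaves the site unreachable.
renew_cert() {
    log "stopping nginx to free the validation port"
    $STOP_CMD >> "$LOG" 2>&1

    if "$LE_BIN" renew >> "$LOG" 2>&1; then
        status=0
        log "renew succeeded"
    else
        status=1
        log "renew FAILED, certificate left unchanged; check the log above"
    fi

    $START_CMD >> "$LOG" 2>&1
    log "nginx started"
    return $status
}

# crontab_line: the single crontab entry that replaces the two lines in the post.
# The restart inside the wrapper makes the separate "nginx reload" entry unnecessary.
crontab_line() {
    echo "30 2 * * 1 /usr/local/sbin/le-renew.sh run"
}

# Only perform the renewal when invoked with "run", so the file can be sourced
# or inspected without side effects.
if [ "${1:-}" = "run" ]; then
    renew_cert
fi
```

The renew command only replaces certificates that are close to expiry, so running the wrapper weekly, as in the post's schedule, is safe; a run that has nothing to do exits quickly and the site is only briefly unavailable in the early-morning window. Watch /var/log/le-renewal.log for the "renew FAILED" line.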
If you want to set up advanced cronjob configurations, you can check out this link.
For more information on cron tab configuration make use of the link below.
Step 5 - Update Let's Encrypt
You need to update the Let's Encrypt client whenever an update is available. For that, do a git pull from the Let's Encrypt directory (with sudo, since the clone in Step 1 is owned by root). It will download and update your Let's Encrypt client.
$ cd /opt/letsencrypt
$ sudo git pull
PS: If you are happy with the results, please don't forget to donate to the Let's Encrypt Foundation. Spread open source!!!!