Community Post

Let's Encrypt SSL Certificates for Web Applications.

navajyoth

Did you know you can get free SSL certificates? Now you can!

Let's Encrypt is a new certificate authority (CA). It is automated, open, and issues free SSL/TLS certificates.

I have set up a Let's Encrypt SSL/TLS certificate with Nginx on Ubuntu 14.04. So let's see how to set up a Let's Encrypt SSL/TLS certificate and how to enable automated renewal of it.

Prerequisites

For Let's Encrypt to work we need an Ubuntu 14.04 server and either a user with sudo or the root user. If you work as root, take extreme care during the installation: every command below runs with full privileges.

You might already have come across the story of someone who deleted an entire company with an rm -rf run as root.


The next prerequisite is a registered domain name for your Django site. If you do not have one yet, you can get one from a registrar such as GoDaddy, Namecheap, BlueHost, etc.

Now, Let's get started.

Step 1 - Install Let's Encrypt on the server.

First log in to the server, install Git (with apt-get) and clone the Let's Encrypt repository.

   $ sudo git clone https://github.com/letsencrypt/letsencrypt /opt/letsencrypt

The above command clones the letsencrypt repository into /opt/letsencrypt. (The client has since been renamed Certbot and the repository has moved to https://github.com/certbot/certbot; this post uses the name the client had at the time of writing.)

Important checks before you continue

CHECK 1 - Stop every service listening on port 80 (in my case Nginx). The standalone authenticator used below binds that port itself, so it fails if something else is already listening.

   $ sudo service nginx stop

CHECK 2 - Make sure your domain names resolve to this server: the DNS A record of every name you request must point at the server's public IP, otherwise Let's Encrypt cannot validate the domain.

Step 2 - Generate Certificates

Use the standalone method to generate the certificate. (You can also pass the names on the command line with -d your-domain-name instead of typing them into the prompt.)

     $ sudo /opt/letsencrypt/letsencrypt-auto certonly --standalone --rsa-key-size 4096

A dialog appears in the terminal asking for your domain name(s).


The next step is to agree to the Let's Encrypt terms of service. Once you agree, the client prints the paths of the .pem files. They are located in /etc/letsencrypt/live/your-domain-name/: fullchain.pem is the certificate together with the intermediate chain, and privkey.pem is the private key (the directory is readable by root only; keep it that way). If you get an error while creating the certificate, check the firewall configuration too: port 80 must be reachable from the Internet during validation.

The certificate expires after 90 days, so it has to be renewed before then. To renew it you only need to run the client's renew command; a cron job automates the process (see Step 4).

Now start Nginx again:

     $ sudo service nginx start

Step 3 - Generate a strong Diffie-Hellman group

Now let's strengthen the TLS configuration a bit. This does not change the certificate itself: it replaces the default Diffie-Hellman parameters that Nginx uses for DHE key exchange (older Nginx versions default to a 1024-bit group) with a stronger group. Use the following command to generate a 4096-bit group; the trailing & runs it in the background.

    $ sudo openssl dhparam -out /etc/ssl/private/dhparams_4096.pem 4096 &

Generating the .pem file takes a while (often many minutes). When it is done, check /etc/ssl/private/ for the file. Now we have to point Nginx at it with the ssl_dhparam directive.

(I hope you already know how to configure Nginx for Django. If you don't, please check this link: Nginx setup)

A few changes are needed in the Nginx configuration: the server block for port 80 only redirects to HTTPS, and the server block for port 443 points ssl_certificate and ssl_certificate_key at the files under /etc/letsencrypt/live/your-domain-name/ and ssl_dhparam at the group generated above.

     $ cd /etc/nginx/sites-available
     $ vim rawdata   (this is my configuration file name)

(Screenshot of the Nginx configuration, not reproduced here)

After updating the Nginx configuration, test it with nginx -t and then restart Nginx. If the edit went well, the test reports that the syntax is ok and the restart succeeds.
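Since the configuration screenshot is not reproduced here, the following is an added example (not the original post's configuration file) of the two Nginx server blocks the text describes: one on port 80 that only redirects to HTTPS, and one on port 443 that uses the Let's Encrypt files from Step 2 and the Diffie-Hellman group from Step 3. It is written as a small shell script so the domain name can be substituted and the result checked with nginx -t before it goes live. The cipher list, the HSTS header, the upstream address 127.0.0.1:8000 for the Django application server and the --render/--install flags are assumptions of this example.

```shell
#!/bin/sh
# Added example: emit an Nginx site config with TLS for a Let's Encrypt domain.
# Usage: sh nginx-tls.sh --render example.com
#        sh nginx-tls.sh --install example.com /etc/nginx/sites-available/example.com

# Print the server blocks for DOMAIN. The heredoc delimiter is quoted so that
# Nginx variables such as $host are not expanded by the shell; sed fills in
# the domain afterwards.
render_tls_server_block() {
  domain=$1
  sed "s/__DOMAIN__/$domain/g" <<'EOF'
# Port 80: answer nothing but a redirect to HTTPS.
server {
    listen 80;
    server_name __DOMAIN__ www.__DOMAIN__;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name __DOMAIN__ www.__DOMAIN__;

    # Files written by letsencrypt-auto certonly (Step 2). fullchain.pem holds
    # the certificate plus the intermediate; never serve cert.pem alone.
    ssl_certificate     /etc/letsencrypt/live/__DOMAIN__/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/__DOMAIN__/privkey.pem;

    # Group generated in Step 3; it is used only by the DHE-* suites below.
    ssl_dhparam /etc/ssl/private/dhparams_4096.pem;

    # TLS 1.2 only; forward-secret AEAD suites, server order preferred.
    ssl_protocols TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256';
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;

    # HSTS for one year. SSL Labs requires this for an A+ grade; add it only
    # once you are sure every host under this name works over HTTPS.
    add_header Strict-Transport-Security "max-age=31536000";

    # Assumption: the Django application server listens on 127.0.0.1:8000.
    location / {
        proxy_pass http://127.0.0.1:8000;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-Proto https;
    }
}
EOF
}

# Write the config for DOMAIN to PATH and check it with nginx -t before it is
# enabled; nginx's exit status is returned so a broken config stops the caller.
install_tls_server_block() {
  domain=$1
  path=$2
  render_tls_server_block "$domain" > "$path" || return 1
  nginx -t
}

case "${1:-}" in
  --render)  render_tls_server_block "$2" ;;
  --install) install_tls_server_block "$2" "$3" ;;
esac
```

After installing the file, symlink it into /etc/nginx/sites-enabled and reload Nginx. The ECDHE suites do not use ssl_dhparam at all; the DHE suites at the end of the list are the ones the 4096-bit group from Step 3 protects.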

Hurray! We are done with all the settings. Open the URL you configured: for example "http://rawdatatech.com/" is redirected to "https://rawdatatech.com/". If you are using Firefox, click the lock symbol in the address bar to see the details of the secure connection.

Now we can verify the TLS configuration with the SSL Labs server test:

https://www.ssllabs.com/ssltest/

I used a 2048-bit Diffie-Hellman group for my site. I would recommend a 4096-bit group instead. Note that SSL Labs also requires HSTS (the Strict-Transport-Security header) before it awards an A+ rating, so the DH group alone is not enough.

Step 4 - Set up auto renewal

As discussed, Let's Encrypt certificates expire after 90 days. Renewing well before then avoids any trouble, so we automate it with a cron job. The client's renew command only re-issues certificates that are within 30 days of expiry and leaves the others alone, so it is safe to run it often.

     $ sudo /opt/letsencrypt/letsencrypt-auto renew

The above command renews every certificate under /etc/letsencrypt that is due. Because the certificate was issued with the standalone authenticator, renew needs the validation port free as well: either stop Nginx around the renewal, or re-issue the certificate with the webroot authenticator so that Nginx can keep running. Now we write a cron job that runs the command every week. Edit root's crontab:

      $ sudo crontab -e

You will be asked to choose an editor. Pick one and add the following lines:

30 2 * * 1 /opt/letsencrypt/letsencrypt-auto renew >> /var/log/le-renewal.log 2>&1
35 2 * * 1 /etc/init.d/nginx reload

The first line runs "/opt/letsencrypt/letsencrypt-auto renew" every Monday at 2:30 AM and appends its output to the log file. The second line reloads Nginx five minutes later so it picks up the new certificate files (a reload is harmless when nothing was renewed). Check the log after the first run to confirm the renewal actually succeeded.

If you want to set up advanced cronjob configurations, you can check out this link.

http://crontab.guru/

For more information on cron tab configuration make use of the link below.

Cron basic installation and setup
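The two cron lines above run unconditionally: they reload Nginx even when the renewal failed, and with the standalone authenticator the renewal itself fails while Nginx holds the port. The following is an added example (not the original post's cron job) of a renewal helper that covers both cases: it checks how long the current certificate is still valid with openssl, renews only when it is due, stops Nginx only for the duration of the renewal, and logs failures instead of silently serving an expiring certificate. The paths, the 30-day threshold and the --renew flag are assumptions of this example.

```shell
#!/bin/sh
# Added example: renewal helper for a certificate issued with --standalone.
# Run it from cron, e.g. daily:  17 3 * * * /usr/local/sbin/le-renew.sh --renew example.com
# Assumed paths (override through the environment):
LE_CLIENT="${LE_CLIENT:-/opt/letsencrypt/letsencrypt-auto}"
LIVE_DIR="${LIVE_DIR:-/etc/letsencrypt/live}"
RENEW_DAYS="${RENEW_DAYS:-30}"        # renew when fewer than this many days remain
LOG="${LOG:-/var/log/le-renewal.log}"

log() { printf '%s %s\n' "$(date -u '+%Y-%m-%dT%H:%M:%SZ')" "$*" >>"$LOG"; }

# cert_expires_within CERT DAYS: exit 0 if CERT expires within DAYS days,
# 1 if it stays valid beyond that window, 2 if CERT cannot be read.
cert_expires_within() {
  cert=$1
  seconds=$(( $2 * 86400 ))
  openssl x509 -in "$cert" -noout >/dev/null 2>&1 || return 2
  # -checkend exits 0 when the certificate is still valid SECONDS from now.
  if openssl x509 -in "$cert" -noout -checkend "$seconds" >/dev/null 2>&1; then
    return 1
  fi
  return 0
}

# renew_domain DOMAIN: renew DOMAIN's certificate if it is due. Nginx is
# stopped only while the standalone authenticator needs the port, and is
# started again whether or not the renewal succeeded.
renew_domain() {
  domain=$1
  cert="$LIVE_DIR/$domain/fullchain.pem"
  if cert_expires_within "$cert" "$RENEW_DAYS"; then rc=0; else rc=$?; fi
  case $rc in
    1) log "$domain: more than $RENEW_DAYS days left, nothing to do"; return 0 ;;
    2) log "$domain: cannot read $cert"; return 2 ;;
  esac
  service nginx stop >>"$LOG" 2>&1
  "$LE_CLIENT" renew --quiet >>"$LOG" 2>&1
  status=$?
  service nginx start >>"$LOG" 2>&1
  if [ "$status" -ne 0 ]; then
    log "$domain: renewal FAILED (exit $status); the old certificate is still in use"
    return 1
  fi
  log "$domain: renewed, Nginx restarted"
  return 0
}

case "${1:-}" in
  --renew) renew_domain "$2" ;;
esac
```

The expiry check is done against fullchain.pem, the file Nginx actually serves, so the script notices when a renewal wrote new files but Nginx was never restarted. With the webroot authenticator the stop/start pair can be dropped and replaced by a plain reload after a successful renew.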

Step 5 - Update Let's Encrypt

Update the Let's Encrypt client whenever a new release is available. For that, run git pull in the Let's Encrypt directory; it downloads and applies the update. (letsencrypt-auto also upgrades itself on each run unless you pass --no-self-upgrade.)

     $ cd /opt/letsencrypt
     $ git pull

PS: If you are happy with the results, please don't forget to donate to Let's Encrypt. Spread open source!

https://letsencrypt.org/