How to Save Hundreds of Dollars a Year on Your SSL


It has been around for a while now, but I finally got around to installing my first 100% free SSL certificate for one of our projects (http://www.flechamoney.com; for now only the app and the API are behind SSL, not yet the front page, as nothing is there yet 🙂).

Normally SSL certificates run anywhere from a few hundred to over a thousand dollars a year for one website.

So being able to install one for free is very nice :)! The good thing is that these SSL certificates are supported by pretty much all major devices, so compatibility isn't an issue.

Ok, so I created an SOP document for our other servers (Debian 8 with Nginx); here it is for you to copy and follow yourself:

Debian knowledge needed: 70%
Last modified: 4 June 2016 – Steven van der Peijl

This SOP is to install LetsEncrypt SSL certificates on our standard VPS webservers:
Debian 8 with Nginx

Resource URLs:
https://certbot.eff.org/
https://www.digitalocean.com/community/tutorials/how-to-secure-nginx-with-let-s-encrypt-on-ubuntu-16-04

Always first run:
apt-get update
apt-get upgrade

Running Debian 7? Then I recommend upgrading to Debian 8 🙂.

  1. Install CertBot from LetsEncrypt
    For debian 7:
    $: cd path/to/certbotinstall
    $: wget https://dl.eff.org/certbot-auto
    $: chmod a+x certbot-auto
    $: ./certbot-auto


    For debian 8:
    Create a file in "/etc/apt/sources.list.d/" (any name ending in .list)
    containing the line "deb http://ftp.debian.org/debian jessie-backports main" (no quotes)
    Save the file
    $: apt-get update
    $: apt-get install certbot -t jessie-backports
  2. Make "/.well-known/acme-challenge" Available
    via a public URL, e.g. site.com/.well-known/acme-challenge

    Add this block to appropriate nginx server{} block:
    location ^~ /.well-known/acme-challenge/ {
        default_type "text/plain";
    }


    Test by creating a file ping.txt in the /.well-known/acme-challenge folder and accessing it via a URL like:
    http://www.site.com/.well-known/acme-challenge/ping.txt
  3. Create Cert(s)
    Debian 7:
    $: cd path/to/certbotinstall
    $: ./certbot-auto certonly --webroot -w /var/www/publicdir -d flechamoney.com -w /var/www/publicdir/bus -d sub.flechamoney.com


    Debian 8:
    $: certbot certonly --webroot -w /var/www/www.flechamoney.com/app/advanced/frontend/web -d app.flechamoney.com -w /var/www/www.flechamoney.com/app/advanced/api/web -d api.flechamoney.com

    *LetsEncrypt does not work with wildcard SSL like *.domain.com. You could make it work with scripts that create certs on the fly, but that's not recommended (also due to limits on the number of certs you can generate).

    **Note that in the example the cert covers 2 subdomains but only 1 certificate is created. You can add more or fewer names, or create separate certificates if really needed.
  4. Check
    Check that the certificates were generated (.pem files under /etc/letsencrypt/live)
  5. Create strong DH group:
    $: openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048

    Only if it does not already exist (so check whether the file is already at that path)
  6. Create nginx conf snippets:
    Create the file /etc/nginx/snippets/ssl-example.com.conf (where example.com is the site's domain)

    With:
    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;


    and: /etc/nginx/snippets/ssl-params.conf with:
    # from https://cipherli.st/
    # and https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html

    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
    ssl_ecdh_curve secp384r1;
    ssl_session_cache shared:SSL:10m;
    ssl_session_tickets off;
    ssl_stapling on;
    ssl_stapling_verify on;
    resolver 8.8.8.8 8.8.4.4 valid=300s;
    resolver_timeout 5s;
    add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
    add_header X-Frame-Options DENY;
    add_header X-Content-Type-Options nosniff;
    ssl_dhparam /etc/ssl/certs/dhparam.pem;
  7. Now change Nginx server blocks for the site
    The redirect:

    server {
        listen serverIP:80;
        #listen [fe80::d800:9ff:fe40:7eb4]:80 ipv6only=on;
        server_name example.com;
        return 301 https://$server_name$request_uri;
    }


    And the ssl block:

    server {
        #listen serverIP:80;
        listen serverIP:443 ssl http2;
        #listen [fe80::d800:9ff:fe40:7eb4]:443 ssl http2 ipv6only=on;
        include snippets/ssl-example.com.conf;
        include snippets/ssl-params.conf;

        server_name example.com;
        root /var/www/www.example.com/web;
        # etc.
    }


    Important note: you need at least Nginx 1.9.5 installed for http2. So upgrade it if it is older. If you can't upgrade, remove the http2 part of the listen line.

    Note 2: upgrading Nginx to 1.9.5 may give some trouble with the GeoIP module; you will then need to:
    - comment out (disable) all references to GeoIP in nginx.conf
    - then fix the package by re-running apt-get or using "apt-get -f install"
    - add the line "load_module modules/ngx_http_geoip_module.so;" at the top of nginx.conf (outside any block)
    - restart nginx
    - re-enable the GeoIP references in the config files and fastcgi_params
    - restart nginx
  8. Enable cert auto-renew
    $: crontab -e
    30 2 * * 1 certbot renew --quiet
    35 2 * * 1 /etc/init.d/nginx restart


    This checks for renewal every Monday at 2:30am and renews any certificate that is 60 days old or older (LetsEncrypt certificates last 90 days, so that is 30 days before expiry). Then, 5 minutes later, it restarts Nginx to reload the cert files.
  9. Test
    https://www.ssllabs.com/ssltest/analyze.html?d=example.com

    Also run a renewal to test:
    $: certbot renew

    It should say success and that none of your certs need updating.
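The crontab in step 8 restarts Nginx every Monday whether or not anything was renewed, and steps 4 and 9 check the certificates by hand. The script below is an added example (not part of the original SOP, and not a certbot or nginx feature): it wraps the renewal so that Nginx is only reloaded, gracefully, when a fullchain.pem actually changed, and it warns about any certificate that is within 30 days of expiry, which after a renewal run means that lineage did not renew. The LIVE_DIR, RENEW_CMD and RELOAD_CMD variables and the /usr/local/sbin/renew-certs.sh path are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of the original SOP: wraps the weekly "certbot renew"
# cron job from step 8 so nginx is reloaded only when a certificate file actually
# changed, and adds the expiry check behind steps 4 and 9.
# Everything below is an assumption of this example, not certbot's or nginx's API:
#   LIVE_DIR   where certbot keeps the active certs   (default /etc/letsencrypt/live)
#   RENEW_CMD  the renewal command                     (default "certbot renew --quiet")
#   RELOAD_CMD how nginx is told to re-read its files  (default "nginx -s reload")
set -u

LIVE_DIR="${LIVE_DIR:-/etc/letsencrypt/live}"
RENEW_CMD="${RENEW_CMD:-certbot renew --quiet}"
RELOAD_CMD="${RELOAD_CMD:-nginx -s reload}"

# One checksum over every <site>/fullchain.pem below $1, so a renewal of any one
# site changes the result. cat follows certbot's symlinks into ../../archive.
# cksum is POSIX and is only used for change detection, not for integrity.
live_fingerprint() {
    for f in "$1"/*/fullchain.pem; do
        [ -e "$f" ] && cat "$f"   # the glob stays literal when no cert exists yet
    done | cksum
}

# Exit status 0 when the certificate in $1 expires within $2 days (or cannot be
# read at all, which should also be reported), 1 when it still has time left.
cert_expires_within() {
    ! openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

# Warn on stderr for every cert below $1 that expires within $2 days.
# Exit status 0 when all certs are fine, 1 when at least one warning was printed.
check_expiry() {
    dir="$1"; days="$2"; ok=0
    for f in "$dir"/*/fullchain.pem; do
        [ -e "$f" ] || continue
        if cert_expires_within "$f" "$days"; then
            echo "WARNING: $f expires within $days days" >&2
            ok=1
        fi
    done
    return $ok
}

# Run the renewal, then reload nginx only if some fullchain.pem changed.
# A graceful reload (instead of the restart in the original crontab) keeps open
# connections alive while the worker processes pick up the new files.
renew_and_reload() {
    before=$(live_fingerprint "$LIVE_DIR")
    $RENEW_CMD || { echo "renewal failed, nginx not reloaded" >&2; return 1; }
    after=$(live_fingerprint "$LIVE_DIR")
    if [ "$before" = "$after" ]; then
        echo "no certificate changed, nginx left alone"
        return 0
    fi
    echo "certificate files changed, reloading nginx"
    $RELOAD_CMD
}

# Cron entry using this file (hypothetical path /usr/local/sbin/renew-certs.sh),
# replacing both lines of the step 8 crontab:
#   30 2 * * 1 /usr/local/sbin/renew-certs.sh run
# Exit status is non-zero if the renewal failed or a cert is still close to expiry.
case "${1:-}" in
    run) renew_and_reload && check_expiry "$LIVE_DIR" 30 ;;
esac
```

The 30-day threshold matches the point at which certbot itself considers a 90-day certificate due for renewal, so a warning after a renewal run is a real failure, not noise. Newer certbot releases can trigger the reload themselves with `certbot renew --deploy-hook "nginx -s reload"`, and `certbot renew --dry-run` exercises the whole renewal path against the staging environment without touching the live certificates, which is a safer version of the test in step 9.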