Nginx and Let's Encrypt Next-Gen-Setup


Make Nginx even easier with Let’s Encrypt

You may have read my article about securing Nginx with Let's Encrypt and found the link to this article at the end of that one.

In this short article I would like to show you an alternative way to run Nginx with Let's Encrypt that is even simpler, together with my small shell script that fully automates the renewal of your SSL certificates.

At this point, I’d also like to thank Mitchell Anicas, whose script served me as a template.

Preparations

The easiest way is to spin up a new cloud server and install a few packages on it. I mostly use Debian and install the necessary packages with 'apt-get install'.

Since the installation and configuration are described in detail in the article mentioned above, I will skip the explanations here and only list the necessary commands. So, let's go:

apt-get install bc git vim psmisc nginx openssl

Next, create a DNS A record for the domain you want to use (and an AAAA record if the server has a public IPv6 address, since the configuration below also listens on [::]). Depending on the provider, DNS changes may take a few minutes to propagate. The Let's Encrypt validation servers will connect to that address on port 80 from the public internet, so the record must resolve to this server and port 80 must not be blocked by a firewall before you request the certificate.

Now go to the directory '/etc/nginx/sites-enabled/' and open the default configuration file there. Change the entries as follows. Note that the SSL part is not activated yet: I have commented it out with '#' and will enable it once the certificate exists.

Replace in the configuration “YourDomain.TLD” by the domain for which you have already created the DNS entry:

server {
    listen 80;
    listen [::]:80;

    server_name YourDomain.TLD;

    # TLS part, commented out until the first certificate has been issued.
    # The "live" directory holds symlinks to the current certificate files.
    #listen 443 ssl;
    #listen [::]:443 ssl;
    #ssl_certificate /etc/letsencrypt/live/YourDomain.TLD/fullchain.pem;
    #ssl_certificate_key /etc/letsencrypt/live/YourDomain.TLD/privkey.pem;

    # TLS 1.0 and 1.1 are deprecated (RFC 8996) and are left out here;
    # add TLSv1.3 if your Nginx (>= 1.13.0) is built against OpenSSL >= 1.1.1.
    #ssl_protocols TLSv1.2;
    #ssl_prefer_server_ciphers on;
    #ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';

    # Hand ACME HTTP-01 challenge requests to the Let's Encrypt client, which
    # listens on port 60000 only while a certificate is being issued or renewed.
    # "^~" is a prefix match that takes precedence over regex locations.
    location ^~ /.well-known/acme-challenge/ {
        proxy_pass http://localhost:60000;
    }

    root /var/www/;
    index index.php index.html index.htm;
}

You will notice the new entry 'location ^~ /.well-known/acme-challenge/'. This block makes sure that the validation requests from the Let's Encrypt server are proxied to a different backend so that the domain can be verified; it is not an HTTP redirect, Nginx fetches the answer from localhost:60000 itself and returns it to the requester. The '^~' prefix match also wins over any regular-expression locations you may add later (for PHP or rewrite rules, for example), so the challenge path cannot be captured by them.

Test the configuration with 'nginx -t' and reload Nginx after modifying it; a reload is sufficient, a full restart is not needed.

Let’s Encrypt configuration and first SSL certificate

Now clone the Let's Encrypt client repository to /opt. (The project has since been renamed to Certbot, and github.com/letsencrypt/letsencrypt redirects there; the 'letsencrypt-auto' wrapper used below is no longer maintained. On a current system you would install the 'certbot' package from your distribution instead; it reads the same '/etc/letsencrypt/cli.ini' and offers the same 'certonly' command.)

$ git clone https://github.com/letsencrypt/letsencrypt /opt/letsencrypt
Cloning into '/opt/letsencrypt'...
remote: Counting objects: 28778, done.
remote: Compressing objects: 100% (66/66), done.
remote: Total 28778 (delta 34), reused 0 (delta 0), pack-reused 28712
Receiving objects: 100% (28778/28778), 7.56 MiB | 4.67 MiB/s, done.
Resolving deltas: 100% (20238/20238), done.
Checking connectivity... done.

Create the directory '/etc/letsencrypt/':

mkdir -p /etc/letsencrypt

Now create a file named 'cli.ini' in the directory you just created. The following content is sufficient to start with. Replace the email address with your own: Let's Encrypt attaches it to your ACME account and sends certificate expiry warnings to it. (It is not needed to access the private key, which is stored locally in /etc/letsencrypt and never leaves your server.)

# /etc/letsencrypt/cli.ini: long option names without the leading dashes
rsa-key-size = 4096
email = email@domain.TLD
authenticator = standalone
# Use only the HTTP-01 challenge (port 80, proxied by Nginx). Newer Certbot
# versions replaced this option with "preferred-challenges = http-01".
standalone-supported-challenges = http-01

Now go to the directory '/opt/letsencrypt/' and call the Let's Encrypt client as root (it writes the account and certificate files to /etc/letsencrypt). Replace 'YourDomain.TLD' again:

# --renew-by-default forces issuance even if a certificate for the domain already exists
./letsencrypt-auto certonly --domains YourDomain.TLD --renew-by-default --agree-tos --http-01-port 60000

Voilà! A certificate should now have been issued. You will find it in the directory
'/etc/letsencrypt/live/YourDomain.TLD/'. The files there (fullchain.pem, privkey.pem and so on) are symlinks to the current versions in '/etc/letsencrypt/archive/', so the paths in the Nginx configuration stay valid across renewals.

Now open the Nginx configuration again and remove the comment signs '#' in front of the SSL part of the configuration, so that it reads:

listen 443 ssl;
listen [::]:443 ssl;
ssl_certificate /etc/letsencrypt/live/YourDomain.TLD/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/YourDomain.TLD/privkey.pem;

# TLS 1.0 and 1.1 are deprecated; add TLSv1.3 with Nginx >= 1.13.0 and OpenSSL >= 1.1.1
ssl_protocols TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';

Now test the configuration with 'nginx -t', reload Nginx and check that it answers on port 443, e.g. with your browser or with openssl s_client. The connection is now encrypted with your new Let's Encrypt certificate. Keep the private key readable by root only; this is fine for Nginx because its master process starts as root and reads the key before handing connections to the unprivileged worker processes. Note that port 80 still serves the site unencrypted: the usual next step is to redirect HTTP to HTTPS while leaving the acme-challenge location on port 80 in place, because the renewals described below still use it.

What happened?

You requested a new certificate for your domain from Let's Encrypt. To validate that you are entitled to a certificate for that domain (the ACME 'HTTP-01' challenge), the Let's Encrypt validation server sent an HTTP request to your web server on port 80.

The request went to 'http://YourDomain.TLD/.well-known/acme-challenge/$TOKEN'. Nginx matched this path and proxied the request to the backend at http://localhost:60000 (it is not a redirect: Nginx fetches the answer itself and returns it). This is what the configuration line 'proxy_pass http://localhost:60000;' does.

On localhost port 60000, the Let's Encrypt client had started its own small web server for the duration of the validation (parameter --http-01-port 60000). It answered with the 'key authorization' for $TOKEN: the token, a dot, and a hash (the JWK thumbprint) of your ACME account key. Only the holder of that account key can produce this answer, and it was served under your domain, so Let's Encrypt accepted that you control the domain. The validation requests come from Let's Encrypt's servers on the public internet, which is why port 80 must be reachable from outside.
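To make the exchange concrete, here is an added example in Python (standard library only) of the two halves of the HTTP-01 challenge described above: the body the client's temporary server publishes under the token path, and the comparison the Let's Encrypt validator performs after fetching it. It is not code from the Let's Encrypt client; the account key and token are constructed sample values, and the key-authorization format follows RFC 8555 section 8.1 with the JWK thumbprint of RFC 7638.

```python
"""ACME HTTP-01 challenge: what the client serves and what the CA checks.

Added illustration (stdlib only), not the Let's Encrypt client's own code.
Key authorization = token "." base64url(SHA-256(canonical JWK)) per
RFC 8555 section 8.1 and RFC 7638. Account key and token are constructed.
"""
import base64
import hashlib
import json

# Constructed sample data: a made-up RSA public JWK standing in for the ACME
# account key, and a made-up token (real tokens are random, chosen by the CA).
ACCOUNT_JWK = {"kty": "RSA", "e": "AQAB", "n": "sample-modulus-not-a-real-key"}
TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"

# RFC 7638: only the required members of the key type, in lexicographic
# order, serialised without whitespace, contribute to the thumbprint.
REQUIRED_MEMBERS = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}


def b64url(data: bytes) -> str:
    """Base64url without padding, as used throughout ACME."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint of the account's public key."""
    members = REQUIRED_MEMBERS[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in members},
                           separators=(",", ":"), sort_keys=True)
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, jwk: dict) -> str:
    """The body the client serves at /.well-known/acme-challenge/<token>."""
    return f"{token}.{jwk_thumbprint(jwk)}"


def challenge_path(token: str) -> str:
    return f"/.well-known/acme-challenge/{token}"


# -- client side: the tiny web server the client starts on port 60000 --
def build_challenge_server(token: str, jwk: dict) -> dict:
    """Path -> response body, i.e. the only thing the standalone server serves."""
    return {challenge_path(token): key_authorization(token, jwk)}


def serve(server: dict, path: str):
    """Look up a path as the standalone server would; None means HTTP 404."""
    return server.get(path)


# -- CA side: what the Let's Encrypt validator checks after fetching the URL --
def validate(fetched_body, token: str, jwk: dict) -> bool:
    """Accept only the exact key authorization; RFC 8555 lets the CA ignore
    trailing whitespace, anything else (404, wrong token, wrong key) fails."""
    if fetched_body is None:
        return False
    return fetched_body.rstrip() == key_authorization(token, jwk)


if __name__ == "__main__":
    server = build_challenge_server(TOKEN, ACCOUNT_JWK)
    body = serve(server, challenge_path(TOKEN))
    print("served:", body)
    print("valid:", validate(body, TOKEN, ACCOUNT_JWK))
```

The validator never learns the private account key; it only needs the public JWK that the client registered with the CA, which is why a server that merely answers 200 to everything under /.well-known/acme-challenge/ cannot pass the check.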

Automate Let’s Encrypt

So that you no longer have to worry about renewing the certificates, I have built a small proof of concept. You can find the script in our BitBucket account. Just download it and save it on your server (and, as with any script you are about to run as root, read through it first):

wget https://bitbucket.org/gridscale/letsencrypt/raw/HEAD/le-autorenew.sh -O /usr/local/sbin/le-autorenew.sh

Open the file with an editor and first set the parameter 'exp_limit' (line 8 of the script) to e.g. 30: the number of days before expiry at which a renewal is attempted. Let's Encrypt certificates are valid for 90 days, and renewing with 30 days left is the margin Let's Encrypt itself recommends, so a failed renewal still leaves time to notice and fix it. Then give the script execute permission:

chmod 750 /usr/local/sbin/le-autorenew.sh

Now test the script by running 'le-autorenew.sh' in the console. If everything goes well, you receive a message that there is currently nothing to do and that a renewal will be due again in X days.

Then set up a cron job so that the check runs once a day. Open the cron editor with 'crontab -e' (as root, the user that owns /etc/letsencrypt) and add:

# daily at 02:15; capture stderr as well so failed renewals show up in the log
15 2 * * * /usr/local/sbin/le-autorenew.sh >> /var/log/le-autorenew.log 2>&1

Congratulations, you have successfully configured Nginx with Let’s Encrypt.
