SSL for everyone

Spending a large monthly bill on SSL certificates is unnecessary; here is how to get them for free from Let's Encrypt. I was using Amazon Linux (CentOS-based). Note that certbot-auto, the wrapper script used below, has since been deprecated by the Certbot project: on a current system install certbot from your distribution's packages or as a snap and use certbot wherever ./certbot-auto appears below.


Switch to root

sudo su

Let's keep things tidy and work from a dedicated directory

mkdir certbot
cd certbot

Download certbot-auto. Since this script is going to run as root, verify EFF's detached signature (certbot-auto.asc, published alongside it) with gpg before executing it.

curl -O https://dl.eff.org/certbot-auto

Make it executable

chmod +x certbot-auto

Now ask certbot to issue a certificate for example.com (replace example.com with your domain). The standalone authenticator starts its own temporary web server to answer the validation challenge, so the port it needs (80 for http-01; 443 for the tls-sni-01 challenge shown in the output below, which Let's Encrypt has since retired) must not already be held by nginx; stop nginx first if it is.

./certbot-auto certonly --standalone -d example.com

That's it; you should see a message like the one below (this output is from 2017, when the tls-sni-01 challenge was still offered).

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Obtaining a new certificate
Performing the following challenges:
tls-sni-01 challenge for example.com
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at
/etc/letsencrypt/live/example.com/fullchain.pem. Your cert
will expire on 2017-10-04. To obtain a new or tweaked version of
this certificate in the future, simply run certbot-auto again. To
non-interactively renew *all* of your certificates, run
"certbot-auto renew"
- If you like Certbot, please consider supporting our work by:

Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le

Let's Encrypt certificates expire after 90 days, so don't renew by hand: add a daily cron job that runs certbot-auto renew, which only renews certificates that are within 30 days of expiry and does nothing otherwise.

crontab -e

Press the i key and paste the line below. It runs at 03:00 every day; adjust the path if you created the certbot directory somewhere else (sudo su keeps the current directory, so the directory created above lives under the home directory you started in). Because the standalone authenticator needs its port free, nginx is stopped before and started after the renewal; certbot-auto runs these hooks only when a certificate is actually due, so on other days nginx is untouched.

0 3 * * * /home/ec2-user/certbot/certbot-auto renew --quiet --pre-hook "service nginx stop" --post-hook "service nginx start"

Press Escape, type :wq and press Enter.

Now update the nginx configuration

vi /etc/nginx/nginx.conf

Replace example.com in the snippet below with your domain (without the http:// or https:// prefix) and paste it inside the http { } block, just before its closing }. The stock server block on port 80 keeps serving plain HTTP; once HTTPS works, make it redirect to https:// so visitors never stay on the unencrypted port.

server {
        listen       443 ssl http2 default_server;
        listen       [::]:443 ssl http2 default_server;
        server_name  example.com;
        root         /usr/share/nginx/html;
        # fullchain.pem = leaf + intermediate; privkey.pem is readable by root only,
        # which is fine because the nginx master process reads it at startup
        ssl_certificate "/etc/letsencrypt/live/example.com/fullchain.pem";
        ssl_certificate_key "/etc/letsencrypt/live/example.com/privkey.pem";
        # It is *strongly* recommended to generate unique DH parameters
        # Generate them with: openssl dhparam -out /etc/pki/nginx/dhparams.pem 2048
        #ssl_dhparam "/etc/pki/nginx/dhparams.pem";
        ssl_session_cache shared:SSL:1m;
        ssl_session_timeout  10m;
        # TLS 1.0 and 1.1 are deprecated and should not be offered. TLSv1.3 requires
        # nginx 1.13+ built against OpenSSL 1.1.1+; drop that token on older builds.
        ssl_protocols TLSv1.2 TLSv1.3;
        ssl_ciphers HIGH:SEED:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!RSAPSK:!aDH:!aECDH:!EDH-DSS-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!SRP;
        ssl_prefer_server_ciphers on;

        # Load configuration files for the default server block.
        include /etc/nginx/default.d/*.conf;

        location / {
        }

        # the location must match the page named in error_page
        error_page 404 /404.html;
            location = /404.html {
        }

        error_page 500 502 503 504 /50x.html;
            location = /50x.html {
        }
    }

Check the configuration for syntax errors, then restart nginx

 nginx -t && service nginx restart
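The cron job and the nginx TLS settings above are both things you want to be able to check before trusting them to run unattended. The script below is an added example, not code from the original post or from the Certbot project: it assumes certbot-auto lives at /home/ec2-user/certbot/certbot-auto, that nginx is managed with service, and that the certificate and config are at the paths used above (all hypothetical and overridable through the CERTBOT, CERT and NGINX_CONF environment variables). needs_renewal uses openssl's -checkend to tell whether a certificate is inside the 30-day renewal window, has_legacy_tls flags an nginx config that still enables TLS 1.0 or 1.1, and renew_command builds the certbot-auto invocation with the pre/post hooks that free the port for the standalone authenticator.

```shell
#!/bin/sh
# Added example (not from the original post): renewal wrapper for the cron job
# plus a check of the nginx TLS settings. Paths are hypothetical; override via env.
set -eu

CERTBOT=${CERTBOT:-/home/ec2-user/certbot/certbot-auto}
NGINX_CONF=${NGINX_CONF:-/etc/nginx/nginx.conf}
CERT=${CERT:-/etc/letsencrypt/live/example.com/fullchain.pem}

# Exit 0 if the PEM certificate in $1 expires within $2 days (default 30, the
# window in which "certbot-auto renew" acts). An unreadable cert also counts as
# needing attention, so the caller never silently skips a broken deployment.
needs_renewal() {
    days=${2:-30}
    # openssl's -checkend returns 0 only when the cert is still valid past the
    # given number of seconds from now.
    if openssl x509 -in "$1" -noout -checkend $(( days * 86400 )) >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# Exit 0 if the nginx config in $1 still enables TLS 1.0 or TLS 1.1 (both
# deprecated). Matches "TLSv1" or "TLSv1.1" as a whole token on an ssl_protocols
# line, so "TLSv1.2" and "TLSv1.3" do not trigger it.
has_legacy_tls() {
    grep -E '^[[:space:]]*ssl_protocols[[:space:]].*TLSv1(\.1)?[[:space:];]' "$1" >/dev/null
}

# The certbot-auto command cron should run. The standalone authenticator needs its
# port free (80 for http-01; 443 for the retired tls-sni-01), so nginx is stopped
# before and started after; certbot runs these hooks only when a cert is due.
renew_command() {
    printf '%s renew --quiet --pre-hook "service nginx stop" --post-hook "service nginx start"\n' "$CERTBOT"
}

# Entry point for cron: warn about weak TLS settings, then renew only when needed.
if [ "${1:-}" = "run" ]; then
    if has_legacy_tls "$NGINX_CONF"; then
        echo "warning: $NGINX_CONF still enables TLS 1.0/1.1" >&2
    fi
    if needs_renewal "$CERT" 30; then
        sh -c "$(renew_command)"
    else
        echo "$CERT is not due for renewal yet"
    fi
fi
```

Save it as, for example, /home/ec2-user/certbot/renew.sh (hypothetical path) and point the cron line at it with the argument run; the same script can be sourced from a monitoring check to alert when needs_renewal starts returning 0 without the cron job having succeeded.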

Boom! Your server is now secured with TLS. Verify it from another machine with a browser or a TLS scanner, and confirm that unattended renewal works by running the cron command once by hand with --dry-run appended.

I would like to thank Let's Encrypt for keeping servers secure for free.
