NGINX - SSL Certificates

A website without a certificate is unthinkable today. For this blog I think it is unnecessary to buy an expensive commercial certificate, so I chose Let’s Encrypt. At https://certbot.eff.org there is an excellent description of how you can configure this yourself on your own server.

Since Let’s Encrypt’s inception in 2016, several ways have been developed to use their free certificates. Certbot might be the most popular. There are several ways to install “certbot” (formerly “letsencrypt”). Ubuntu currently uses a so-called “snap” (https://snapcraft.io/about) to install “certbot”. Many roads lead to Rome; this is just one of them.

$ sudo snap install core
$ sudo snap refresh core

Install “certbot”

$ sudo snap install --classic certbot

You want to symlink the certbot binary into /usr/bin. This way the command is available in your PATH.

$ sudo ln -s /snap/bin/certbot /usr/bin/certbot

Assuming you have installed NGINX beforehand, you can obtain a Let’s Encrypt certificate and configure NGINX in a single command:

$ sudo certbot --nginx

Since the certificate you just obtained is valid for just 3 months, you want to make sure the automatic renewal process is operational:

$ sudo certbot renew --dry-run

Your output should look similar to this:

Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/bitstrom.nl.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator nginx, Installer nginx
Account registered.
Simulating renewal of an existing certificate for bitstrom.nl and www.bitstrom.nl
Performing the following challenges:
http-01 challenge for bitstrom.nl
http-01 challenge for www.bitstrom.nl
Waiting for verification...
Cleaning up challenges

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
new certificate deployed with reload of nginx server; fullchain is
/etc/letsencrypt/live/bitstrom.nl/fullchain.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations, all simulated renewals succeeded:
  /etc/letsencrypt/live/bitstrom.nl/fullchain.pem (success)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Certbot does a little more than just request a new certificate from Let’s Encrypt. It also adds some configuration lines to your NGINX configuration. Especially /etc/letsencrypt/options-ssl-nginx.conf is interesting.

ssl_session_cache shared:le_nginx_SSL:10m;
ssl_session_timeout 1440m;
ssl_session_tickets off;

ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers off;

ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384";

ssl_session_cache shared:le_nginx_SSL:10m; defines a session cache shared between worker processes. It has an arbitrary name and a default size of 10m. It holds about 4000 sessions.

ssl_session_timeout 1440m; defines the window during which a cached session can be reused.

ssl_session_tickets off; enables or disables session resumption through TLS session tickets; here they are turned off.

ssl_protocols TLSv1.2 TLSv1.3; enables only those TLS protocol versions which are still trusted.

ssl_prefer_server_ciphers off; lets the client choose the cipher suite.

ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:<SNIP>:DHE-RSA-AES256-GCM-SHA384"; but restricts the choice to the cipher suites that are still trusted.

Since /etc/letsencrypt/options-ssl-nginx.conf is generated by “certbot”, I don’t want to touch it. But I do want to add one last directive:

add_header Strict-Transport-Security "max-age=63072000" always;

HTTP Strict Transport Security (HSTS) is a mechanism to force clients to use HTTPS. It can help protect the website against man-in-the-middle attacks.
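As an added example (not certbot's code and not from the original post), here is a small shell lint for the directives discussed above: it flags deprecated TLS versions, session tickets left on, and a missing or short HSTS max-age. The file names and both sample configs are constructed inline.

```shell
# Added example (not certbot's or the post's code): lint the TLS directives
# discussed above. File names and both sample configs are constructed here.
# check_tls_conf FILE -> prints findings, returns 0 if clean, 1 otherwise
check_tls_conf() {
    file="$1"; rc=0
    conf=$(sed 's/#.*//' "$file")   # drop comments before matching
    # ssl_protocols: anything older than TLSv1.2 is no longer trusted
    protocols=$(printf '%s\n' "$conf" | awk '$1=="ssl_protocols"{$1="";print}')
    case "$protocols" in
        *SSLv2*|*SSLv3*|*"TLSv1 "*|*"TLSv1;"*|*TLSv1.1*)
            echo "WEAK: ssl_protocols enables a deprecated version:$protocols"; rc=1 ;;
    esac
    # ssl_session_tickets: certbot turns them off; nginx does not rotate the
    # ticket key, so a long-lived key undermines forward secrecy
    tickets=$(printf '%s\n' "$conf" | awk '$1=="ssl_session_tickets"{print $2}' | tr -d ';')
    [ "$tickets" = "off" ] || { echo "WEAK: ssl_session_tickets is not off"; rc=1; }
    # HSTS: require the header with a max-age of at least one year (31536000 s)
    maxage=$(printf '%s\n' "$conf" | grep -i 'Strict-Transport-Security' |
             sed -n 's/.*max-age=\([0-9][0-9]*\).*/\1/p' | head -n 1)
    if [ -z "$maxage" ]; then
        echo "WEAK: no Strict-Transport-Security header"; rc=1
    elif [ "$maxage" -lt 31536000 ]; then
        echo "WEAK: HSTS max-age $maxage is shorter than one year"; rc=1
    fi
    return "$rc"
}

# Constructed sample 1: the certbot-generated settings plus the HSTS header
GOOD_CONF=$(mktemp)
cat > "$GOOD_CONF" <<'EOF'
ssl_session_tickets off;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers off;
add_header Strict-Transport-Security "max-age=63072000" always;
EOF
# Constructed sample 2: a hand-written server block with the weak choices
WEAK_CONF=$(mktemp)
cat > "$WEAK_CONF" <<'EOF'
ssl_session_tickets on;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
add_header Strict-Transport-Security "max-age=300";
EOF
check_tls_conf "$GOOD_CONF" && echo "ok: $GOOD_CONF"
check_tls_conf "$WEAK_CONF" || echo "findings above for $WEAK_CONF"
```

Point it at the real /etc/letsencrypt/options-ssl-nginx.conf and your server block to confirm nothing has drifted after an edit.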

Most of this configuration comes straight out of the box. This should equip you with a decently secure HTTPS configuration. You can always test your work using https://www.ssllabs.com/ssltest/. You might want to use the option “Do not show the results on the boards”. This way your site does not attract any unnecessary attention when you don’t get the configuration right the first time.