### Install Certbot Client Utility
```bash
apt-get install certbot
```
### Get Let's Encrypt Certificate
In order to obtain certificates for your domain, execute the certbot command in a console with the parameters and flags explained below. Run the command with root privileges and supply your domain name and every other subdomain you want certificates for with the -d flag. Also supply the --standalone option so that certbot does not touch the Nginx configuration files; in standalone mode certbot runs its own temporary web server on port 80 to answer the ACME validation challenge, so the Nginx server must be stopped while certificates are being issued with this option.
The certbot command syntax:
```bash
sudo certbot certonly --standalone -d yourdomain.com -d www.yourdomain.com
```
### Configure Nginx for TLS/SSL
A full default Nginx TLS configuration file for a domain should look like the file excerpt below.
/etc/nginx/sites-enabled/default-ssl file sample:
```nginx
server {
    listen 443 ssl default_server;
    listen [::]:443 ssl default_server;
    server_name www.yourdomain.com yourdomain.com;
    #server_name _;
    root /var/www/html;
    access_log /var/log/nginx/access.log;
    error_log /var/log/nginx/error.log;

    # SSL certificates: fullchain.pem holds the leaf certificate followed by the
    # intermediate; nginx needs the chain in this file, cert.pem alone would leave
    # many clients unable to validate the certificate
    ssl_certificate "/etc/letsencrypt/live/www.yourdomain.com/fullchain.pem";
    ssl_certificate_key "/etc/letsencrypt/live/www.yourdomain.com/privkey.pem";
    ssl_dhparam /etc/nginx/dhparam.pem;
    # TLSv1 and TLSv1.1 are deprecated (RFC 8996); drop them once no client needs them
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    #ssl_ciphers EECDH+CHACHA20:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5;
    ssl_session_cache shared:SSL:1m;
    ssl_session_timeout 10m;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;
    # HSTS; append "; includeSubDomains" to the value only once every subdomain is served over HTTPS
    add_header Strict-Transport-Security "max-age=31536000" always;

    location / {
        index index.php index.html index.htm;
        try_files $uri $uri/ /index.php?$args;
    }

    set $cache_uri $request_uri;

    # ACME http-01 challenge files must stay reachable for certificate renewals
    location ~ /\.well-known {
        allow all;
    }

    # pass PHP scripts to FastCGI (fastcgi_pass is only valid inside a location block)
    location ~ \.php$ {
        include snippets/fastcgi-php.conf;
        # With php-fpm (or other unix sockets):
        fastcgi_pass unix:/var/run/php/php7.0-fpm.sock;
        # With php-cgi (or other tcp sockets):
        #fastcgi_pass 127.0.0.1:9000;
    }

    # deny access to .htaccess files, if Apache's document root
    # concurs with nginx's one
    #
    #location ~ /\.ht {
    #    deny all;
    #}
}
```
### How to install Let's Encrypt Certificates in Nginx
Let's Encrypt certificates and keys are stored in the /etc/letsencrypt/live/www.yourdomain.com/ directory on Debian. Running ls against that directory reveals all certificate components: the chain file, the fullchain file, the private key and the certificate file.
```bash
ls /etc/letsencrypt/live/www.yourdomain.com/
```
To install the Let's Encrypt certificate in the Nginx TLS configuration, open the Nginx default-ssl file and update the lines below so they point at the Let's Encrypt certificate files for your domain, as shown in the following excerpt.
```bash
nano /etc/nginx/sites-enabled/default-ssl
```
Change the following lines as below (fullchain.pem rather than cert.pem, so that Nginx also sends the intermediate certificate to clients):
```nginx
ssl_certificate "/etc/letsencrypt/live/www.yourdomain.com/fullchain.pem";
ssl_certificate_key "/etc/letsencrypt/live/www.yourdomain.com/privkey.pem";
```
Also, if the ssl_dhparam statement is present in the Nginx SSL configuration, you must generate new 2048-bit Diffie–Hellman parameters by issuing the following command. Generating the Diffie–Hellman parameters can take a while, depending on the randomness (entropy) available on your system.
```bash
openssl dhparam -out /etc/nginx/dhparam.pem 2048
```
Finally, before activating the Nginx TLS configuration by restarting the Nginx daemon, first check the Nginx configuration for syntax errors. If the configuration test succeeds, restart the Nginx daemon so it loads the new configuration together with the Let's Encrypt certificates, by issuing the commands below.
```bash
nginx -t
service nginx restart
```
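nginx -t only validates syntax, not the TLS settings themselves. As an added example that is not part of this tutorial, the Python script below runs a few of the checks discussed on this page against a server block (a constructed copy of the default-ssl excerpt that still points at cert.pem and enables TLSv1): it flags a certificate path that omits the chain, deprecated protocol versions, a missing or non-always HSTS header, and a missing /.well-known location.

```python
# Constructed sample: a trimmed copy of the default-ssl excerpt from this page.
SAMPLE_CONF = """server {
    listen 443 ssl default_server;
    server_name www.yourdomain.com yourdomain.com;
    ssl_certificate "/etc/letsencrypt/live/www.yourdomain.com/cert.pem";
    ssl_certificate_key "/etc/letsencrypt/live/www.yourdomain.com/privkey.pem";
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    add_header Strict-Transport-Security "max-age=31536000" always;
    location ~ /\\.well-known {
        allow all;
    }
}
"""

DEPRECATED_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}


def directives(conf):
    """Yield (name, args) per directive or block opener; '#' starts a comment (quoted '#' not handled)."""
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip().rstrip("{;").strip()
        if not line or line == "}":
            continue
        name, _, args = line.partition(" ")
        yield name, args.strip().strip('"')


def audit(conf):
    """Return a list of findings for the server block (empty when every check passes)."""
    seen, hsts, acme = {}, None, False
    for name, args in directives(conf):
        if name == "location" and ".well-known" in args:
            acme = True  # ACME challenge path stays reachable for renewals
        elif name == "add_header" and args.startswith("Strict-Transport-Security"):
            hsts = args
        else:
            seen[name] = args
    findings = []
    if not seen.get("ssl_certificate", "").endswith("fullchain.pem"):
        findings.append("ssl_certificate should point at fullchain.pem so the intermediate is sent")
    weak = DEPRECATED_PROTOCOLS & set(seen.get("ssl_protocols", "").split())
    if weak:
        findings.append("deprecated protocols enabled: " + " ".join(sorted(weak)))
    if hsts is None:
        findings.append("no Strict-Transport-Security header")
    elif not hsts.endswith("always"):
        findings.append("HSTS header lacks 'always' and is skipped on error responses")
    if not acme:
        findings.append("no location for /.well-known (ACME renewals would fail)")
    return findings


if __name__ == "__main__":
    print(*audit(SAMPLE_CONF), sep="\n")
```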
### Force web traffic to HTTPS
To force your domain's visitors to browse your website only over HTTPS, open the Nginx sites-enabled default configuration file and add the following line, which redirects every request that hits port 80 with a 301 status code (moved permanently) to port 443.
```bash
nano /etc/nginx/sites-enabled/default
```
The redirect statement should look like the excerpt below.
```nginx
# inside the server block that listens on port 80;
# $server_name expands to the first name listed, so both names redirect to www.yourdomain.com
server_name www.yourdomain.com yourdomain.com;
return 301 https://$server_name$request_uri;
```