Installing the Let's Encrypt client on the server
Connect to the server via SSH and change to a working directory, for example the home directory:
cd /home/
This is where we will install the Let's Encrypt client. For that we need git. If git is already installed on your server, simply run the following commands:
git clone https://github.com/letsencrypt/letsencrypt
cd letsencrypt
If you do not have git, either install it with the following command:
apt-get install git
Or just download and unpack the .zip archive from the GitHub repository:
wget https://github.com/letsencrypt/letsencrypt/archive/master.zip
unzip master.zip
mv letsencrypt-master letsencrypt
cd letsencrypt
Check that the client was installed correctly:
./letsencrypt-auto --help
In response you will see the client's help text. Let's Encrypt is ready to use.
Creating an SSL certificate for HTTPS on the site
Now we create the Let's Encrypt certificate. The standalone mode used below needs port 80 to itself, so you must first stop nginx:
service nginx stop
and run the command that creates the SSL certificate:
./letsencrypt-auto certonly --standalone -d devreadwrite.com -d www.devreadwrite.com
Upon successful creation of the certificate for HTTPS you will see output roughly like the following:
Do not forget to replace the domain name devreadwrite.com with your own.
While creating the certificate you will be prompted for an e-mail address, which is used for important notices and for recovering the key if necessary. Next you have to accept the license agreement. The SSL certificate and the whole chain are stored under the following path: /etc/letsencrypt/live/devreadwrite.com/
SSL certificate files
The folder /etc/letsencrypt/live/devreadwrite.com/ will contain the following files:
privkey.pem - the private key for the certificate. In Apache it is used by the SSLCertificateKeyFile directive, in Nginx by the ssl_certificate_key directive. Keep it readable by root only: anyone who can read this file can impersonate the site.
cert.pem - the server certificate. Used by the Apache SSLCertificateFile directive.
chain.pem - the intermediate certificates the browser needs to validate cert.pem (the whole chain except cert.pem itself). Used by the Apache SSLCertificateChainFile directive.
fullchain.pem - the whole chain (cert.pem followed by chain.pem). Used by the Nginx ssl_certificate directive.
The certificate is ready to use. Do not forget to start Nginx again:
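Before pointing a web server at these files it is worth checking that they fit together. The following script is an added example and is not part of the original post or of the Let's Encrypt client; it assumes only the four file names listed above and standard POSIX tools (cat, cmp, grep, find). It verifies that fullchain.pem really is cert.pem followed by chain.pem (which is why Nginx takes the one file while Apache takes the two) and warns when the private key is readable by other users.

```shell
#!/bin/sh
# Added example (not from the original post): sanity-check a Let's Encrypt
# "live" directory before configuring Nginx or Apache with it.

# Number of PEM certificate blocks in a file.
count_certs() {
    grep -c 'BEGIN CERTIFICATE' "$1"
}

# Returns 0 when the directory is consistent, 1 (with a message) otherwise.
check_live_dir() {
    dir=$1
    for f in privkey.pem cert.pem chain.pem fullchain.pem; do
        [ -r "$dir/$f" ] || { echo "missing or unreadable: $dir/$f"; return 1; }
    done

    # privkey.pem must hold a private key, not a certificate
    grep -q 'PRIVATE KEY' "$dir/privkey.pem" \
        || { echo "privkey.pem does not contain a private key"; return 1; }

    # fullchain.pem must be exactly cert.pem followed by chain.pem
    cat "$dir/cert.pem" "$dir/chain.pem" | cmp -s - "$dir/fullchain.pem" \
        || { echo "fullchain.pem is not cert.pem + chain.pem"; return 1; }

    # the private key should not be readable by other users
    # (-L follows the symlinks that live/ points into archive/)
    if [ -n "$(find -L "$dir/privkey.pem" -perm -004)" ]; then
        echo "warning: privkey.pem is world-readable"
    fi

    echo "cert.pem: $(count_certs "$dir/cert.pem") certificate(s)," \
         "chain.pem: $(count_certs "$dir/chain.pem")," \
         "fullchain.pem: $(count_certs "$dir/fullchain.pem")"
    return 0
}

# Usage: sh check-live.sh /etc/letsencrypt/live/devreadwrite.com
if [ $# -eq 1 ]; then
    check_live_dir "$1"
fi
```

Run it as root, since the private key is (and should be) unreadable for other accounts; a non-zero exit status means the directory should not be used until the problem is understood.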
service nginx start
Now we can enable HTTPS on the site.
Configuring HTTPS (SSL/TLS) in Nginx
Open the Nginx configuration file for your site (usually under /etc/nginx/vhosts/userName/) and add the following lines:
server {
    #...
    # "ssl on;" is deliberately not used: it would force TLS on the port-80
    # listener as well. The "ssl" parameter on the 443 listener is enough.
    ssl_certificate /etc/letsencrypt/live/devreadwrite.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/devreadwrite.com/privkey.pem;
    ssl_session_timeout 5m;
    # SSLv3 is broken (POODLE) and must not be offered
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers "HIGH:!aNULL:!MD5:!3DES";
    ssl_prefer_server_ciphers on;
    listen server_ip:443 ssl;
    listen server_ip:80;
}
Next, reload or restart nginx:
service nginx reload
or
service nginx restart
Nginx: 301 redirect from http to https
server {
    #...
    # force https-redirects
    if ($scheme = http) {
        return 301 https://$server_name$request_uri;
    }
}
More 301 redirects in Nginx: Nginx, 301 redirect for all occasions.
Configuring HTTPS (SSL/TLS) in Apache
Open the Apache configuration file for your site (usually under /etc/apache2/vhosts/userName/) and add the following lines:
SSLEngine on
SSLCertificateFile /etc/letsencrypt/live/devreadwrite.com/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/devreadwrite.com/privkey.pem
# intermediate certificates, so that browsers can build the chain
SSLCertificateChainFile /etc/letsencrypt/live/devreadwrite.com/chain.pem
The result will look something like this:
<IfModule mod_ssl.c>
    <VirtualHost _default_:443>
        ServerAdmin webmaster@localhost
        DocumentRoot /var/www/html
        #...
        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined
        SSLEngine on
        SSLCertificateFile /etc/letsencrypt/live/devreadwrite.com/cert.pem
        SSLCertificateKeyFile /etc/letsencrypt/live/devreadwrite.com/privkey.pem
        SSLCertificateChainFile /etc/letsencrypt/live/devreadwrite.com/chain.pem
        #...
    </VirtualHost>
</IfModule>
Restart Apache:
service apache2 restart
301 redirect from http to https in Apache
Add the following code to your .htaccess file (mod_rewrite must be enabled):
RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^(.*)$ https://%{HTTP_HOST}/$1 [R=301,L]
More 301 redirects in Apache: 301 redirect for all occasions using .htaccess.
Additionally
To get the green lock in the address bar, which tells the user that the site is served properly over HTTPS, you need to change every resource URL (images, css, js, ...) from http to https. Instead of http or https you can also use two slashes (//). For example:
<link rel="stylesheet" type="text/css" href="http://devreadwrite.com/style.css" />
is replaced by:
<link rel="stylesheet" type="text/css" href="//devreadwrite.com/style.css" />
In this case the file is fetched over the same protocol the page was requested with, here https. Alternatively, specify the protocol explicitly:
<link rel="stylesheet" type="text/css" href="https://devreadwrite.com/style.css" />
The same can be done for links on the site.
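Doing this by hand across a whole site is error-prone, so here is an added example (not from the original post) that finds the static files still referencing http://your-host/ and rewrites those references to the scheme-relative // form described above. It assumes a site root directory and the site's own host name are passed in; devreadwrite.com is only the post's example domain, and references to other hosts are left alone because changing them could break resources that are not available over https.

```shell
#!/bin/sh
# Added example (not from the original post): locate and rewrite absolute
# http:// references to the site's own host in .html, .css and .js files.

# List every .html/.css/.js file under $1 that still references http://$2/
find_http_refs() {
    find "$1" -type f \( -name '*.html' -o -name '*.css' -o -name '*.js' \) \
        -exec grep -l "http://$2/" {} +
}

# Rewrite http://host/ to //host/ in one file, keeping a .bak copy.
# Dots in the host name are escaped so they do not act as regex wildcards.
rewrite_http_refs() {
    f=$1
    esc=$(printf '%s' "$2" | sed 's/\./\\./g')
    sed "s#http://$esc/#//$esc/#g" "$f" > "$f.tmp" \
        && cp "$f" "$f.bak" \
        && mv "$f.tmp" "$f"
}

# Apply the rewrite to every affected file under the site root $1 for host $2
fix_site() {
    root=$1
    host=$2
    find_http_refs "$root" "$host" | while IFS= read -r f; do
        rewrite_http_refs "$f" "$host" && echo "rewritten: $f"
    done
}

# Usage: sh fix-mixed-content.sh /var/www/html devreadwrite.com
if [ $# -eq 2 ]; then
    fix_site "$1" "$2"
fi
```

Run find_http_refs first to see what would change, then fix_site; the .bak copies make it easy to undo a single file if a page breaks.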
How to renew a certificate
The certificate is issued for 3 months, so a few days before the expiration date you need to renew it.
To renew the certificate, you must run the command:
./letsencrypt-auto renew
You can add this command to crontab to renew the SSL certificate automatically.
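Because the standalone method needs nginx stopped, a bare "letsencrypt-auto renew" in crontab will fail while the site is running. The wrapper below is an added example, not the client's own code and not from the original post; it assumes the client was cloned to /home/letsencrypt as above and that nginx is controlled with the service command. It stops nginx, renews, and always starts nginx again, so a failed renewal cannot leave the site down, and it logs the outcome so that a failure is noticed before the 3 months run out.

```shell
#!/bin/sh
# Added example (not from the original post): cron-friendly renewal wrapper
# for the standalone method. Paths below are assumptions, adjust as needed.
LE_DIR="${LE_DIR:-/home/letsencrypt}"
LOG="${LOG:-/var/log/letsencrypt-renew.log}"

# Append a timestamped line to the log file.
log() {
    printf '%s %s\n' "$(date '+%Y-%m-%d %H:%M:%S')" "$*" >> "$LOG"
}

# Stop nginx, run the renewal, start nginx again. Returns the renewal's
# exit status; nginx is started again even when the renewal fails.
renew_cert() {
    service nginx stop || { log "could not stop nginx"; return 1; }

    if "$LE_DIR/letsencrypt-auto" renew >> "$LOG" 2>&1; then
        rc=0
    else
        rc=$?
    fi

    service nginx start || { log "could not start nginx"; return 1; }

    if [ "$rc" -eq 0 ]; then
        log "renewal ok"
    else
        log "renewal failed (exit $rc)"
    fi
    return "$rc"
}

# Usage from crontab (runs nightly at 03:00; the client only renews
# certificates that are actually close to expiry):
#   0 3 * * * sh /home/letsencrypt/renew.sh run
if [ "${1:-}" = "run" ]; then
    renew_cert
fi
```

The "run" argument keeps the script from doing anything when it is merely sourced or syntax-checked, and the log file is what you should check (or alert on) if the lock disappears.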
Pros and cons of this way of creating a certificate
A very big advantage of this method is that the certificate is created without jumping through hoops. There are many other ways, but this is the only one that worked for me straight away.
The downside of this method is that Nginx must be stopped to create the certificate, so websites on nginx are unavailable while the certificate is being created. That is approximately 5-10 seconds (at least on my server).
Result
As a result we get working HTTPS on the website.