Installing client Let's Encrypt on the server

Connect to the server via SSH. And go, for example, in the home directory:

cd /home/

In it we will install the client Let’s Encrypt. For this we need git. If in you server already installed git, simply run the following commands:

git clone https://github.com/letsencrypt/letsencrypt
cd letsencrypt

If you do not have git, then either install it with the following command:

apt-get install git

Or just unpack the .zip archive from the repository GitHub:

wget https://github.com/letsencrypt/letsencrypt/archive/master.zip
unzip master.zip
mv letsencrypt-master letsencrypt
cd letsencrypt

Check how to install:

./letsencrypt-auto --help

In response, you will see the following:

Let's Encrypt ready to use.

Create an SSL certificate for HTTPS to site

Go to the creation of the certificate Let's Encrypt. To do this you must first stop nginx:

service nginx stop

and run the command of creating the SSL certificate:

./letsencrypt-auto certonly --standalone -d devreadwrite.com -d www.devreadwrite.com

Upon successful creation of the certificate for the HTTPS protocol, you will see about the following

Do not forget to change the domain name devreadwrite.com on its.

In the process of creating a certificate, you will be prompted to enter e-mail, for important messages and to restore the key if necessary. Next, you will have to agree to the license agreement. An SSL certificates and the whole chain is stored to the following path: /etc/letsencrypt/live/devreadwrite.com/

Files of SSL certificate

In the folder /etc/letsencrypt/live/devreadwrite.com/ will be the following files:

privkey.pem - private key for certificate. In the Apache is used for directive SSLCertificateKeyFile. In Nginx is used for directive ssl_certificate_key.

cert.pem - server certificate. It requires Apache SSLCertificateFile directive.

chain.pem - a bunch of certificates, which are served by the browser, except cert.pem. Used in Apache SSLCertificateChainFile.

fullchain.pem - whole bunch of certificates (association chain.pem and cert.pem). Used in Nginx for ssl_certificate.

The certificate ready to use. Do not forget to run Nginx:

service nginx start

Now we can connect HTTPS protocol to the site.

Configuring HTTPS (SSL/TLS) in Nginx

Open the Nginx configuration file for your site (usually this: /etc/nginx/vhosts/userName/). And add the following lines:

server {
    #...
    ssl on;
    ssl_certificate /etc/letsencrypt/live/devreadwrite.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/devreadwrite.com/privkey.pem;
    ssl_session_timeout 5m;
    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers "HIGH:!aNULL:!MD5 or HIGH:!aNULL:!MD5:!3DES";
    ssl_prefer_server_ciphers on;
    listen server_ip:443 ssl;
    listen server_ip:80;
}

Next, you need to restart nginx:

nginx service reload

or

nginx service restart

Nginx, 301 redirect from protocol http to https

server {
#...
# force https-redirects if ($scheme = http) { return 301 https://$server_name$request_uri; } }

More 301 redirects in Nginx: Nginx, 301 redirect for all occasions.

Configuring HTTPS (SSL/TLS) in Apache

Open the Apache configuration file for your site (usually this: /etc/apache2/vhosts/userName/). And add the following lines:

SSLEngine on
SSLCertificateFile /etc/letsencrypt/live/devreadwrite.com/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/devreadwrite.com/privkey.pem

That will have something like:

<IfModule mod_ssl.c>
    <VirtualHost _default_:443>
        ServerAdmin #... webmaster@localhost
        DocumentRoot #... /var/www/html
        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined
        SSLEngine on
    SSLCertificateFile /etc/letsencrypt/live/devreadwrite.com/cert.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/devreadwrite.com/privkey.pem
        #...
    </VirtualHost>
</IfModule>

Restarting Apache:

service apache2 restart

301 redirect from protocol http to https in Apache

Add the following code to your .htaccess file:

RewriteCond %{HTTPS} !=on
RewriteRule ^(.*)$ https://%{HTTP_HOST}/$1 [R=301,L]

More 301 redirects in Apache: 301 redirect for all occasions using .htaccess.

Additionally

In order to get the green lock in the address bar, which will indicate to the user that the site is working properly using HTTPS, you need change all the way files (images, css, js, ...) to change from http to https. It is also possible instead of http or https put two slashes (//). For example:

<link rel="stylesheet" type="text/css" href="http://devreadwrite.com/style.css" />

replaced by:

<link rel="stylesheet" type="text/css" href="//devreadwrite.com/style.css" />

In this case, the file will be obtained in the same protocol in which a site has requested. In this case the https protocol. Or, specify the protocol explicitly.

<link rel="stylesheet" type="text/css" href="https://devreadwrite.com/style.css" />

The same principle you can be done links on the site.

How to renew a certificate

The certificate is issued for 3 months, so a few days before the expiration date you need renew it.

To renew the certificate, you must run the command:

./letsencrypt-auto renew

This command you can add to crontab for automatic renew of SSL certificate.

Pros and cons of this method of creating a certificate

A very big advantage of this method - is the creation of a certificate without dancing with a tambourine. There are many other ways, but this is the only method that is earned at once.

Minus of this method of creating a certificate is that to create a certificate, you must stop Nginx. Therefore websites on nginx in during the creation of the certificate will not work. Is approximately 5-10 seconds (at least on my server).

Result

As a result, we get a working https protocol on your website.