How to Secure Nginx with Let's Encrypt on Debian 10

Let’s Encrypt is a free, automated, and open certificate authority developed by the Internet Security Research Group (ISRG) that issues free SSL certificates.

Certificates issued by Let’s Encrypt are trusted by all major browsers and valid for 90 days from the issue date.

This tutorial shows how to install a free Let’s Encrypt SSL certificate on Debian 10, Buster, running Nginx as a web server. We’ll also show how to configure Nginx to use the SSL certificate and enable HTTP/2.

Prerequisites #

Ensure the following prerequisites are met before proceeding with the guide:

  • Logged in as root or as a user with sudo privileges.
  • The domain for which you want to obtain the SSL certificate must point to your public server IP. We’ll use example.com.
  • Nginx installed.

Installing Certbot #

We’ll use the certbot tool to obtain and renew the certificates.

Certbot is a fully-featured and easy-to-use tool that automates the tasks of obtaining and renewing Let’s Encrypt SSL certificates and configuring web servers to use the certificates.

The certbot package is included in the default Debian repositories. Run the following commands to install certbot:

sudo apt update
sudo apt install certbot

Generating a DH (Diffie-Hellman) Group #

Diffie–Hellman key exchange (DH) is a method of securely exchanging cryptographic keys over an unsecured communication channel.

We’re going to generate a new set of 2048-bit DH parameters to strengthen the security:

sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048

You can also increase the size up to 4096 bits, but the generation may take more than 30 minutes depending on the system entropy.

Obtaining a Let’s Encrypt SSL certificate #

To obtain an SSL certificate for the domain, we’re going to use the Webroot plugin. It works by creating a temporary file for validating the requested domain in the ${webroot-path}/.well-known/acme-challenge directory. The Let’s Encrypt server makes HTTP requests to the temporary file to validate that the requested domain resolves to the server where certbot runs.

We’re going to map all HTTP requests for .well-known/acme-challenge to a single directory, /var/lib/letsencrypt.

Run the following commands to create the directory and make it writable for the Nginx server:

sudo mkdir -p /var/lib/letsencrypt/.well-known
sudo chgrp www-data /var/lib/letsencrypt
sudo chmod g+s /var/lib/letsencrypt

To avoid duplicating code, we’ll create two snippets that will be included in all Nginx server block files.

Open your text editor and create the first snippet, letsencrypt.conf:

sudo nano /etc/nginx/snippets/letsencrypt.conf
/etc/nginx/snippets/letsencrypt.conf
location ^~ /.well-known/acme-challenge/ {
  allow all;
  root /var/lib/letsencrypt/;
  default_type "text/plain";
  try_files $uri =404;
}

The second snippet, ssl.conf, includes the ciphers recommended by Mozilla, enables OCSP Stapling and HTTP Strict Transport Security (HSTS), and enforces a few security-focused HTTP headers.

sudo nano /etc/nginx/snippets/ssl.conf
/etc/nginx/snippets/ssl.conf
ssl_dhparam /etc/ssl/certs/dhparam.pem;

ssl_session_timeout 1d;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off;

ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
ssl_prefer_server_ciphers off;

ssl_stapling on;
ssl_stapling_verify on;
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 30s;

add_header Strict-Transport-Security "max-age=63072000" always;
add_header X-Frame-Options SAMEORIGIN;
add_header X-Content-Type-Options nosniff;
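
The snippet above is only as strong as the copy that actually ends up on the server, and nginx -t checks syntax, not policy. The following POSIX shell script is an added example, not part of the original tutorial: it greps a snippet file for the settings ssl.conf sets and reports each one that is missing or weakened (legacy protocols, session tickets left on, stapling off, HSTS without always, missing nosniff), returning the number of findings as its exit status. The two snippets it audits are constructed inline in temporary files; in practice you would point it at /etc/nginx/snippets/ssl.conf.

```shell
#!/bin/sh
# Audit an Nginx TLS snippet for settings that weaken the hardening in ssl.conf.
# Added example, not part of the original tutorial. Assumes POSIX sh, grep and
# mktemp; the two sample snippets below are constructed for the demonstration.

# Print one FINDING line per weak or missing directive. The exit status is the
# number of findings, so 0 means the file passes every check.
audit_ssl_conf() {
  conf="$1"
  findings=0

  # 1. Protocols must be set explicitly and exclude SSLv3, TLS 1.0 and TLS 1.1.
  protocols=$(grep -E '^[[:space:]]*ssl_protocols' "$conf")
  if [ -z "$protocols" ]; then
    echo "FINDING: ssl_protocols not set (build default applies)"
    findings=$((findings + 1))
  elif echo "$protocols" | grep -Eq 'SSLv3|TLSv1([[:space:]]|;)|TLSv1\.1'; then
    echo "FINDING: legacy protocol listed in ssl_protocols"
    findings=$((findings + 1))
  fi

  # 2. Session tickets: ssl.conf turns them off because a long-lived ticket key
  #    would let a later key compromise decrypt recorded sessions.
  if ! grep -Eq '^[[:space:]]*ssl_session_tickets[[:space:]]+off' "$conf"; then
    echo "FINDING: ssl_session_tickets is not off"
    findings=$((findings + 1))
  fi

  # 3. OCSP stapling lets the server deliver revocation status itself.
  if ! grep -Eq '^[[:space:]]*ssl_stapling[[:space:]]+on' "$conf"; then
    echo "FINDING: ssl_stapling is not on"
    findings=$((findings + 1))
  fi

  # 4. HSTS must be sent with 'always' so error responses carry it too.
  if ! grep -Eq '^[[:space:]]*add_header[[:space:]]+Strict-Transport-Security.*always' "$conf"; then
    echo "FINDING: Strict-Transport-Security missing or not marked always"
    findings=$((findings + 1))
  fi

  # 5. nosniff stops browsers from MIME-sniffing responses into scripts.
  if ! grep -Eq '^[[:space:]]*add_header[[:space:]]+X-Content-Type-Options[[:space:]]+nosniff' "$conf"; then
    echo "FINDING: X-Content-Type-Options nosniff missing"
    findings=$((findings + 1))
  fi

  return "$findings"
}

# Constructed sample 1: a snippet with legacy settings still present.
WEAK_CONF=$(mktemp)
HARDENED_CONF=$(mktemp)
trap 'rm -f "$WEAK_CONF" "$HARDENED_CONF"' EXIT
cat > "$WEAK_CONF" <<'EOF'
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_session_tickets on;
ssl_stapling off;
add_header Strict-Transport-Security "max-age=63072000";
EOF

# Constructed sample 2: the relevant lines of the ssl.conf snippet above.
cat > "$HARDENED_CONF" <<'EOF'
ssl_protocols TLSv1.2 TLSv1.3;
ssl_session_tickets off;
ssl_stapling on;
ssl_stapling_verify on;
add_header Strict-Transport-Security "max-age=63072000" always;
add_header X-Frame-Options SAMEORIGIN;
add_header X-Content-Type-Options nosniff;
EOF

echo "== hardened snippet =="
audit_ssl_conf "$HARDENED_CONF" && echo "no findings"
echo "== weak snippet =="
audit_ssl_conf "$WEAK_CONF" || echo "$? finding(s)"
```

The checks are line-oriented on purpose: a directive that nginx would accept but that a later include overrides is still reported, which is the usual way a hardened snippet silently stops applying. Run it from a deploy hook or a periodic job and treat a non-zero exit as a configuration regression.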

Once done, open the domain server block file and include the letsencrypt.conf snippet as shown below:

sudo nano /etc/nginx/sites-available/example.com.conf

/etc/nginx/sites-available/example.com.conf

server {
  listen 80;
  server_name example.com www.example.com;

  include snippets/letsencrypt.conf;
}

Create a symbolic link to the sites-enabled directory to enable the domain server block:

sudo ln -s /etc/nginx/sites-available/example.com.conf /etc/nginx/sites-enabled/

Restart the Nginx service for the changes to take effect:

sudo systemctl restart nginx

You’re now ready to obtain the SSL certificate files by running the following command:

sudo certbot certonly --agree-tos --email admin@example.com --webroot -w /var/lib/letsencrypt/ -d example.com -d www.example.com

If the SSL certificate is successfully obtained, the following message will be printed on your terminal:

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/example.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/example.com/privkey.pem
   Your cert will expire on 2020-02-22. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

Edit the domain server block and include the SSL certificate files as follows:

sudo nano /etc/nginx/sites-available/example.com.conf
/etc/nginx/sites-available/example.com.conf
server {
    listen 80;
    server_name www.example.com example.com;

    include snippets/letsencrypt.conf;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl http2;
    server_name www.example.com;

    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/example.com/chain.pem;
    include snippets/ssl.conf;
    include snippets/letsencrypt.conf;

    return 301 https://example.com$request_uri;
}

server {
    listen 443 ssl http2;
    server_name example.com;

    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/example.com/chain.pem;
    include snippets/ssl.conf;
    include snippets/letsencrypt.conf;

    # . . . other code
}

The configuration above tells Nginx to redirect from HTTP to HTTPS and from the www to the non-www version of the domain.

Restart or reload the Nginx service for the changes to take effect:

sudo systemctl restart nginx

Open your website using https://, and you’ll notice a green lock icon.

If you test your domain using the SSL Labs Server Test, you’ll get an A+ grade, as shown in the image below:

[Image: SSL Labs Server Test result]

Auto-renewing Let’s Encrypt SSL certificates #

Let’s Encrypt’s certificates are valid for 90 days. To automatically renew the certificates before they expire, the certbot package creates a cronjob that runs twice a day and automatically renews any certificate 30 days before its expiration.

On renewal, the nginx service must be reloaded for the server to load the new certificate. Append --renew-hook "systemctl reload nginx" to the /etc/cron.d/certbot file so that it looks like this:

sudo nano /etc/cron.d/certbot
/etc/cron.d/certbot
0 */12 * * * root test -x /usr/bin/certbot -a ! -d /run/systemd/system && perl -e 'sleep int(rand(3600))' && certbot -q renew --renew-hook "systemctl reload nginx"

Test the automatic renewal process by running this command:

sudo certbot renew --dry-run

If there are no errors, it means that the renewal process was successful.
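
The cron job above renews 30 days before expiry, but a renewal that fails quietly, or a reload hook that never fires, leaves the old certificate in service until it expires. The following shell script is an added example, not part of the original tutorial: it applies the same 30-day window to a certificate file with openssl x509 -checkend, so it can run as an independent monitoring check against the files under /etc/letsencrypt/live. It assumes the openssl command-line tool is installed, and stands in a constructed self-signed certificate valid for only 10 days for the real fullchain.pem.

```shell
#!/bin/sh
# Check a certificate file against certbot's 30-day renewal window.
# Added example, not part of the original tutorial. Assumes the openssl
# command-line tool is installed; the sample certificate below is constructed.

# Exit 0 if the certificate in $1 expires within $2 days (or cannot be read),
# 1 if it is still valid beyond that window. openssl's -checkend exits 0 when
# the certificate will still be valid after the given number of seconds.
cert_expires_within_days() {
  cert="$1"
  days="$2"
  if openssl x509 -in "$cert" -noout -checkend $((days * 86400)) >/dev/null 2>&1; then
    return 1
  fi
  return 0
}

# Print the notAfter date in the same form certbot shows in its success message.
cert_not_after() {
  openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//'
}

# Report a deployed certificate: OK when more than 30 days remain, otherwise
# a warning that the renewal cron job should already have replaced it.
report_cert() {
  subject=$(openssl x509 -in "$1" -noout -subject)
  if cert_expires_within_days "$1" 30; then
    echo "WARNING: $subject expires $(cert_not_after "$1"); inside renewal window"
    return 1
  fi
  echo "OK: $subject expires $(cert_not_after "$1")"
  return 0
}

# Constructed sample: a self-signed certificate valid for only 10 days, standing
# in for /etc/letsencrypt/live/example.com/fullchain.pem.
CERT_DIR=$(mktemp -d)
trap 'rm -rf "$CERT_DIR"' EXIT
SAMPLE_CERT="$CERT_DIR/fullchain.pem"
openssl req -x509 -newkey rsa:2048 -nodes -days 10 -subj '/CN=example.com' \
  -keyout "$CERT_DIR/privkey.pem" -out "$SAMPLE_CERT" >/dev/null 2>&1

report_cert "$SAMPLE_CERT" || echo "renewal needed"
```

Pointing report_cert at the live fullchain.pem checks what certbot wrote to disk; to check what Nginx is actually serving after the reload hook, feed it the output of openssl s_client -connect example.com:443 instead, since a forgotten reload is exactly the case the two readings disagree on.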

Conclusion #

Having an SSL certificate is a must nowadays. It secures your website, improves your search ranking position, and allows you to enable HTTP/2 on your web server.

In this tutorial, we have shown you how to generate and renew SSL certificates using the certbot script. We’ve also shown you how to configure Nginx to use the certificate.

To learn more about Certbot, visit the Certbot documentation.
