Skip to:

Let's Encrypt!

I've finally completed my goal of securing https://marcinkowski.ca and https://analytics.marcinkowski.ca using Let's Encrypt. The process is easier than setting up the pretty URL rules for Drupal in nginx.

I followed Digital Ocean's setup instructions found here:
https://www.digitalocean.com/community/tutorials/how-to-secure-nginx-wit...

Setting up certificate renewals

See my next article about setting up automatic certificate renewals:

Let's Encrypt Renewal

TLDR:

Prerequisites:
* Your user needs to have write access to your webroot
* I have installed certbot-auto in to /opt/certbot

  1. Get certbot from the EFF (https://certbot.eff.org/)
  2. Configure nginx to allow access to http(s)://domain.com/.well-known/*:

    /etc/nginx/letsencrypt-authorization.conf:
        location ~ /.well-known {
            allow all;
        }
    
    /etc/nginx/enabled/domain.ca:
        include letsencrypt-authorization.conf
    
  3. Create a cert using certbot-auto script:


    /opt/certbot/certbot-auto certonly -a webroot --webroot-path=PATH/TO/WEBROOT -d domain.ca
  4. Add my new letsencrypt certificate and private key to the config file for this domain:


    ssl_certificate /etc/letsencrypt/live/domain.ca/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/domain.ca/privkey.pem;
  5. Followed the rest of the Digital Ocean article:
    a. Generate a Strong Diffie-Hellman Group:


    sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048

    b. Add additional SSL params to use modern practises, including HSTS (Thanks Digital Ocean)


    /etc/nginx/ssl-params.conf: ssl_protocols TLSv1 TLSv1.1 TLSv1.2; ssl_prefer_server_ciphers on; ssl_dhparam /etc/ssl/certs/dhparam.pem; ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA'; ssl_session_timeout 1d; ssl_session_cache shared:SSL:50m; ssl_stapling on; ssl_stapling_verify on; add_header Strict-Transport-Security max-age=15768000;

    c. Redirect HTTP to HTTPS