Let's Encrypt

Project status: complete

Goal: make this site SSL ready using the Let's Encrypt free SSL service.

Let's Encrypt works a bit differently compared to the traditional certificate authorities (CA) as it issues short-lived certificates that are automatically renewed using an agent on the server. We will follow the official instructions for Ubuntu 16.04 and nginx on the Let's Encrypt web site.

First, let's install Certbot:

$ sudo apt-get install letsencrypt

Obtaining the Certificate

Run:

$ sudo letsencrypt certonly --webroot -w /var/www/html -d nuntz.com

After a few prompts, I get:

IMPORTANT NOTES:
 - If you lose your account credentials, you can recover through
   e-mails sent to REDACTED.
 - Congratulations! Your certificate and chain have been saved at
   /etc/letsencrypt/live/nuntz.com/fullchain.pem. Your cert will
   expire on 2017-02-23. To obtain a new version of the certificate in
   the future, simply run Let's Encrypt again.
 - Your account credentials have been saved in your Let's Encrypt
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Let's
   Encrypt so making regular backups of this folder is ideal.
 - If you like Let's Encrypt, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

Setting Up Auto Renewals

Add the following entry to root's crontab (we will run it daily):

37 5 * * * /usr/bin/letsencrypt renew && service nginx restart

Strengthening the Diffie-Hellman Group

Based on this article; run:

$ sudo openssl dhparam -out /etc/ssl/private/dhparams.pem 2048

Configuring NGINX

The configuration file:

# nuntz.com  server configuration
#
server {
        listen 443 ssl;
        listen [::]:443 ssl;

        server_name nuntz.com;

        ssl_certificate /etc/letsencrypt/live/nuntz.com/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/nuntz.com/privkey.pem;

    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';

    ssl_prefer_server_ciphers on;

    ssl_dhparam /etc/ssl/private/dhparams.pem;

    root /var/www/html;

    index index.html;

    location / {
        # First attempt to serve request as file, then
        # as directory, then fall back to displaying a 404.
        try_files $uri $uri/ =404;
    }

}

server {
    listen 80;
    server_name nuntz.com;
    return 301 https://$host$request_uri;
}