Auto Generate Authority Signed Free SSL Certificates | HTTPS | Nginx

Well, there are a number of SSL certificate authorities, but all of them charge yearly fees for the certificates they issue. I feel bad about that because they act like middlemen who do nothing but sign your certificates. If you don't want to pay them, you can get signed certificates from letsencrypt.org.

Procedure

For Ubuntu 16.04

You will need to install the client software, which will prompt you for your site's details and generate the certificates.

$ sudo apt-get install letsencrypt

Then run the following command (the webroot directory is where the client will place the HTTP validation files; each -d adds a hostname to the certificate):

$ letsencrypt certonly --webroot -w /[path/to/rails/public/dir] -d example.com -d www.example.com

It will ask for your email address so that you can recover your account if you lose the credentials. It then generates the signed certificate and chain files in `/etc/letsencrypt/live/example.com/`:

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at
   /etc/letsencrypt/live/example.com/fullchain.pem. Your cert will
   expire on 2017-06-14. To obtain a new version of the certificate in
   the future, simply run Let's Encrypt again.
 - If you like Let's Encrypt, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
   Donating to EFF: https://eff.org/donate-le

The generated files look like this:

$ sudo ls /etc/letsencrypt/live/example.com/
cert.pem chain.pem fullchain.pem privkey.pem

Redirecting HTTP requests to HTTPS

If your site has moved from HTTP to HTTPS, you will probably want to redirect your users to the secure version of your site. For that you need two separate server blocks in nginx's configuration, like this:

# Note: this conf file is for a Rails application with the Puma server
upstream app {
  # Path to the Puma SOCK file, as defined previously
  server unix:///var/www/example.com/production/shared/tmp/sockets/puma.sock fail_timeout=0;
}

# Plain HTTP: answer every request with a permanent redirect to HTTPS
server {
  listen 80 default_server;
  listen [::]:80 default_server ipv6only=on;
  server_name example.com www.example.com;
  return 301 https://$host$request_uri;
}

# HTTPS: serve the Let's Encrypt certificate (fullchain.pem, not cert.pem)
server {
  listen 443 ssl;
  server_name example.com www.example.com;
  root /var/www/example.com/production/current/public;
  try_files $uri/index.html $uri @app;
  ssl_certificate     /etc/letsencrypt/live/example.com/fullchain.pem;
  ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

  location @app {
    proxy_pass http://app;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header Host $http_host;
    proxy_redirect off;
  }

  error_page 500 502 503 504 /500.html;
  client_max_body_size 4G;
  keepalive_timeout 10;
}

Renewing the certificate every 90 days

The certificates are only valid for 90 days, so it is recommended to create a cron job that invokes the renewal command regularly, well before expiry (the entry below runs it once a week; the client only renews certificates that are close to expiring).

# Open the crontab in nano or any other text editor of your choice
$ sudo crontab -e

# add the following line to the crontab: every Monday at 02:30 run the renewal
# and append its output to a log file. Use the path of the client you actually
# installed; the apt package above provides the `letsencrypt` command rather
# than certbot-auto.
30 2 * * 1 /usr/local/sbin/certbot-auto renew >> /var/log/le-renew.log
# and save it


FAQ

Android and Mac browsers refuse the HTTPS connection (certificate not trusted)

-> In that case make sure ssl_certificate points to fullchain.pem instead of cert.pem. cert.pem contains only your own certificate, while fullchain.pem also includes the Let's Encrypt intermediate certificate; browsers that do not fetch missing intermediates themselves cannot build a trust chain without it.
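To verify both points above from the outside, here is an added check script (my own example, not part of the original post or of the Let's Encrypt client): it connects to a host with Python's standard `ssl` module, reports how many days are left before the certificate expires, and maps the verification error that an incomplete chain (cert.pem served instead of fullchain.pem) produces to a readable cause. The host name on the command line and the 30-day warning threshold are assumptions.

```python
"""Check a live HTTPS endpoint for expiry and for an incomplete chain."""
import socket
import ssl
import sys
import time

RENEW_WARN_DAYS = 30  # assumed threshold: certs last 90 days, renew well before


def classify_verify_error(message):
    """Map an OpenSSL verification error message to a likely cause."""
    m = message.lower()
    if "unable to get local issuer certificate" in m:
        # The server sent only the leaf certificate: cert.pem, not fullchain.pem
        return "incomplete_chain"
    if "certificate has expired" in m:
        return "expired"
    if "hostname mismatch" in m or "doesn't match" in m:
        return "hostname_mismatch"
    return "other"


def days_until_expiry(not_after, now_ts=None):
    """Whole days left; not_after is getpeercert()['notAfter'] (OpenSSL format)."""
    expires_ts = ssl.cert_time_to_seconds(not_after)
    now_ts = time.time() if now_ts is None else now_ts
    return int((expires_ts - now_ts) // 86400)


def check_host(host, port=443, timeout=5):
    """Return (status, detail); status is 'ok', 'renew_soon' or a failure kind."""
    ctx = ssl.create_default_context()  # system trust store, hostname check on
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                cert = tls.getpeercert()  # parsed only after verification passed
    except ssl.SSLCertVerificationError as exc:
        return classify_verify_error(str(exc)), str(exc)
    days = days_until_expiry(cert["notAfter"])
    status = "renew_soon" if days < RENEW_WARN_DAYS else "ok"
    return status, "%d days until expiry" % days


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "example.com"
    print(check_host(target))
```

Run it as `python3 check_tls.py www.example.com`; an `incomplete_chain` result is exactly the symptom the FAQ entry describes, and `renew_soon` means the cron job above has not renewed in time.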

Sources:

https://www.digitalocean.com/community/tutorials/how-to-secure-apache-with-let-s-encrypt-on-ubuntu-14-04

https://certbot.eff.org/#ubuntuxenial-nginx
