Let's Encrypt: a complete guide to adding HTTPS to your website with Certbot


A complete guide to adding HTTPS to your website with Let's Encrypt (2016)

Some time ago, while using Beijing Unicom's 3G mobile network, I found that my own site was being hijacked by Unicom, which injected obnoxious phone-charge content into it. I decided to force my website to use HTTPS to avoid ISP hijacking.

Some doubts before using HTTPS

It's 2016, and using HTTPS is not as expensive as it was a few years ago. I also did a round of research to clear up my own doubts, mainly:

    1. My site (a simple blog) may not need HTTPS
    2. Will HTTPS make the website slow?
    3. Does HTTPS cost money? Certificates don't seem cheap.
    4. The cost of configuring and maintaining HTTPS is high

To answer these questions, I recommend watching this Google I/O 2016 video (YouTube): Mythbusting HTTPS: Squashing security's urban legends - Google I/O 2016

The video answers all of these questions in detail; I strongly recommend watching it.

I summarize briefly:

    1. Every site should use HTTPS, even a fully static one, because carrier hijacking seriously interferes with the visitor's experience
    2. Several techniques improve the performance of HTTPS, including Strict Transport Security, TLS False Start and HTTP/2, which keep HTTPS from being slow and sometimes make it even faster
    3. HTTPS is free for a single domain name (or a few)
    4. Configuring and maintaining HTTPS is exceptionally simple; the Let's Encrypt project simplifies things through automation

What are the reliable free HTTPS certificate providers?

There are 3 main considerations when choosing a certificate provider: 1. Browser and operating system support level; 2. Certificate type; 3. Maintenance costs.

1. Browser and operating system support level

Basically, any popular certificate provider you can find has a reasonable level of support. For Let's Encrypt, see: Which browsers and operating systems support Let's Encrypt

As you can see, Android 2.3.6 or above, Firefox 2.0 or above, Windows Vista or above, iOS 3.1 or above, and Google Chrome on all platforms are supported. You don't need to worry too much about this, but it does depend on your site's audience. Personally, I don't care at all about IE users on Windows XP.

2. Certificate Type

HTTPS certificates are divided into 3 classes: 1. DV, Domain Validation certificates; 2. OV, Organization Validation certificates; 3. EV, Extended Validation certificates. Each class has audit and verification requirements of a different degree of rigor, and the browser displays each class differently in the address bar.

For general personal use a DV certificate is entirely sufficient; the browser shows a small green lock in the address bar. The free certificates discussed below are all DV certificates.

3. Maintenance costs

I have not researched this much; I used StartSSL before and now use Let's Encrypt. StartSSL's free certificate is valid for 1 year and must be replaced manually after 1 year. The configuration process is quite cumbersome.

I recommend Let's Encrypt more: although the validity period is only 3 months, the certificate can be renewed automatically with Certbot, so this has no practical impact. And thanks to automation tools such as Certbot, configuration and management with Let's Encrypt are very easy.

Generate a Let's Encrypt certificate

A Let's Encrypt certificate does not need to be generated by hand; the officially recommended way is the Certbot automation tool. It takes 3 easy steps:

    1. Download and install Certbot (the Let's Encrypt project's automation tool)
    2. Create a configuration file
    3. Run the automated certificate generation command

The following steps were run on Arch Linux; other operating systems are similar. On the Certbot website you can select your web server and operating system to see the corresponding installation and configuration instructions.

1. Download and install Certbot

On Arch Linux, the installation is simple:

$ sudo pacman -Syu
$ sudo pacman -S letsencrypt

2. Create a configuration file

First create the folder where the configuration files are stored:

$ sudo mkdir /etc/letsencrypt/configs

Edit the configuration file:

$ sudo vim /etc/letsencrypt/configs/example.com.conf

Replace example.com with your own domain name. The content of the configuration file:

# Fill in your domain name and email
domains = example.com
rsa-key-size = 2048
email = [email protected]
text = True

# Change the path below to the directory that example.com is served from
authenticator = webroot
webroot-path = /var/www/example

A word of explanation: the configuration file above uses the webroot authentication method, which suits the case where a web server is already running. Certbot automatically creates a hidden file under /var/www/example/.well-known/acme-challenge and verifies that example.com really belongs to you by requesting this file. The external validation server accesses http://www.example.com/.well-known/acme-challenge, and validation passes if the access succeeds.

We do not need to create this file manually; Certbot does it automatically according to the configuration file.
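A pre-flight check for the webroot method described above, as an added example that is not part of the original article: it writes a probe file where Certbot would place the challenge, checks that the directories can be read by the web server, and optionally fetches the probe over HTTP. The function name, the probe file name and the "readable by other users" heuristic are assumptions of this example.

```shell
#!/bin/sh
# Added example: pre-flight for Certbot's webroot authenticator.
# acme_webroot_preflight WEBROOT [BASE_URL]
# Returns 0 = ok, 1 = directory permissions, 2 = cannot write,
#         3 = HTTP fetch failed, 4 = wrong content served.
acme_webroot_preflight() {
    webroot=$1
    base_url=${2:-}
    dir="$webroot/.well-known/acme-challenge"
    probe="preflight-$$"          # hypothetical probe name, not an ACME token
    rc=0

    mkdir -p "$dir" 2>/dev/null || return 2
    printf '%s\n' "$probe" > "$dir/$probe" 2>/dev/null || return 2
    chmod 644 "$dir/$probe"

    # Heuristic: the web server usually runs as another user, so each
    # directory on the path needs r-x for "other" (chars 8-10 of ls -ld).
    for d in "$webroot" "$webroot/.well-known" "$dir"; do
        case $(ls -ld "$d") in
            d??????r?x*) ;;
            *) echo "not readable by other users: $d" >&2; rc=1 ;;
        esac
    done

    # Optional end-to-end check: fetch the probe the way the CA would.
    if [ "$rc" -eq 0 ] && [ -n "$base_url" ]; then
        url="$base_url/.well-known/acme-challenge/$probe"
        if body=$(curl -fsS --max-time 10 "$url"); then
            [ "$body" = "$probe" ] || rc=4
        else
            rc=3
        fi
    fi

    rm -f "$dir/$probe"
    return "$rc"
}

# Constructed demo: a temporary directory stands in for /var/www/example.
demo_root=$(mktemp -d)
chmod 755 "$demo_root"
(umask 022; acme_webroot_preflight "$demo_root") && echo "webroot ready"
rm -rf "$demo_root"
```

On the real server, pass the site's base URL as the second argument (for example `acme_webroot_preflight /var/www/example http://example.com`) to exercise the HTTP fetch as well.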

3. Run the automated certificate generation command

Everything is ready, so we can now run Certbot. (Note: Certbot is actually a Python script, and the command name differs between platforms; for example, the Certbot command on Arch Linux is letsencrypt.)

$ sudo letsencrypt -c /etc/letsencrypt/configs/example.com.conf certonly

## After a moment, seeing the following output means success
IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at /etc/letsencrypt/live/example.com/fullchain.pem.

If it ran smoothly, all the certificates the server needs have now been generated. They are placed under /etc/letsencrypt/live/example.com/:

$ ls /etc/letsencrypt/live/example.com/
cert.pem       # server cert only
privkey.pem    # private key
chain.pem      # intermediates
fullchain.pem  # server cert + intermediates

Configuring Nginx to use the certificate

We are more than halfway there; all that remains is to configure Nginx to use the certificate just generated. There is a best practice to refer to for this configuration: the Mozilla SSL Configuration Generator, an automatic HTTPS configuration generator made by Mozilla that supports Apache, Nginx and other servers. Select the Intermediate compatibility profile. The configuration files it generates reflect industry best practice and enable a range of Nginx parameters that improve security and performance.

The default configuration file looks like this:

server {
    listen 80 default_server;
    listen [::]:80 default_server;

    # Redirect all HTTP requests to HTTPS with a 301 Moved Permanently response.
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;

    # certs sent to the client in SERVER HELLO are concatenated in ssl_certificate
    ssl_certificate /path/to/signed_cert_plus_intermediates;
    ssl_certificate_key /path/to/private_key;
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:50m;
    ssl_session_tickets off;

    # Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
    ssl_dhparam /path/to/dhparam.pem;

    # intermediate configuration. tweak to your needs.
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
    ssl_prefer_server_ciphers on;

    # HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
    add_header Strict-Transport-Security max-age=15768000;

    # OCSP Stapling ---
    # fetch OCSP records from URL in ssl_certificate and cache them
    ssl_stapling on;
    ssl_stapling_verify on;

    ## verify chain of trust of OCSP response using Root CA and Intermediate certs
    ssl_trusted_certificate /path/to/root_CA_cert_plus_intermediates;

    resolver <IP DNS resolver>;

    ....
}

Adapt this and add it to your own server configuration; only 6 lines need attention:

server {
    listen 443 ssl http2;
    ....
    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
    ssl_dhparam /etc/nginx/ssl/dhparam.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/example.com/root_ca_cert_plus_intermediates;
    resolver <IP DNS resolver>;
    ....
}

Some of the files referenced in these 6 lines do not exist yet; each line is explained below.

The first line, listen 443 ssl http2;, enables HTTP/2 support through Nginx's ngx_http_v2_module. The Nginx version needs to be higher than 1.9.5, and Nginx must be compiled with --with-http_v2_module. The Nginx package on Arch Linux is already compiled with this module, so it can be used directly. If the Nginx in your Linux distribution does not include this module, you can compile it in yourself.

ssl_certificate and ssl_certificate_key point to fullchain.pem and privkey.pem respectively; these 2 files are the certificate and key generated earlier.

ssl_dhparam is generated with the following commands:

$ sudo mkdir /etc/nginx/ssl
$ sudo openssl dhparam -out /etc/nginx/ssl/dhparam.pem 2048

(Optional) ssl_trusted_certificate requires downloading the Let's Encrypt root certificate, but according to the official Nginx documentation, if ssl_certificate already includes the intermediates, it is no longer necessary to provide ssl_trusted_certificate. This step can be omitted:

$ cd /etc/letsencrypt/live/example.com
$ sudo wget https://letsencrypt.org/certs/isrgrootx1.pem
$ sudo mv isrgrootx1.pem root.pem
$ cat root.pem chain.pem | sudo tee root_ca_cert_plus_intermediates > /dev/null

The role of resolver is to "resolve names of upstream servers into addresses". In this configuration, resolver is used to resolve the domain name of the OCSP server. It is recommended to fill in your VPS provider's DNS servers; for example, mine is Linode, so I filled in Linode's DNS servers:

resolver 106.187.90.5 106.187.93.5;

Once the Nginx configuration is complete, restart Nginx, then use a browser to test that everything is OK.

$ sudo systemctl restart nginx

At this point your site should be forced to use HTTPS by default, and there will be a small green lock on the left side of the browser address bar.
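The default configuration reproduced above is the generator's 2016 intermediate profile; TLS 1.0 and 1.1 have since been formally deprecated (RFC 8996) and 3DES suites are no longer recommended. The following added example, which is not part of the original article or of the Mozilla generator, flags those settings in an Nginx file; the function name and the assumption that each directive sits on one line are this example's own.

```shell
#!/bin/sh
# Added example: flag TLS settings from the 2016 profile that are now
# considered deprecated. Assumes each directive sits on a single line.
# audit_nginx_tls FILE -> one finding per line on stdout (empty = clean)
audit_nginx_tls() {
    awk '
        { sub(/#.*/, "") }                       # drop comments
        $1 == "ssl_protocols" {
            seen_proto = 1
            for (i = 2; i <= NF; i++) {
                p = $i; sub(/;$/, "", p)
                if (p ~ /^(SSLv2|SSLv3|TLSv1|TLSv1\.1)$/)
                    print "deprecated protocol: " p
            }
        }
        $1 == "ssl_ciphers" {
            c = toupper($0)
            if (c ~ /DES-CBC3/) print "weak cipher family: 3DES (DES-CBC3)"
            if (c ~ /RC4/)      print "weak cipher family: RC4"
        }
        $1 == "add_header" && tolower($2) == "strict-transport-security" {
            hsts = 1
        }
        END {
            if (!seen_proto) print "ssl_protocols not set explicitly"
            if (!hsts)       print "no Strict-Transport-Security header"
        }
    ' "$1"
}

# Constructed sample: the relevant lines of the configuration shown above,
# with the cipher list shortened.
sample=$(mktemp)
cat > "$sample" <<'EOF'
server {
    listen 443 ssl http2;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-DES-CBC3-SHA:DES-CBC3-SHA:!DSS';
    add_header Strict-Transport-Security max-age=15768000;
}
EOF
audit_nginx_tls "$sample"
rm -f "$sample"
```

Run it against your own server block after editing; an empty result means none of the flagged settings are present.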

Automate periodic updates of certificates

A Let's Encrypt certificate is valid for 3 months, and we can renew it automatically with Certbot.

On Arch Linux, we run the certificate renewal task through systemd.

$ sudo vim /etc/systemd/system/letsencrypt.service
[Unit]
Description=Let's Encrypt renewal

[Service]
Type=oneshot
ExecStart=/usr/bin/letsencrypt renew
ExecStartPost=/bin/systemctl reload nginx.service

Then add a systemd timer to trigger this service:

$ sudo vim /etc/systemd/system/letsencrypt.timer
[Unit]
Description=Monthly renewal of Let's Encrypt's certificates

[Timer]
OnCalendar=daily
Persistent=true

[Install]
WantedBy=timers.target

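Enable the timer so that it starts at boot, and start it now (the service unit has no [Install] section, so the timer is the unit to enable):

$ sudo systemctl enable letsencrypt.timer
$ sudo systemctl start letsencrypt.timer

On other Linux distributions, you can use crontab to set up the scheduled task yourself; search Google for details.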
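Automatic renewal can stop working without any visible error, so it is worth checking the live certificate itself. This added example, which is not from the original article, uses openssl to report whether fullchain.pem expires within a given number of days and whether it matches privkey.pem; the function names and the self-signed demo certificate are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: verify what the renewal timer is supposed to guarantee.
# check_live_cert DIR [DAYS] prints one of:
#   ok | expiring | key-mismatch | unreadable
check_live_cert() {
    dir=$1
    days=${2:-30}
    cert="$dir/fullchain.pem"
    key="$dir/privkey.pem"
    [ -r "$cert" ] && [ -r "$key" ] || { echo unreadable; return 0; }

    # The public key inside the certificate must be the one derived
    # from the private key that Nginx loads.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
    if [ -z "$cert_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
        echo key-mismatch
        return 0
    fi

    # -checkend N exits non-zero if the certificate expires within N seconds.
    if openssl x509 -in "$cert" -noout -checkend $((days * 86400)) >/dev/null; then
        echo ok
    else
        echo expiring
    fi
}

# Constructed stand-in for /etc/letsencrypt/live/example.com/: a self-signed
# certificate valid for the given number of days.
# make_demo_cert DIR DAYS
make_demo_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days "$2" \
        -subj "/CN=example.com" \
        -keyout "$1/privkey.pem" -out "$1/fullchain.pem" 2>/dev/null
}

demo=$(mktemp -d)
make_demo_cert "$demo" 90 && check_live_cert "$demo" 30
rm -rf "$demo"
```

Against the real directory, run `check_live_cert /etc/letsencrypt/live/example.com 30` as root, since the private key is not readable by ordinary users.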

Test your server SSL security with a professional online tool

Qualys SSL Labs provides a comprehensive SSL security test: enter your website's domain name and it gives your HTTPS configuration a score.

If you have followed the best practices in this tutorial, you should score an A+, as I did.

This means your HTTPS setup is now secure enough and uses the latest technology to ensure performance.

Give yourself a round of applause.
