How to enable https of your websites with Let's Encrypt CA via nginx

To enable HTTPS on your website, you need a certificate (a file) issued by a Certificate Authority (CA). Let's Encrypt is a free, automated CA, and the best-known free one.
https://letsencrypt.org/getting-started/


First, let's obtain a certificate from Let's Encrypt with certbot:
sudo certbot certonly --standalone -w /home/errong_leng/local/nginx/certs -d errong.win -d www.errong.win -d freevpn.errong.win -d blog.errong.win
Replace the domain names with your own server's domain names.

errong_leng@blogvpn:~/local/nginx/certs$ sudo certbot certonly --standalone -w /home/errong_leng/local/nginx/certs -d errong.win -d www.errong.win -d freevpn.errong.win -d blog.errong.win
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
Obtaining a new certificate
Performing the following challenges:
tls-sni-01 challenge for errong.win
tls-sni-01 challenge for www.errong.win
tls-sni-01 challenge for freevpn.errong.win
tls-sni-01 challenge for blog.errong.win
/usr/lib/python2.7/dist-packages/OpenSSL/rand.py:58: UserWarning: implicit cast from 'char *' to a different pointer type: will be forbidden in the future (check that the types are as you expect; use an explicit ffi.cast() if they are correct)
  result_code = _lib.RAND_bytes(result_buffer, num_bytes)
Waiting for verification...
Cleaning up challenges
Generating key (2048 bits): /etc/letsencrypt/keys/0000_key-certbot.pem
Creating CSR: /etc/letsencrypt/csr/0000_csr-certbot.pem

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at
   /etc/letsencrypt/live/errong.win/fullchain.pem. Your cert will
   expire on 2017-08-16. To obtain a new or tweaked version of this
   certificate in the future, simply run certbot again. To
   non-interactively renew *all* of your certificates, run "certbot
   renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

OK. Now we have our certificates.
errong_leng@blogvpn:~/local/nginx$ sudo ls -all /etc/letsencrypt/live/errong.win
total 12
drwxr-xr-x 2 root root 4096 May 18 03:39 .
drwx------ 3 root root 4096 May 18 03:39 ..
lrwxrwxrwx 1 root root   34 May 18 03:39 cert.pem -> ../../archive/errong.win/cert1.pem
lrwxrwxrwx 1 root root   35 May 18 03:39 chain.pem -> ../../archive/errong.win/chain1.pem
lrwxrwxrwx 1 root root   39 May 18 03:39 fullchain.pem -> ../../archive/errong.win/fullchain1.pem
lrwxrwxrwx 1 root root   37 May 18 03:39 privkey.pem -> ../../archive/errong.win/privkey1.pem
-rw-r--r-- 1 root root  543 May 18 03:39 README


errong_leng@blogvpn:~/local/nginx$ sudo cat /etc/letsencrypt/live/errong.win/README
This directory contains your keys and certificates.

`privkey.pem`  : the private key for your certificate.
`fullchain.pem`: the certificate file used in most server software.
`chain.pem`    : used for OCSP stapling in Nginx >=1.3.7.
`cert.pem`     : will break many server configurations, and should not be used
                 without reading further documentation (see link below).

We recommend not moving these files. For more information, see the Certbot
User Guide at https://certbot.eff.org/docs/using.html#where-are-my-certificates.

Now let's configure nginx with the new certificates:
    server {
        listen       443 ssl;

        # Serve the full chain (leaf + intermediates); cert.pem alone breaks many clients
        ssl_certificate      /etc/letsencrypt/live/errong.win/fullchain.pem;
        ssl_certificate_key  /etc/letsencrypt/live/errong.win/privkey.pem;

        ssl_session_cache    shared:SSL:1m;
        ssl_session_timeout  5m;

        ssl_ciphers  HIGH:!aNULL:!MD5;
        ssl_prefer_server_ciphers  on;

        # The same block also answers plain HTTP on port 80; nothing here
        # redirects those requests to https.
        listen       80;
        # Match any subdomain of errong.win; $1 captures the subdomain (www, blog, ...)
        server_name  ~^(.+)?\.errong\.win$;
        if ($host = errong.win) {
            rewrite ^ http://www.errong.win permanent;
        }

        #charset koi8-r;

        #access_log  logs/host.access.log  main;

        location / {
            # each subdomain is served from its own directory under vhosts/
            root   vhosts/$1;
            index  index.html index.htm;
        }
    }

Remember to reload your nginx server so the new configuration takes effect:
sudo sbin/nginx -s reload
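Before reloading, it is worth checking a server block for the pitfalls the README and the configuration above touch on: ssl_certificate pointing at cert.pem instead of fullchain.pem, a missing key, a plain-HTTP listener kept beside the TLS one, and a redirect that sends clients back to http://. The following is an added example, not part of the original post: a small Python lint that splits an nginx config into directives per server block and reports those problems; the condensed config is constructed from the block above, and the ssl_protocols check is an extra caveat of mine, not something the post discusses.

```python
import re
# Constructed sample input: the server block from this post, condensed.
POST_CONF = r"""
server {
    listen       443 ssl;
    ssl_certificate      /etc/letsencrypt/live/errong.win/fullchain.pem;
    ssl_certificate_key  /etc/letsencrypt/live/errong.win/privkey.pem;
    listen       80;
    server_name  ~^(.+)?\.errong\.win$;
    if ($host = errong.win) {
        rewrite ^ http://www.errong.win permanent;
    }
}
"""

def directives(conf):
    """Yield (server_index, name, args) per directive; index counts 'server {' blocks."""
    text = re.sub(r"#[^\n]*", "", conf)                 # drop comments
    server = -1
    for stmt in re.findall(r"[^;{}]+[;{]", text):       # one statement incl. its ; or {
        parts = stmt[:-1].split()
        if parts[:1] == ["server"] and stmt.endswith("{"):
            server += 1
        if parts:
            yield server, parts[0], parts[1:]

def audit(conf):
    """Return findings about each server block's TLS setup ([] means nothing flagged)."""
    blocks = {}
    for srv, name, args in directives(conf):
        if srv >= 0:                                     # skip http{}-level directives
            blocks.setdefault(srv, []).append((name, args))
    findings = []
    for srv, ds in sorted(blocks.items()):
        tag = "server[%d]: " % srv
        names = [n for n, _ in ds]
        certs = [a[0] for n, a in ds if n == "ssl_certificate" and a]
        ports = [a[0].rsplit(":", 1)[-1] for n, a in ds if n == "listen" and a]
        tls = any(n == "listen" and "ssl" in a for n, a in ds)
        for c in certs:
            if not c.endswith("fullchain.pem"):          # README: cert.pem breaks many clients
                findings.append(tag + "ssl_certificate should be fullchain.pem, got " + c)
        if certs and "ssl_certificate_key" not in names:
            findings.append(tag + "ssl_certificate without ssl_certificate_key")
        if tls and "80" in ports:
            findings.append(tag + "listens on 80 and 443: plain HTTP is served, not redirected")
        if tls and "ssl_protocols" not in names:
            findings.append(tag + "ssl_protocols not set; nginx build default applies")
        for n, a in ds:
            if n in ("rewrite", "return") and any(x.startswith("http://") for x in a):
                findings.append(tag + n + " sends clients to http://, dropping TLS")
    return findings
```

Running audit(POST_CONF) flags three things in the post's block: the port 80 listener, the unset ssl_protocols, and the http:// rewrite; a split into a port-80 block that returns 301 to https:// plus a TLS-only block comes back clean.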

As you can see, all of the websites now show the little green lock in the browser's address bar:
https://www.errong.win https://blog.errong.win https://freevpn.errong.win