
Let’s Encrypt is a free, automated, and open certificate authority (CA) managed by the Internet Security Research Group (ISRG). It provides certificates to secure your websites at no cost.
In this tutorial, you’ll learn how to use Let’s Encrypt certificates to enhance the security of your site. This guide is based on the "Ubuntu 16.04" template with the LEMP stack installed.
We’ll be configuring a domain named mydomain.com, with HTML served from /var/www/html and challenges from /var/www/letsencrypt.
Before you begin: Ensure that mydomain.com points to your server with a DNS A record. This record maps your domain to your server’s public IP address, which Let’s Encrypt needs in order to verify your control of the domain. For our setup, make sure both mydomain.com and www.mydomain.com are correctly set up in your DNS records.
1. Preparing Nginx for Let’s Encrypt Certificate
Create a configuration file at /etc/nginx/snippets/letsencrypt.conf with the following content:
location ^~ /.well-known/acme-challenge/ {
    default_type "text/plain";
    root /var/www/letsencrypt;
}
Create a file at /etc/nginx/snippets/ssl.conf with the following settings:
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:50m;
ssl_session_tickets off;
ssl_protocols TLSv1.2;
ssl_ciphers EECDH+AESGCM:EECDH+AES;
ssl_ecdh_curve secp384r1;
ssl_prefer_server_ciphers on;
ssl_stapling on;
ssl_stapling_verify on;
add_header Strict-Transport-Security "max-age=15768000; includeSubdomains; preload";
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
Create the directory for handling challenges by running:
mkdir -p /var/www/letsencrypt/.well-known/acme-challenge
Create a file at /etc/nginx/sites-available/mydomain.conf with the following content:
server {
    listen 80 default_server;
    listen [::]:80 default_server ipv6only=on;
    server_name mydomain.com www.mydomain.com;
    include /etc/nginx/snippets/letsencrypt.conf;
    root /var/www/html;
    index index.html;
    location / {
        try_files $uri $uri/ =404;
    }
}
First, remove the default site configuration:
rm /etc/nginx/sites-enabled/default
Then, create a symbolic link to enable your site:
ln -s /etc/nginx/sites-available/mydomain.conf /etc/nginx/sites-enabled/mydomain.conf
Finally, reload Nginx to apply the changes:
systemctl reload nginx
2. Install and Use Certbot
Install the necessary package:
apt-get install software-properties-common
Add the Certbot PPA:
add-apt-repository ppa:certbot/certbot
Update your package list:
apt-get update
Install Certbot:
apt-get install certbot
Request a certificate (the first -d name, www.mydomain.com, becomes the directory name under /etc/letsencrypt/live/ that the HTTPS configuration below refers to):
certbot certonly --webroot --agree-tos --no-eff-email --email YOUR@EMAIL.COM -w /var/www/letsencrypt -d www.mydomain.com -d mydomain.com
3. Configure Nginx for HTTPS
Replace the contents of /etc/nginx/sites-available/mydomain.conf with the following server blocks, which switch the site to HTTPS:
1. Redirect HTTP to HTTPS:
server {
    listen 80;
    listen [::]:80;
    server_name mydomain.com;
    include /etc/nginx/snippets/letsencrypt.conf;
    location / {
        return 301 https://mydomain.com$request_uri;
    }
}
server {
    listen 80 default_server;
    listen [::]:80 default_server ipv6only=on;
    server_name www.mydomain.com;
    include /etc/nginx/snippets/letsencrypt.conf;
    location / {
        return 301 https://www.mydomain.com$request_uri;
    }
}
2. Redirect HTTPS non-www to www:
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name mydomain.com;
    ssl_certificate /etc/letsencrypt/live/www.mydomain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/www.mydomain.com/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/www.mydomain.com/fullchain.pem;
    include /etc/nginx/snippets/ssl.conf;
    location / {
        return 301 https://www.mydomain.com$request_uri;
    }
}
3. Serve HTTPS for www.mydomain.com:
server {
    server_name www.mydomain.com;
    listen 443 ssl http2 default_server;
    listen [::]:443 ssl http2 default_server ipv6only=on;
    ssl_certificate /etc/letsencrypt/live/www.mydomain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/www.mydomain.com/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/www.mydomain.com/fullchain.pem;
    include /etc/nginx/snippets/ssl.conf;
    root /var/www/html;
    index index.html;
    location / {
        try_files $uri $uri/ =404;
    }
}
4. Reload Nginx:
systemctl reload nginx
4. Set Up Automatic Certificate Renewal
Test the renewal process:
certbot renew --dry-run
Create a script for Nginx reload:
echo -e '#!/bin/bash\nsystemctl reload nginx' > /root/letsencrypt.sh
chmod +x /root/letsencrypt.sh
Add a cron job:
crontab -e
Add the following line to run the renewal check daily at 03:20 (newer Certbot releases call this option --deploy-hook; --renew-hook is still accepted):
20 3 * * * certbot renew --noninteractive --renew-hook /root/letsencrypt.sh
Your website should now be accessible securely at https://www.mydomain.com.