How to install a letsencrypt cert with nginx?

I've used letsencrypt to install an SSL cert for the latest nginx on ubuntu. The setup is fine and works great with the exception of:

[screenshot not preserved]

I don't know enough about SSL to know what's going on, but I have a suspicion: I installed the SSL cert for Apache a while back and just now moved to Nginx for its http/2 support. As the nginx plugin is not stable yet, I had to install the cert myself, and this is what I did:

In my nginx config (/etc/nginx/conf/default.conf) I added:

server {
    listen       80;
    server_name  [domain];
    return 301   https://$host$request_uri;
}

server {
    listen       443 http2;
    listen       [::]:443 http2;
    server_name  [domain];

    ssl on;
    ssl_certificate /etc/letsencrypt/live/[domain]/cert.pem;
    ssl_certificate_key /etc/letsencrypt/live/[domain]/privkey.pem;
}

Is it possible that this breaks the chain somehow? What is the proper way here?

Thanks guys

asked Nov 15 '25 01:11 by Dominik



1 Answer

1) For strong Diffie-Hellman and to avoid Logjam attacks, see this great manual.

You need to extend your nginx config with these directives (after you generate the dhparams.pem file):

ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
ssl_prefer_server_ciphers on;
ssl_dhparam /etc/nginx/ssl/dhparams.pem;

2) For a correct certificate chain, use fullchain.pem, not cert.pem; see this great tutorial for details.

And you will get A grade :)

3) And as a bonus, try this great service:

"Generate Mozilla Security Recommended Web Server Configuration Files".

answered Nov 17 '25 20:11 by Aleksey Deryagin

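Two quick checks for the two problems the answer names (a cert.pem that carries no intermediate, and a config without ssl_dhparam), as an added example that is not part of the question or the answer. The PEM files and the config below are constructed samples with dummy bodies; the /etc/letsencrypt paths are only placeholders.

```shell
#!/bin/sh
# Added example, not code from the question or the answer above.
# The sample PEM files and config are constructed for the demo.

# Count the certificates in a PEM bundle. certbot's cert.pem holds
# only the leaf; fullchain.pem holds the leaf plus the intermediate(s),
# which is what nginx must send or clients cannot build the chain.
pem_cert_count() {
    grep -c '^-----BEGIN CERTIFICATE-----$' "$1"
}

# Print one FINDING line per problem in an nginx config; return 1 if
# any was found: ssl_certificate pointing at cert.pem, or no ssl_dhparam.
audit_nginx_ssl() {
    conf="$1"; rc=0
    if grep -Eq '^[[:space:]]*ssl_certificate[[:space:]]+[^;]*/cert\.pem[[:space:]]*;' "$conf"; then
        echo "FINDING: ssl_certificate uses cert.pem; use fullchain.pem so the intermediate is sent"
        rc=1
    fi
    if ! grep -Eq '^[[:space:]]*ssl_dhparam[[:space:]]' "$conf"; then
        echo "FINDING: no ssl_dhparam; generate dhparams.pem and reference it"
        rc=1
    fi
    return $rc
}

# Constructed sample data (dummy certificate bodies, placeholder domain).
demo_dir=$(mktemp -d)
cat > "$demo_dir/cert.pem" <<'EOF'
-----BEGIN CERTIFICATE-----
MIIBdummyLeafCertificateBody
-----END CERTIFICATE-----
EOF
cat "$demo_dir/cert.pem" "$demo_dir/cert.pem" > "$demo_dir/fullchain.pem"
cat > "$demo_dir/default.conf" <<'EOF'
server {
    listen 443 http2;
    ssl on;
    ssl_certificate /etc/letsencrypt/live/example.org/cert.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.org/privkey.pem;
}
EOF

echo "cert.pem: $(pem_cert_count "$demo_dir/cert.pem") cert(s), fullchain.pem: $(pem_cert_count "$demo_dir/fullchain.pem") cert(s)"
audit_nginx_ssl "$demo_dir/default.conf" || echo "config needs fixing"
# Against a live host, confirm the served chain with:
#   openssl s_client -connect example.org:443 -servername example.org </dev/null
```

On the live check, the "Certificate chain" section should list the intermediate below the leaf; a single entry means the server is still serving cert.pem alone.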