Let’s Encrypt has just released its newest intermediate certificate authority, Let’s Encrypt X3, and with that its certificates are now compatible with Windows XP for users running Chrome or an antique Internet Explorer. I’ve already been delving into the system, and now that this last minor hiccup for users who couldn’t or wouldn’t update is resolved, it’s going to be my go-to.

So, install Let’s Encrypt:

# cd /usr/src
# git clone https://github.com/letsencrypt/letsencrypt
# cd letsencrypt

My setup currently consists of nginx handling the SSL and proxying the connection to the back ends running Apache. So I add this location block to the server block listening on port 80 to handle the Let’s Encrypt (ACME) challenge:

    # the webroot plugin writes the challenge files under /var/www/.well-known/acme-challenge/
    location /.well-known/acme-challenge/ {
        root    /var/www;
        index   index.html;
        # note: a missing challenge file falls back to index.html (HTTP 200) rather than a 404
        try_files $uri $uri/ /index.html?/$request_uri;
    }

After reloading nginx, I run this fancy one-liner, which drops the required files into that folder and generates the new certificate…

# ./letsencrypt-auto certonly --email <youremailaddress> --agree-tos --webroot -w /var/www -d mydomain.com -d www.mydomain.com

And then I can set up my SSL block in my nginx configuration…

server {
    listen 443 ssl;
    server_name mydomain.com www.mydomain.com;

    # 'listen 443 ssl' above already enables TLS; the old 'ssl on;' directive
    # is deprecated and not needed here.
    ssl_certificate      /etc/letsencrypt/live/mydomain.com/fullchain.pem;
    ssl_certificate_key  /etc/letsencrypt/live/mydomain.com/privkey.pem;

    ### Add SSL specific settings here ###

    # TLSv1 and TLSv1.1 are kept only for the XP-era clients discussed above;
    # drop them once those clients no longer matter.
    ssl_protocols        TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
    ssl_prefer_server_ciphers on;
    # relative path: resolved against the nginx configuration directory
    ssl_dhparam ssl/dhparams.pem;

    keepalive_timeout    60;
    ssl_session_cache    shared:SSL:10m;
    ssl_session_timeout  10m;

    location / {
        proxy_pass  http://10.0.0.2;

        ### force timeouts if one of the backends has died ###
        proxy_next_upstream error timeout invalid_header http_500 http_502 http_503 http_504;

        ### Set headers ####
        proxy_set_header        Accept-Encoding   "";
        proxy_set_header        Host              $host;
        proxy_set_header        X-Real-IP         $remote_addr;
        proxy_set_header        X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header        X-Forwarded-Proto $scheme;
        # tell the backend the front end is HTTPS; proxy_set_header sends this
        # upstream, whereas add_header would only attach it to the client response
        proxy_set_header        Front-End-Https   on;

        ### By default we don't want to redirect it ####
        proxy_redirect     off;
    }
}

(don’t forget to generate your dhparams.pem)
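Before reloading, it is worth auditing the protocol and cipher choices in that block, since the list above deliberately keeps TLSv1/1.1, 3DES and non-forward-secret suites for old clients. The script below is an added example (not from the original post, nor part of nginx or Let’s Encrypt): it pulls the ssl_protocols, ssl_ciphers and ssl_prefer_server_ciphers directives out of an nginx server block and reports the settings a reviewer would question. The embedded config is a constructed, trimmed copy of the block above.

```python
import re

# Constructed input: a trimmed copy of the TLS directives from the server block above.
SAMPLE_CONFIG = """
server {
    listen 443 ssl;
    ssl_protocols        TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA:AES128-GCM-SHA256:AES128-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK';
    ssl_prefer_server_ciphers on;
}
"""

DEPRECATED_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
# OpenSSL cipher-string prefixes that imply ephemeral (forward-secret) key exchange.
PFS_PREFIXES = ("ECDHE-", "DHE-", "ECDHE+", "DHE+", "kEDH", "kEECDH")


def directive(config, name):
    """Return the argument string of the first `name ...;` directive, or None."""
    m = re.search(r"^\s*%s\s+(.*?);\s*$" % re.escape(name), config, re.M)
    return m.group(1).strip().strip("'\"") if m else None


def audit_tls(config):
    """Return a list of findings for the TLS settings of an nginx server block."""
    findings = []
    for proto in (directive(config, "ssl_protocols") or "").split():
        if proto in DEPRECATED_PROTOCOLS:
            findings.append("protocol %s is deprecated" % proto)
    for entry in (directive(config, "ssl_ciphers") or "").split(":"):
        if not entry or entry.startswith("!"):  # '!' entries only exclude suites
            continue
        if "DES-CBC3" in entry or entry == "3DES":
            findings.append("cipher %s uses 3DES (64-bit block, Sweet32)" % entry)
        elif not entry.startswith(PFS_PREFIXES):
            # bare aliases such as AES or CAMELLIA also admit static-RSA suites
            findings.append("cipher entry %s permits suites without forward secrecy" % entry)
    if directive(config, "ssl_prefer_server_ciphers") != "on":
        findings.append("ssl_prefer_server_ciphers is not on")
    return findings


if __name__ == "__main__":
    for finding in audit_tls(SAMPLE_CONFIG):
        print(finding)
```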

Reload nginx and you’re good to go.
