
Raju Ginni


Letsencrypt SSL Installation on apache/Nginx ubuntu / debian wordpress

SSL installation on Nginx and apache2 servers on Ubuntu and Debian with Let's Encrypt: automatic and manual renewal for WordPress sites, and other configurations.
Note: This article may be confusing, but try to pick out the information you need. If you can't find it, please comment.
Table of contents:
Installing Let's Encrypt on nginx
Renewing Let's Encrypt on nginx
Let's Encrypt and Cloudflare configuration
Replacing Let's Encrypt with Cloudflare origin SSL
Let's Encrypt with apache2
Note:
Cloudflare should be turned off while issuing or renewing certificates. No automatic renewals are done while Cloudflare is active.
You can also use Cloudflare certificates at the server level, by downloading them from Cloudflare and uploading them to the server. Benefit: no renewal.
My case: I need to manage multiple domains, so I thought Let's Encrypt should be easy.
Installing summary
  1. Install certbot
  2. Create a web directory for ACME challenges (create it in the server folder, with a symlink for every domain)*
  3. Issue the certificate: webroot for Apache, nginx plugin for nginx
  4. Set up auto renewal, or renew before 30 days of the domain's expiry.
Part 2 may confuse you in the case of multiple domains.

Step 2 install SSL on shared IP Cpanel

We have to upload the SSL certificate to the shared server using the following steps:

Cpanel>>Security>>TLS/SSL Certificates>> Upload.

Upload the SSL certificate from SSL provider.

 

Step 1. Generating the SSL certificate and downloading it from the provider: buy the SSL certificate and then click Setup; you will be asked to select domains hosted with GoDaddy.

CSR generation: You can generate a Certificate Signing Request (CSR) on your server by using the server's software. Your CSR contains a public key that matches the private key generated at the same time.

HTML verification: afterwards you are asked to upload a file with a unique ID that is sent to your email.
Rename the file as .html with the code, also place the unique ID within that HTML file, and now verify.
1. Verify domain ownership.
There are 2 emails for verification:
1 is the HTML file upload and the other is the final approval.
We have to wait 5-10 minutes.

 

Don't revoke the SSL certificate at any cost (it is not reusable once it is revoked).

Migrating SSL Certificate from another Server

SSL Dashboard >> Manage >> Rekey >> Enter CSR Information >> Download Certificate >> Enter Private Key (encoded in cPanel).

I just installed on Cpanel from GoDaddy WordPress managed Hosting.

301 Redirect SSL From WordPress

  1. Change the WordPress installed directory from WordPress General settings >> Site name: https to the http:// version
  2. Remove define('FORCE_SSL_LOGIN', true);
    define('FORCE_SSL_ADMIN', true);
  3. /* That's all, stop editing! Happy blogging. */
WordPress General settings >> Site name: https to the http:// version
Site Address (WordPress installed URL)

Http to https 301 Redirection 

 

Nginx:

Your host file (.conf) is generally at /etc/nginx/sites-enabled/

server {
    listen 80;
    server_name yourwebsite.com www.yourwebsite.com;
    return 301 https://yourwebsite.com$request_uri;
}

server {
    listen 443 ssl;
    server_name yourwebsite.com www.yourwebsite.com;

    # document root

    # ssl file paths

    # php config
}

 

 

Options +FollowSymlinks
RewriteEngine on
RewriteBase /
RewriteCond %{SERVER_PORT} ^443$ [OR]
RewriteCond %{HTTPS} =on
RewriteRule ^(.*)$ http://www.example.com/$1 [R=301,L]
or
RewriteEngine On
RewriteCond %{HTTPS} on
RewriteRule (.*) http://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
or
RewriteEngine On
RewriteCond %{HTTPS} on
RewriteCond %{HTTP_HOST} !^domain\.com$
RewriteRule .* http://%{HTTP_HOST}%{REQUEST_URI} [R,L]
Use a replace plugin to change https:// to http:// in internal links.
Contact host support. Don't revoke the SSL certificate.
Redirect https to http without a certificate
Not possible to uninstall; you have to buy or use an existing SSL certificate.
Comodo SSL certificates start from $10 / year.
https://www.namecheap.com/security/ssl-certificates/domain-validation.aspx
Note: Don't revoke the SSL certificate (you will be unable to re-access it, so you would have to buy a new SSL certificate).
Better Search Replace
Reasons: backlinks for HTTP and HTTPS are different, and Google treats HTTP and HTTPS as different domains. Resource intensive, external link issues (not suitable for static content websites).
Also, it slows down the website; there is a bandwidth difference.

You might have added HTTPS to the URL, for example https://yoursite.com instead of http://yoursite.com

Add these lines to your wp-config.php

define('WP_HOME','http://example.com');
define('WP_SITEURL','http://example.com');

Add these lines just before:

/* That's all, stop editing! Happy blogging. */

define('FORCE_SSL_LOGIN', true);
define('FORCE_SSL_ADMIN', true);

https://www.youtube.com/watch?v=WudTb454GVw
https to http redirect htaccess
# BEGIN SSL
<IfModule mod_rewrite.c>
Options +FollowSymLinks
RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteCond %{HTTP_USER_AGENT} ^(.+)$
RewriteCond %{SERVER_NAME} ^tspscjobs\.co\.in$
RewriteRule .* https://%{SERVER_NAME}%{REQUEST_URI} [R=301,L]
Header add Strict-Transport-Security "max-age=300"
</IfModule>
# END SSL
or
Options +FollowSymlinks
RewriteEngine on
RewriteBase /
RewriteCond %{SERVER_PORT} !^443$
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://www.example.com/$1 [R=301,L]
Does not work
if you are going to uninstall https.

install SSL certificate apache Debian /ubuntu /centos

 

Install the Apache SSL module

sudo yum install mod_ssl   # CentOS; on Debian/Ubuntu mod_ssl ships with the apache2 package

Enable SSL

sudo a2enmod ssl

Disable
sudo a2dismod ssl

Note: After enabling the SSL module, port 80 refuses connections.

<IfModule ssl_module>
    Listen 443
</IfModule>

Upload the files to /etc/ssl/ and make the SSL files readable by root only.

Configure the virtual host file with SSL PORT 443

 

<VirtualHost yourdomain:443>
    DocumentRoot /var/www/html
    ServerName www.yourdomain.com

    SSLEngine on
    SSLCertificateFile /path/to/your_domain_name.crt
    SSLCertificateKeyFile /path/to/your_private.key
    SSLCertificateChainFile /path/to/DigiCertCA.crt
</VirtualHost>

Generally, we use port 80 (HTTP) instead of port 443, the SSL port (HTTPS).

Test your Apache configuration (apachectl configtest) before restarting the server; this avoids downtime on production sites.
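
The step above says the uploaded key must be readable by root only. The script below is an added example, not part of the original article, that checks this for every key under a directory. It assumes keys are named *.key or privkey*.pem and that GNU stat (Linux) is available; the function names are made up for this example.

```shell
#!/bin/sh
# Added example (not from the original page): audit TLS private-key permissions.
# Assumptions: keys are named *.key or privkey*.pem; GNU stat (Linux) is available.

# check_key_perms FILE [EXPECTED_UID]
# Returns 0 if only the expected owner (default uid 0, root) can access the key,
# 1 if it is exposed, 2 if the file is missing. Findings go to stdout.
check_key_perms() {
    k_file=$1
    k_want=${2:-0}
    [ -f "$k_file" ] || { echo "MISSING $k_file"; return 2; }
    # -L follows symlinks: /etc/letsencrypt/live/*/privkey.pem points into archive/.
    k_mode=$(stat -L -c '%a' "$k_file")
    k_uid=$(stat -L -c '%u' "$k_file")
    k_rc=0
    # Any group or other permission bit means more than the owner can reach the key.
    if [ $(( 0$k_mode & 077 )) -ne 0 ]; then
        echo "EXPOSED $k_file mode=$k_mode (want 600 or 400)"
        k_rc=1
    fi
    if [ "$k_uid" != "$k_want" ]; then
        echo "OWNER $k_file uid=$k_uid (want $k_want)"
        k_rc=1
    fi
    return $k_rc
}

# audit_key_dir DIR [EXPECTED_UID]
# Checks every key file under DIR; returns 0 only if all of them pass.
audit_key_dir() {
    a_dir=$1
    a_want=${2:-0}
    a_bad=0
    a_list=$(find "$a_dir" \( -type f -o -type l \) \
        \( -name '*.key' -o -name 'privkey*.pem' \) 2>/dev/null)
    a_ifs=$IFS
    IFS='
'
    set -f                      # no globbing while splitting the list on newlines
    for a_f in $a_list; do
        check_key_perms "$a_f" "$a_want" || a_bad=$((a_bad + 1))
    done
    set +f
    IFS=$a_ifs
    [ "$a_bad" -eq 0 ]
}

# Typical use on the layout from this page (run as root):
#   audit_key_dir /etc/ssl && audit_key_dir /etc/letsencrypt/live
```
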

 

Let’s encrypt install on apache2.4 ubuntu 16.06 18.04

 

  1. Enable the SSL module

1. Install certbot

sudo apt update && sudo apt install certbot

Making a directory for Let's Encrypt verification (ACME challenges)

2. sudo mkdir -p /var/www/letsencrypt/.well-known/acme-challenge

sudo chown -R www-data:www-data /var/www/letsencrypt/

sudo chmod -R 755 /var/www/letsencrypt/

3. Creating Apache virtual Host

 

nano /etc/apache2/sites-available/yourdomain.com.conf

 

<VirtualHost *:80>
    ServerAdmin admin@email.com
    ServerName yourdomain.com
    ServerAlias www.yourdomain.com
    DocumentRoot /var/www/yourdomain.com
    <Directory /var/www/yourdomain.com/>
        Options Indexes FollowSymLinks MultiViews
        Options All
        AllowOverride All
        Require all granted
    </Directory>
    Alias /.well-known/acme-challenge/ "/var/www/letsencrypt/.well-known/acme-challenge/"
    <Directory "/var/www/letsencrypt/">
        AllowOverride None
        Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec
        Require method GET POST OPTIONS
    </Directory>
</VirtualHost>

 

Enabling

Symbolic link

sudo ln -s /etc/apache2/sites-available/yourdomain.com.conf /etc/apache2/sites-enabled/yourdomain.com.conf

sudo a2ensite yourdomain.com.conf

 

4. Reload the server to effect changes

 

sudo service apache2 reload

 5. Generating SSL Certificates for the Domain

sudo certbot certonly --agree-tos --email admin@yourdomain.com --webroot -w /var/www/letsencrypt/ -d yourdomain.com -d www.yourdomain.com

6. Mapping certificates to your domain in the virtual host

 

<VirtualHost *:80>
    ServerName yourdomain.com
    ServerAlias www.yourdomain.com

    Redirect permanent / https://yourdomain.com/
</VirtualHost>

<VirtualHost *:443>
    ServerAdmin admin@email.com
    ServerName yourdomain.com
    ServerAlias www.yourdomain.com
    DocumentRoot /var/www/yourdomain.com

    SSLEngine On
    SSLCertificateFile /etc/letsencrypt/live/yourdomain.com/cert.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/yourdomain.com/privkey.pem
    SSLCertificateChainFile /etc/letsencrypt/live/yourdomain.com/chain.pem
    <Directory /var/www/yourdomain.com/>
        Options Indexes FollowSymLinks MultiViews
        Options All
        AllowOverride All
        Require all granted
    </Directory>
    Alias /.well-known/acme-challenge/ "/var/www/letsencrypt/.well-known/acme-challenge/"
    <Directory "/var/www/letsencrypt/">
        AllowOverride None
        Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec
        Require method GET POST OPTIONS
    </Directory>
</VirtualHost>

 

6.1 SSL Configurations for Speed

nano /etc/apache2/conf-available/ssl-params.conf

# Header directives require mod_headers (sudo a2enmod headers)
SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLHonorCipherOrder On
Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
Header always set X-Frame-Options DENY
Header always set X-Content-Type-Options nosniff
# Requires Apache >= 2.4
SSLCompression off
SSLUseStapling on
SSLStaplingCache "shmcb:logs/stapling-cache(150000)"
# Requires Apache >= 2.4.11
SSLSessionTickets Off

enable above configuration

sudo a2enconf ssl-params

 

 

7. check config errors & reload the Server

sudo apachectl configtest && sudo service apache2 reload

 

Renewal of Letsencrypt SSL manual & Automatically

certificate validity : 30 months

Renewal: occurs within 30 days of expiry.

Checking certificates for expiry

sudo certbot renew --dry-run

Renewing a certificate by name

certbot renew --cert-name rajuginni.com

Deleting a certificate

certbot delete --cert-name rajuginni.com

where to install SSL certificates in apache.

 

SSL Required for HTTP2 protocol

why http2

  1. only 1 request to download all css,js,HTML files
  2. compress headers
  3. server push

 

SSL installation on nginx

 

  1. Create a folder in /etc/nginx/ssl or /etc/ssl/
  2. Upload the private key and certificate files.
  3. Add the path to the files in the server block for the domain (vhost in Apache terms)

server {
    listen 80;
    listen 443 ssl http2;
    ssl_certificate /path/to/your_certificate.pem;
    ssl_certificate_key /path/to/your_key.key;
    server_name your.domain.com;

    location / {
        root /home/www/public_html/;
        index index.php index.html;

        # php-fpm configuration goes here (in case of WordPress)
    }
}

  4. Reload / restart the server

nginx -s reload

or

service nginx restart

 

 

Let's Encrypt installation on an Nginx server (Ubuntu & Debian)

1. Install certbot

sudo apt update && sudo apt install certbot

Making a directory for Let's Encrypt verification (ACME challenges)

2. sudo mkdir -p /var/www/letsencrypt/.well-known/acme-challenge

sudo chown -R www-data:www-data /var/www/letsencrypt/

sudo chmod -R 755 /var/www/letsencrypt/

 

Creating the snippet file

nano /etc/nginx/snippets/letsencrypt.conf

location ^~ /.well-known/acme-challenge/ {
    default_type "text/plain";
    root /var/www/letsencrypt;
}

sudo certbot --nginx -d rajuginni.com -d www.rajuginni.com

nano /etc/nginx/sites-enabled/rajuginni.com

include /etc/nginx/snippets/letsencrypt.conf;

nginx -s reload

Generating SSL

certbot certonly --webroot --agree-tos --no-eff-email --email getluckybyme@email.com -w /var/www/letsencrypt -d rajuginni.com -d www.rajuginni.com

Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/rajuginni.com/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/rajuginni.com/privkey.pem

nano /etc/nginx/sites-enabled/rajuginni.com

server {
    listen 80;
    server_name rajuginni.com www.rajuginni.com;
    location / {
        return 301 https://rajuginni.com$request_uri;
    }
}
server {
    listen 443 ssl;
    root /var/www/html/rajuginni.com/;
    index index.php index.html index.htm;  # you can add it to nginx.conf once for the whole server
    server_name rajuginni.com www.rajuginni.com;
    include /etc/nginx/conf.d/ssl.config;  # ssl config here
    ssl_certificate /etc/letsencrypt/live/rajuginni.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/rajuginni.com/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/rajuginni.com/fullchain.pem;
    include /etc/nginx/conf.d/global.config;  # php-fpm goes here
}

 

nginx -s reload

Renewing Let's Encrypt on nginx

sudo certbot --nginx

Then select a domain to issue or reissue a certificate with 3 months validity manually.

Note: Let's Encrypt renews automatically with cron jobs, but in some cases, for example if you are using Cloudflare as a reverse proxy, Let's Encrypt is unable to verify the IP address of your host. In that case you need the manual process.

Migrating Let's Encrypt SSL to a new server

This does not work; you need to issue a new SSL certificate.

SSL configuration file

 

nano /etc/nginx/conf.d/ssl.config
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:50m;
ssl_session_tickets off;
ssl_protocols TLSv1.2;
ssl_ciphers EECDH+AESGCM:EECDH+AES;
ssl_ecdh_curve secp384r1;
ssl_prefer_server_ciphers on;
ssl_stapling on;
ssl_stapling_verify on;
add_header Strict-Transport-Security "max-age=15768000; includeSubdomains; preload";
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;

 

 

Enabling HTTP/2 in nginx & apache2

Download the apache2 HTTP/2 module and enable it; the same applies to nginx.

You can check whether the HTTP/2 module is present in nginx with

nginx -V

If yes, you just need to add http2 in the server block.

Automatic SSL / Let's Encrypt renewal using cron jobs

nano /etc/cron.d/certbot
# If the cron directory does not exist, create it; add the command to the file with an editor or issue the command directly.
How to set a cron job on a Linux server step by step
crontab -e   # edit existing
crontab -l   # list
crontab -r   # removes all for the user
/etc/crontab         # default directory
/etc/cron.d/         # directory
/etc/cron.monthly/   # monthly directory
The cron command is known as crontab
Apache
0 */12 * * * root test -x /usr/bin/certbot -a \! -d /run/systemd/system && perl -e 'sleep int(rand(3600))' && certbot -q renew --renew-hook "systemctl reload apache2"
# it runs two times a day
Nginx
0 0 1 1,3,5,7,9,11 * /path/to/certbot renew --quiet
5 0 1 1,3,5,7,9,11 * service nginx reload
# runs once in 2 months
Cron job explanation

MIN HOUR DOM MON DOW CMD
Crontab Fields and Allowed Ranges (Linux Crontab Syntax)

Field   Description     Allowed Value
MIN     Minute field    0 to 59
HOUR    Hour field      0 to 23
DOM     Day of Month    1-31
MON     Month field     1-12
DOW     Day Of Week     0-6
CMD     Command         Any command to be executed.

root@instance-1:~# crontab -l
no crontab for root

Cron special keywords and their meaning

Keyword   Equivalent
@yearly   0 0 1 1 *
@daily    0 0 * * *
@hourly   0 * * * *
@reboot   Run at startup.

@monthly  00:00 on the 1st of every month.
@yearly   00:00 on Jan 1st of every year.
0 * * * *   run once an hour
0 0 * * *   run once a day
0 0 1 * *   run once a month
0 0 1 1 *   run once a year
@monthly sudo certbot renew && sudo service nginx reload
crontab -l | { cat; echo "0 0 1 * * sudo certbot renew && sudo service nginx reload >/dev/null 2>&1"; } | crontab -
root@instance-1:~# crontab -l | { cat; echo "0 0 1 * * sudo certbot renew && sudo service nginx reload >/dev/null 2>&1"; } | crontab -
root@instance-1:~# crontab -l
0 0 1 * * sudo certbot renew && sudo service nginx reload >/dev/null 2>&1

SSL certificates expire within 3 months; run the renewal at least once weekly or monthly, depending on when the domains expire.
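
A renewal job that never fires, or fires on the wrong days, only shows up when a certificate expires. The script below is an added example, not part of the original article, that checks a cron schedule against the field ranges in the table above and flags the case where day-of-month and day-of-week are both restricted. The function names and the sample schedule in the final comment are constructed for illustration; month/day names and DOW 7 are not handled.

```shell
#!/bin/sh
# Added example (not from the original page): sanity-check a cron schedule
# before installing it. Ranges follow the page's field table.

# in_range N MIN MAX: N is a plain decimal number within MIN..MAX
in_range() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge "$2" ] && [ "$1" -le "$3" ]
}

# check_field VALUE MIN MAX: accepts *, N, A-B, lists (a,b) and steps (/n)
check_field() {
    [ -n "$1" ] || return 1
    f_bad=0
    f_ifs=$IFS; IFS=','; set -f
    for f_item in $1; do
        case "$f_item" in
            */*) in_range "${f_item#*/}" 1 "$3" || f_bad=1
                 f_item=${f_item%%/*} ;;
        esac
        case "$f_item" in
            '*') ;;
            *-*) { in_range "${f_item%-*}" "$2" "$3" &&
                   in_range "${f_item#*-}" "$2" "$3"; } || f_bad=1 ;;
            *)   in_range "$f_item" "$2" "$3" || f_bad=1 ;;
        esac
    done
    set +f; IFS=$f_ifs
    return $f_bad
}

# check_schedule "LINE": 0 = valid, 1 = invalid, 2 = valid but DOM and DOW are
# both restricted, in which case cron fires when EITHER matches, not both.
check_schedule() {
    case "$1" in
        @yearly*|@monthly*|@daily*|@hourly*|@reboot*) echo "OK keyword"; return 0 ;;
    esac
    set -f; set -- $1; set +f
    [ $# -ge 5 ] || { echo "INVALID need 5 schedule fields"; return 1; }
    check_field "$1" 0 59 || { echo "INVALID minute $1"; return 1; }
    check_field "$2" 0 23 || { echo "INVALID hour $2"; return 1; }
    check_field "$3" 1 31 || { echo "INVALID day-of-month $3"; return 1; }
    check_field "$4" 1 12 || { echo "INVALID month $4"; return 1; }
    check_field "$5" 0 6  || { echo "INVALID day-of-week $5"; return 1; }
    if [ "${3#[*]}" = "$3" ] && [ "${5#[*]}" = "$5" ]; then
        echo "WARN day-of-month ($3) and day-of-week ($5) both set"
        return 2
    fi
    echo "OK"
}

# Constructed sample: meant as "1st of every second month", but also fires
# every Monday of those months:  check_schedule "0 0 1 1,3,5,7,9,11 1 cmd"
```
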

 

Hi, I am Raju Ginni. Primarily I manage WordPress websites on the GCP cloud platform as a cloud engineer, and create content on things I am passionate about.
You can follow me on YouTube.

© 2025 - All Rights Reserved Disclaimer & Privacy Policy