A while back I wrote a post on how to install PHP 7 with nginx on a VPS for very good performance; you can find it here: WordPress Hosting – Install PHP7, Nginx and Virtualmin on CentOS 7.2.
In this article I continue the series and show how to use Let's Encrypt to run your website over HTTPS for free, with a valid certificate signed by a publicly trusted CA.
Let's Encrypt is a free Certificate Authority that issues a certificate for your domain so that you can serve your site over HTTPS. Running your site over HTTPS has several benefits, such as:
I started from How To Secure Nginx with Let's Encrypt on CentOS 7, but those are not the exact configurations you need when you use Virtualmin and nginx to host multiple sites. In this article I go through all the steps I took to get bitdoze.org running on HTTPS.
As mentioned in the DigitalOcean article, the Let's Encrypt client needs to be installed first; the exact steps given there are:
Install Git and bc
yum -y install git bc
Clone Let’s Encrypt
sudo git clone https://github.com/letsencrypt/letsencrypt /opt/letsencrypt
You now have the Let's Encrypt client in /opt/letsencrypt; this is the tool that generates the certificate.
You already have nginx installed from the previous tutorial, so what remains is to obtain the certificate. Before doing so, a few changes are needed in the nginx configuration.
Add the .well-known location to the domain
Open /etc/nginx/nginx.conf and add the code below inside the server block of the domain you want to run on HTTPS:
location ^~ /.well-known/ { allow all; }
If it is not clear where the code should go, check the complete configuration at the end of the article. The ^~ modifier matters: it gives this prefix location precedence over the regex location that passes *.php files to PHP-FPM, so anything under /.well-known/ is served as a static file and never executed.
Restart Nginx
For the configuration to become active, nginx needs to be restarted:
sudo systemctl restart nginx
This is needed because Let's Encrypt proves that you control the domain by fetching a file the client writes under http://domain.com/.well-known/acme-challenge/ over plain HTTP on port 80, so that path must be reachable from the Internet before a certificate can be issued.
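Before running the client it is worth checking that the path above really works end to end, exactly the way the webroot plugin and the Let's Encrypt validation servers will exercise it. The script below is an added example and not part of the original post: it writes a random token under the webroot's .well-known/acme-challenge/ directory, fetches it back over plain HTTP and compares the two. The domain, webroot and the use of curl are assumptions; replace them with your own.

```shell
#!/bin/sh
# Added example (not from the original post): pre-flight check for the ACME
# http-01 path. Writes a token file where the webroot plugin would, fetches
# http://<domain>/.well-known/acme-challenge/<token> and compares the result.
# Assumes curl is installed; domain and webroot are passed as arguments.

# Fetch a URL and print its body. Replace with "wget -qO- $1" if curl is absent.
fetch_url() {
    curl -fsS --max-time 10 "$1"
}

# Print a random 32-character hex token (safe for a file name and a URL).
make_token() {
    od -An -N16 -tx1 /dev/urandom | tr -d ' \n'
}

# preflight_check DOMAIN WEBROOT
# Returns 0 when the token written into WEBROOT is served back unchanged over
# plain HTTP, 1 otherwise. The token file is removed in every case.
preflight_check() {
    domain=$1
    webroot=$2
    dir="$webroot/.well-known/acme-challenge"
    token=$(make_token)

    mkdir -p "$dir" || return 1
    printf '%s' "$token" > "$dir/$token" || return 1

    body=$(fetch_url "http://$domain/.well-known/acme-challenge/$token" 2>/dev/null)
    status=$?
    rm -f "$dir/$token"

    if [ "$status" -ne 0 ]; then
        echo "preflight: could not fetch the challenge URL for $domain" >&2
        return 1
    fi
    if [ "$body" != "$token" ]; then
        echo "preflight: content served for $domain does not match the token" >&2
        return 1
    fi
    echo "preflight: $domain serves /.well-known/acme-challenge/ from $webroot"
    return 0
}

# Run only when called with both arguments, for example:
#   sh le-preflight.sh bitdoze.org /home/bitdoze.org/public_html
if [ $# -eq 2 ]; then
    preflight_check "$1" "$2"
fi
```

If the check fails with a mismatch rather than a fetch error, the usual cause is that another location (a WordPress rewrite, or a PHP handler) is capturing the request, which is exactly what the ^~ location prevents.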
Generate the certificate
Next, have the certificate created for your domain. You need the document root where the site's files live; for me it is /home/bitdoze.org/public_html.
Then run the following. -a webroot tells the client to write the challenge file into --webroot-path, and every name given with -d is included in the certificate, so each of them must resolve to this server:
cd /opt/letsencrypt
./letsencrypt-auto certonly -a webroot --webroot-path=/home/bitdoze.org/public_html -d bitdoze.org -d www.bitdoze.org
You will be asked for an e-mail address (used for expiry notices and account recovery) and to accept the terms of service; if everything is fine the output ends with:
Output:
IMPORTANT NOTES:
 - If you lose your account credentials, you can recover through
   e-mails sent to [email protected]
 - Congratulations! Your certificate and chain have been saved at
   /etc/letsencrypt/live/bitdoze.org/fullchain.pem. Your cert will expire
   on 2016-06-15. To obtain a new version of the certificate in the
   future, simply run Let's Encrypt again.
 - Your account credentials have been saved in your Let's Encrypt
   configuration directory at /etc/letsencrypt. You should make a secure
   backup of this folder now. This configuration directory will also
   contain certificates and private keys obtained by Let's Encrypt so
   making regular backups of this folder is ideal.
 - If you like Let's Encrypt, please consider supporting our work by:
   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le
Now you have the certificate files; you can check them with:
[root@ns1 ~]# ls -ltr /etc/letsencrypt/live/bitdoze.org/
total 0
lrwxrwxrwx 1 root root 38 Mar 23 10:33 privkey.pem -> ../../archive/bitdoze.org/privkey1.pem
lrwxrwxrwx 1 root root 40 Mar 23 10:33 fullchain.pem -> ../../archive/bitdoze.org/fullchain1.pem
lrwxrwxrwx 1 root root 36 Mar 23 10:33 chain.pem -> ../../archive/bitdoze.org/chain1.pem
lrwxrwxrwx 1 root root 35 Mar 23 10:33 cert.pem -> ../../archive/bitdoze.org/cert1.pem
The files in live/ are symlinks to the numbered files in archive/; on every renewal the symlinks are moved to the new files, which is why nginx must reference the live/ paths and be reloaded after a renewal. privkey.pem is the private key: keep it readable only by root (the nginx master process reads it as root at startup), and include /etc/letsencrypt in your backups as the output suggests.
Enable TLS on port 443 while keeping port 80 open (the first listen has no port, so it is port 80 on my server's address, 104.236.95.236):
listen 104.236.95.236;
listen 443 ssl;
Add the certificate, the key and the ssl_ciphers list. Note that ssl on; is deliberately not used: listen 443 ssl already enables TLS on port 443, whereas ssl on; turns on TLS for every listen socket of the server block, including the port 80 one, and plain HTTP requests then fail with "400 The plain HTTP request was sent to HTTPS port" (the directive was made obsolete in nginx 1.15.0 in favour of the listen parameter). ssl_certificate must point at fullchain.pem (certificate plus intermediate), not cert.pem alone, or clients that do not already have the intermediate will fail validation. The cipher list below is Mozilla's "intermediate" list of the time; it still admits 3DES (DES-CBC3-SHA) for old clients, and because no ssl_protocols directive is set, nginx's default applies (TLSv1 TLSv1.1 TLSv1.2 from nginx 1.9.1 on), so on an older build set ssl_protocols explicitly to make sure SSLv3 is never offered.
ssl_certificate /etc/letsencrypt/live/bitdoze.org/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/bitdoze.org/privkey.pem;
ssl_session_cache shared:SSL:1m;
ssl_session_timeout 5m;
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
ssl_prefer_server_ciphers on;
Redirect HTTP to HTTPS. $server_name expands to the first name in the server_name directive, bitdoze.org, so a request for http://www.bitdoze.org/ is first sent to https://bitdoze.org/ and WordPress then redirects it again to the www name configured further down. $host would keep the name the client asked for, but use it only in a server block that is not the default server for the address, otherwise any Host header an attacker sends ends up in the redirect target.
# force https-redirects
if ($scheme = http) {
    return 301 https://$server_name$request_uri;
}
Restart Nginx
sudo systemctl restart nginx
For the complete picture, this is the full server block on my server (ssl on; is intentionally absent, see above):
server {
    server_name bitdoze.org www.bitdoze.org;
    listen 104.236.95.236;
    listen 443 ssl;
    root /home/bitdoze.org/public_html;
    index index.html index.htm index.php;
    access_log /var/log/virtualmin/bitdoze.org_access_log;
    error_log /var/log/virtualmin/bitdoze.org_error_log;
    fastcgi_param GATEWAY_INTERFACE CGI/1.1;
    fastcgi_param SERVER_SOFTWARE nginx;
    fastcgi_param QUERY_STRING $query_string;
    fastcgi_param REQUEST_METHOD $request_method;
    fastcgi_param CONTENT_TYPE $content_type;
    fastcgi_param CONTENT_LENGTH $content_length;
    fastcgi_param SCRIPT_FILENAME /home/bitdoze.org/public_html$fastcgi_script_name;
    fastcgi_param SCRIPT_NAME $fastcgi_script_name;
    fastcgi_param REQUEST_URI $request_uri;
    fastcgi_param DOCUMENT_URI $document_uri;
    fastcgi_param DOCUMENT_ROOT /home/bitdoze.org/public_html;
    fastcgi_param SERVER_PROTOCOL $server_protocol;
    fastcgi_param REMOTE_ADDR $remote_addr;
    fastcgi_param REMOTE_PORT $remote_port;
    fastcgi_param SERVER_ADDR $server_addr;
    fastcgi_param SERVER_PORT $server_port;
    fastcgi_param SERVER_NAME $server_name;
    # lets PHP/WordPress know the request arrived over TLS
    fastcgi_param HTTPS $https;
    location ~ \.php$ {
        try_files $uri =404;
        fastcgi_pass unix:/var/php-nginx/14569991303968.sock/socket;
    }
    # ^~ wins over the regex location above, so challenge files are never run as PHP
    location ^~ /.well-known/ {
        allow all;
    }
    location / {
        include /etc/nginx/drconf/wpsecure.conf;
        include /etc/nginx/drconf/wpnocache.conf;
        try_files $uri $uri/ /index.php?q=$request_uri;
    }
    # "ssl on;" is intentionally absent: "listen 443 ssl" already enables TLS on
    # port 443, and "ssl on;" would also force TLS on the port 80 socket.
    ssl_certificate /etc/letsencrypt/live/bitdoze.org/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/bitdoze.org/privkey.pem;
    ssl_session_cache shared:SSL:1m;
    ssl_session_timeout 5m;
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
    ssl_prefer_server_ciphers on;
    # force https-redirects
    if ($scheme = http) {
        return 301 https://$server_name$request_uri;
    }
}
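The single mixed server block above works, but nginx's documented way to serve HTTP and HTTPS for the same site is one server block per protocol, which removes the need for the if redirect and makes it impossible to accidentally enable TLS on port 80. The configuration below is an added example and not the one from the post: it keeps this post's names, address and paths (assumed to be the same), answers ACME challenges on port 80, redirects everything else, and pins ssl_protocols explicitly with a shorter, forward-secret-only cipher list; the PHP and WordPress locations from the full block go into the 443 server unchanged.

```nginx
# Added example (not the configuration from the original post): the same site
# as two server blocks, one per protocol. Names, IP and paths are those used
# in this post and are assumptions; adjust them for your server.

# Port 80: serve ACME challenge files, redirect everything else to HTTPS.
server {
    listen 104.236.95.236;
    server_name bitdoze.org www.bitdoze.org;

    # Challenge files are written here by "letsencrypt-auto ... -a webroot".
    location ^~ /.well-known/acme-challenge/ {
        root /home/bitdoze.org/public_html;
    }

    location / {
        # $host is safe here because this block only matches the two names
        # above; do not use $host in a default_server block.
        return 301 https://$host$request_uri;
    }
}

# Port 443: TLS only. The PHP, .well-known and WordPress locations from the
# full configuration above belong in this block, unchanged.
server {
    listen 443 ssl;
    server_name bitdoze.org www.bitdoze.org;
    root /home/bitdoze.org/public_html;
    index index.html index.htm index.php;

    ssl_certificate     /etc/letsencrypt/live/bitdoze.org/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/bitdoze.org/privkey.pem;

    # Explicit protocol list: SSLv3 is never offered whatever the nginx default.
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    # Forward-secret AEAD suites only; drop the TLSv1/1.1 line above and the
    # CBC suites if you do not need to support old clients.
    ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK';
    ssl_prefer_server_ciphers on;
    ssl_session_cache   shared:SSL:1m;
    ssl_session_timeout 5m;
}
```

After editing, run nginx -t before the restart; a typo in the cipher string or a wrong certificate path is reported there instead of taking the site down.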
You also need to edit wp-config.php and add:
define('FORCE_SSL_ADMIN', true);
define('WP_HOME','https://www.bitdoze.org');
define('WP_SITEURL','https://www.bitdoze.org');
Replace my site with yours. FORCE_SSL_ADMIN makes WordPress serve the login and admin pages only over HTTPS, and WP_HOME and WP_SITEURL stop WordPress from generating http:// links, which would otherwise cause mixed-content warnings in the browser.
Let's Encrypt certificates are valid for 90 days, so they need to be renewed. To renew manually, run:
/opt/letsencrypt/letsencrypt-auto renew
To automate the process, add the commands to root's crontab:
sudo crontab -e
Add the two lines below; they run every Monday at 02:30. Running weekly is fine because renew only replaces certificates that are within 30 days of expiry and leaves the others untouched. The reload five minutes later is what makes nginx pick up the new files: it keeps the old certificate in memory until it is reloaded.
30 2 * * 1 /opt/letsencrypt/letsencrypt-auto renew >> /var/log/le-renew.log
35 2 * * 1 /usr/bin/systemctl reload nginx
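The two cron lines reload nginx every week whether or not anything was renewed, and they reload it even if the renewal failed or the configuration is broken. The wrapper below is an added example, not part of the original post: it runs the renewal, reloads nginx only when fullchain.pem actually changed, and only after nginx -t accepts the configuration. The paths are the ones from this post and the install location of the script are assumptions; adjust them for your server.

```shell
#!/bin/sh
# Added example (not from the original post): renewal wrapper for cron.
# Reloads nginx only when the certificate changed and the config is valid.
# Paths are assumptions based on this post; adjust them for your server.

LE_BIN=/opt/letsencrypt/letsencrypt-auto
CERT=/etc/letsencrypt/live/bitdoze.org/fullchain.pem
LOG=/var/log/le-renew.log

# Append a timestamped line to the log.
log() {
    echo "$(date '+%F %T') $*" >> "$LOG"
}

# Print a digest of a certificate file so that a renewal can be detected.
# cksum is used because it is POSIX and present on every CentOS install.
cert_digest() {
    if [ -r "$1" ]; then
        cksum < "$1"
    else
        echo missing
    fi
}

# cert_changed OLD_DIGEST PATH: returns 0 when PATH no longer matches OLD_DIGEST.
cert_changed() {
    [ "$(cert_digest "$2")" != "$1" ]
}

# Run the renewal and reload nginx only when it is both needed and safe.
renew_and_reload() {
    before=$(cert_digest "$CERT")

    if ! "$LE_BIN" renew >> "$LOG" 2>&1; then
        log "renew reported a failure; nginx not reloaded"
        return 1
    fi

    if ! cert_changed "$before" "$CERT"; then
        log "nothing renewed; nginx not reloaded"
        return 0
    fi

    # Reload only with a valid configuration; a failed reload would leave the
    # old certificate in service until someone notices.
    if ! nginx -t >> "$LOG" 2>&1; then
        log "certificate renewed but nginx -t failed; reload skipped"
        return 1
    fi

    systemctl reload nginx && log "certificate renewed, nginx reloaded"
}

# Only act when explicitly asked, so the file can also be sourced for its functions.
case "${1:-}" in
    --run) renew_and_reload ;;
esac
```

Install it as, for instance, /usr/local/sbin/le-renew.sh (an assumed path) and replace the two cron lines with a single one such as 30 2 * * 1 /usr/local/sbin/le-renew.sh --run; the log then records one line per run saying whether anything was renewed and whether nginx was reloaded.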