How to Install (Free) SSL Easily for Your Website
SSL is an essential part of a properly configured website. But it can be a pain to find and install the right cert. Follow this how-to to turn a headache into a has-been problem.
Due to my webhost taking a huge nose dive, I had to scramble to find new hosting. In doing so, I explored SSL solutions and a friend suggested Let’s Encrypt. I liked the experience so much I thought I’d share it.
So my old host (unnamed) just imploded. What started as a nice little company with fast servers and great support, got bought out. The new company did what many big companies tend to do, which is cut costs and lower the quality of the product. They did this by giving us all a "server upgrade" which turned out to be a terrible service. The traffic from my site was crashing the cheap server quite frequently. I would call and get no answer, and emails were answered by outsourced support personnel who were just copying and pasting text into emails to me. Three years of solid service vanished overnight.
So, I needed to move my site fast, and since I have SSL and all my pages are spidered in Google with SSL, it would be wise to continue using it. I didn’t want to even attempt to ask these support people to export my cert to move it here so I started looking at options. So I looked at LetsEncrypt. Since I moved my site to a nice new Linux server I knew this would be an option for me, and decided to give it a try.
How to Install Free SSL/TLS
So I had my nice little NGINX server set up and all I had to do was the following:
And that created my certs. I wanted to strengthen things up a bit, and I’ll show what I did.
Generate Strong Diffie-Hellman Group
To generate a strong Diffie-Hellman group, I ran the following command:
sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048
Note the location of the generated file (/etc/ssl/certs/dhparam.pem); I’ll be adding that to my default config. Here is everything I added to it:
listen [::]:443 ssl default_server;
listen 443 ssl default_server;
server_name www.jeremymorgan.com jeremymorgan.com;
ssl_certificate /etc/letsencrypt/live/jeremymorgan.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/jeremymorgan.com/privkey.pem;
ssl_trusted_certificate /etc/letsencrypt/live/jeremymorgan.com/chain.pem;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_dhparam /etc/ssl/certs/dhparam.pem;
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:50m;
ssl_stapling on;
ssl_stapling_verify on;
add_header Strict-Transport-Security max-age=15768000;
After that, save the file and reload NGINX:
sudo service nginx reload
Is that it? Yes, that really is it.
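As an added example (not part of the original article and not Let's Encrypt or NGINX tooling), the Python script below audits TLS directives like the ones above for common weak spots: a port 443 listen socket without ssl, deprecated protocol versions, weak cipher names, DHE ciphers without ssl_dhparam, and a missing HSTS header. The sample config, the function names and the marker list are assumptions made for illustration.

```python
import re

# Constructed sample modelled on the directives in this article (cipher list shortened).
SAMPLE = """
listen [::]:443 default_server;
listen 443 ssl default_server;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:AES128-SHA:DES-CBC3-SHA:!aNULL:!RC4';
ssl_dhparam /etc/ssl/certs/dhparam.pem;
add_header Strict-Transport-Security max-age=15768000;
"""

OLD_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}    # TLS 1.0/1.1 were retired by RFC 8996
WEAK_MARKERS = ("DES-CBC3", "RC4", "MD5", "NULL", "EXP")  # illustrative substrings of weak cipher names

def parse_directives(text):
    """Split nginx config text into (name, args) pairs; quoted values stay one token."""
    text = re.sub(r"(?m)^\s*#.*$", "", text)              # drop whole-line comments
    directives, current = [], []
    for tok in re.findall(r"'[^']*'|\"[^\"]*\"|;|[^\s;]+", text):
        if tok != ";":
            current.append(tok)
        elif current:                                     # ';' closes the directive
            directives.append((current[0], [t.strip("'\"") for t in current[1:]]))
            current = []
    return directives

def audit(text):
    """Return a list of findings for the TLS-related directives in text."""
    findings, names, ciphers = [], set(), []
    for name, args in parse_directives(text):
        if not args:
            continue
        names.add(name if name != "add_header" else "add_header:" + args[0].lower())
        if name == "listen" and args[0].rsplit(":", 1)[-1] == "443" and "ssl" not in args:
            findings.append(f"listen {args[0]}: no 'ssl' parameter on a port 443 socket")
        elif name == "ssl_protocols":
            findings += [f"ssl_protocols: {p} is deprecated" for p in args if p in OLD_PROTOCOLS]
        elif name == "ssl_ciphers":
            ciphers = [c for c in args[0].split(":") if not c.startswith("!")]
            findings += [f"ssl_ciphers: {c} is weak" for c in ciphers
                         if any(m in c for m in WEAK_MARKERS)]
    if any(c.startswith("DHE-") for c in ciphers) and "ssl_dhparam" not in names:
        findings.append("ssl_ciphers: DHE suites offered but no ssl_dhparam is set")
    if "add_header:strict-transport-security" not in names:
        findings.append("add_header: no Strict-Transport-Security header")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

Run it against your own server block before reloading; an empty result means none of these particular checks fired, not that the configuration is otherwise sound.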
Now I have a nice little green lock there. Not much different than the last cert I had:
Not too bad huh?
I shared this so you can see exactly how easy it is to use LetsEncrypt to set up free SSL certs for your site. The aim of this project is to encrypt everything, which is a fantastic idea.
What do you think? Share it in the comments.
Published at DZone with permission of Jeremy Morgan, DZone MVB. See the original article here.