Assigning SSL using Let’s Encrypt to Websites Running in LXCs


Let’s Encrypt is a great service that provides SSL certificates free of charge. It aims to make more of the data transferred over the WWW secure.

This assumes websites running in LXCs, to which HTTP requests are reverse proxied using NGINX, as described in Hosting Multiple Applications in a Server, with Linux Containers (LXC).

Install the Let’s Encrypt Certificate Generator

sudo apt install letsencrypt

Stop NGINX Temporarily

The Let’s Encrypt Certificate Generator won’t run while other software is listening on port 80, so we have to temporarily stop NGINX.

sudo service nginx stop

If you do not stop NGINX, you’ll see an error like this down the road:

Create SSL Certificate

Issue the following command:

letsencrypt certonly

If you’re running this for the first time, it’ll ask for your email address.

It’ll also notify you about the Terms of Service, if this is the first time you run the letsencrypt tool.

And then you’ll be able to enter the domain(s) you wish to use this SSL certificate for.

Once done, you’ll see a success message.

All your Let’s Encrypt certificate files will be saved in the /etc/letsencrypt directory.

Generate Strong Diffie-Hellman Group

To further increase security, you should also generate a strong Diffie-Hellman group. To generate a 2048-bit group, use this command:

sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048

This may take a few minutes but when it’s done you will have a strong DH group at /etc/ssl/certs/dhparam.pem.

Configure NGINX to Use Let’s Encrypt SSL Certificate

Now that we’ve prepared all the files needed, we can configure NGINX to use SSL.

To do that, open the NGINX configuration file that is used to reverse proxy your domain to an LXC.

For me, it’s /etc/nginx/sites-available/com.budhajeewa.conf.

Currently, it looks like this:

server {
 listen 80;
 server_name budhajeewa.com *.budhajeewa.com;

 location / {
  proxy_pass http://10.0.3.2:80;
  proxy_set_header Host $host;
 }
}

We need to make it look like the following in order to configure it with Let’s Encrypt SSL. Changed items are in red color.

server {
 listen 443 ssl;
 server_name budhajeewa.com *.budhajeewa.com;

 ssl_certificate /etc/letsencrypt/live/budhajeewa.com/fullchain.pem;
 ssl_certificate_key /etc/letsencrypt/live/budhajeewa.com/privkey.pem;

 ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
 ssl_prefer_server_ciphers on;
 ssl_dhparam /etc/ssl/certs/dhparam.pem;
 ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES1$
 ssl_session_timeout 1d;
 ssl_session_cache shared:SSL:50m;
 ssl_stapling on;
 ssl_stapling_verify on;
 add_header Strict-Transport-Security max-age=15768000;

 location / {
  proxy_pass http://10.0.3.2:80;
  proxy_set_header Host $host;
  proxy_set_header X-Forwarded-Ssl on;
 }
}

server {
 listen 80;
 server_name budhajeewa.com *.budhajeewa.com;
 return 301 https://$host$request_uri;
}
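
A check you can run against a server block like the one above, added here as an example and not part of the original post: it flags ssl_protocols entries for TLS 1.0 and 1.1, which RFC 8996 deprecated, and confirms that the HSTS header and the port-80 redirect are present. The function name audit_tls_conf and the sample config are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the original post. audit_tls_conf and the sample
# config below are constructed for illustration.

# Print findings for an NGINX config file, or "ok" when nothing is flagged.
audit_tls_conf() {
    conf=$1
    findings=""
    # Extract the values of every ssl_protocols directive.
    protos=$(sed -n 's/^[[:space:]]*ssl_protocols[[:space:]][[:space:]]*\(.*\);.*$/\1/p' "$conf")
    [ -n "$protos" ] || findings="$findings missing:ssl_protocols"
    # SSLv2/SSLv3 are long broken; TLS 1.0/1.1 were deprecated by RFC 8996.
    for p in $protos; do
        case $p in
            SSLv2|SSLv3|TLSv1|TLSv1.1) findings="$findings deprecated:$p" ;;
        esac
    done
    grep -Eq '^[[:space:]]*add_header[[:space:]]+Strict-Transport-Security' "$conf" ||
        findings="$findings missing:hsts"
    grep -Eq '^[[:space:]]*return[[:space:]]+301[[:space:]]+https://' "$conf" ||
        findings="$findings missing:https-redirect"
    if [ -n "$findings" ]; then echo "${findings# }"; else echo "ok"; fi
}

# Constructed sample: the protocol, HSTS and redirect lines from the article.
sample=$(mktemp)
cat > "$sample" <<'EOF'
server {
    listen 443 ssl;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    add_header Strict-Transport-Security max-age=15768000;
}
server {
    listen 80;
    return 301 https://$host$request_uri;
}
EOF
# Same file with only TLS 1.2 and 1.3 enabled.
fixed=$(mktemp)
sed 's/TLSv1 TLSv1.1 TLSv1.2/TLSv1.2 TLSv1.3/' "$sample" > "$fixed"

echo "article config: $(audit_tls_conf "$sample")"
echo "TLS 1.2/1.3 only: $(audit_tls_conf "$fixed")"
rm -f "$sample" "$fixed"
```

The TLSv1.3 value is accepted by NGINX 1.13.0 and later, and only takes effect when NGINX is built against OpenSSL 1.1.1 or newer.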

Finally

Restart NGINX.

service nginx restart

Now go to your browser and enter your domain. You will be redirected to HTTPS from HTTP. Yay!

