Enable HTTPS for All Virtual Hosts on Nginx – For Free

This article shows you how to enable HTTPS for all your virtual hosts on a dedicated Nginx server. At the time of writing, certbot is still beta software and Let's Encrypt is in its early release. The method described here is a cost-effective way to enable encryption on your personal server. I don't recommend that you use it on your production server. The software may contain bugs and security vulnerabilities; use it at your own discretion.

Please note that Ubuntu 14.04 is used in this guide. The file paths used here may differ on other flavors of Linux. This guide is loosely based on How To Secure Nginx with Let's Encrypt on Ubuntu 14.04.

Install certbot-auto

Prepare Nginx Server

Update the default site's configuration file. This file is typically located at /etc/nginx/sites-enabled/default. You only need to add the location ~ /.well-known config block. This change allows the Let's Encrypt CA to verify your domain by fetching files under /.well-known via your virtual host's domain name.

Generate Certificates

Use a Diffie-Hellman group to strengthen the encryption.

Put the configurations below in /etc/nginx/include/diffie-hellman. If the directory does not exist, create it first: sudo mkdir /etc/nginx/include.

Generate certificates for your virtual host.

To generate certificates for another virtual host, just repeat the above step.

Update Virtual Host Configuration File

For each virtual host, add the following configuration. Make sure ssl_certificate and ssl_certificate_key point to the correct certificate and key files.
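A complete virtual host as an added example (not configuration from the original post). It assumes the domain example.com, the document root /var/www/example.com, certbot's default /etc/letsencrypt/live/<domain>/ layout, and a DH parameter file at /etc/ssl/certs/dhparam.pem; the contents of the shared include are shown in the same block for reference.

```nginx
# Added example; example.com, /var/www/example.com and dhparam.pem are assumed values.

# Port 80 stays open only for the Let's Encrypt challenge; everything else is redirected.
server {
    listen 80;
    server_name example.com www.example.com;
    root /var/www/example.com;

    # HTTP-01 validation fetches /.well-known/acme-challenge/<token> over plain HTTP,
    # so this location must remain reachable without TLS and must not be redirected.
    location ~ /.well-known {
        allow all;
    }

    location / {
        return 301 https://$host$request_uri;
    }
}

server {
    listen 443 ssl;
    server_name example.com www.example.com;
    root /var/www/example.com;

    # Paths written by certbot-auto; fullchain.pem carries the intermediate certificate
    # so clients can build the chain. privkey.pem must stay readable by root only.
    ssl_certificate     /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

    # Shared TLS hardening, kept in one file so every virtual host gets the same settings.
    include /etc/nginx/include/diffie-hellman;
}

# --- contents of /etc/nginx/include/diffie-hellman (assumed) ---
# ssl_dhparam /etc/ssl/certs/dhparam.pem;        # generated with: openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048
# ssl_protocols TLSv1.2;                          # disables SSLv3 and TLS 1.0/1.1
# ssl_prefer_server_ciphers on;
# ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256';
# ssl_session_cache shared:SSL:10m;
```

Run sudo nginx -t before reloading so a typo in one virtual host does not take every site down.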

Reload Nginx. HTTPS should now be enabled on your sites.

Go to https://www.ssllabs.com/ssltest to check how strong the encryption is.

Set Up Auto Renewal

The certificates are relatively short-lived: they are valid for 90 days from issuance. It is recommended to set up a cron job to renew the certificates.

Troubleshoot

If you are running into issues, please make sure that files under .well-known/* are accessible from your virtual host's domain name. To verify this, create a test file at <document root of virtual host>/.well-known/test.html; you should be able to access the file at http://<virtual host's domain name>/.well-known/test.html. If you are not able to, something is wrong with your Nginx configuration.
