How To Setup SSL With LetsEncrypt for Linux & Windows
LetsEncrypt is a great free alternative to paid SSL certs. In this guide Security Engineer @zuphzuph shows you how to set it up for Linux and Windows.
I work with both front-end stacks, so I figured I'd write a simple and straightforward guide on how to securely encrypt your web application front ends with HTTPS. This tool and service is entirely free and could save you an immense amount on SSL renewals through a hosting provider.
Setting up LetsEncrypt for Debian/Nginx Stack:
(domain.com used for example)
Install git to clone the repo for LetsEncrypt (yum as shown works on CentOS/RHEL; on Debian the equivalent is apt-get install git):
yum install git
Clone the repo and save locally:
git clone https://github.com/letsencrypt/letsencrypt
Change into the cloned directory and run the installer script to install LetsEncrypt on your host:
cd ./letsencrypt
./letsencrypt-auto --help
Install a cert for the root domain with no subdomains:
./letsencrypt-auto certonly -d domain.com
Add subdomains, if any, using:
./letsencrypt-auto certonly -d domain.com -d sub.domain.com
When prompted, enter your email for emergencies and recoveries. Then read the ToS and accept to use the service if you agree.
Your certificate will then be created. The directory housing the cert should be:
/etc/letsencrypt/live/domain.com/fullchain.pem
Let's add the certificate into your Nginx .conf so traffic is routed and encrypted by default for visitors.
This example uses a fresh host. If you're already running a stack with an existing Nginx .conf, adapt the directives below to your existing server block.
nano /etc/nginx/conf.d/example.conf
This file should be empty and nano should create/name accordingly. Add the following into your new blank file:
server {
    listen 80;
    listen 443 ssl;
    server_name domain.com;
    ssl_certificate /etc/letsencrypt/live/domain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/domain.com/privkey.pem;
    location / {
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $http_host;
        proxy_set_header X-Forwarded-Proto $scheme;
        # Replace LOCAL_PORT with the port your application listens on locally;
        # Nginx exposes it externally on 80/443.
        proxy_pass http://127.0.0.1:LOCAL_PORT;
    }
    if ($scheme = http) {
        return 301 https://$server_name$request_uri;
    }
}
Press CTRL+X to exit nano and confirm the file name to save.
This config redirects all HTTP requests to HTTPS and presents that nifty green lock icon in Chrome.
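As an added check that is not part of the original guide: a small POSIX shell lint for the server block above. It confirms the directives that make the HTTPS setup effective (a TLS listener on 443, certificate and key read from the Let's Encrypt live directory, and the 301 redirect away from plain HTTP) and warns if ssl_protocols still permits TLSv1 or TLSv1.1. The function names, the LOCAL_PORT placeholder and the two sample configs are my own constructions for the demonstration; on a real host point it at your own file under /etc/nginx/conf.d/.

```shell
#!/bin/sh
# Added example, not from the original guide: lint an Nginx server block for
# the directives that make the Let's Encrypt HTTPS setup effective.
# Usage on a real host:  check_nginx_tls_conf /etc/nginx/conf.d/example.conf

# Drop '#' comments so a commented-out directive is not counted as present.
strip_comments() {
    sed 's/#.*$//' "$1"
}

# True if the comment-stripped config text in $1 has a line matching ERE $2.
has_directive() {
    printf '%s\n' "$1" | grep -Eq "$2"
}

# Check one config file. Prints findings; returns 0 on pass, 1 on any FAIL.
check_nginx_tls_conf() {
    body=$(strip_comments "$1")
    rc=0

    # listen 443 ssl;  (also matches forms such as "listen [::]:443 ssl http2;")
    if ! has_directive "$body" '^[[:space:]]*listen[[:space:]]+[^;]*443[^;]*[[:space:]]ssl([[:space:]]|;)'; then
        echo "FAIL: no 'listen 443 ssl' directive"; rc=1
    fi
    # Chain and key must come from live/, which certbot keeps pointed at the newest renewal.
    if ! has_directive "$body" '^[[:space:]]*ssl_certificate[[:space:]]+/etc/letsencrypt/live/[^/]+/fullchain\.pem;'; then
        echo "FAIL: ssl_certificate is not .../live/<domain>/fullchain.pem"; rc=1
    fi
    if ! has_directive "$body" '^[[:space:]]*ssl_certificate_key[[:space:]]+/etc/letsencrypt/live/[^/]+/privkey\.pem;'; then
        echo "FAIL: ssl_certificate_key is not .../live/<domain>/privkey.pem"; rc=1
    fi
    # Plain HTTP must be redirected, not served.
    if ! has_directive "$body" '^[[:space:]]*return[[:space:]]+301[[:space:]]+https://'; then
        echo "FAIL: no 'return 301 https://...' redirect for HTTP"; rc=1
    fi
    # Warning only: legacy protocol versions still enabled.
    if has_directive "$body" 'ssl_protocols[^;]*TLSv1(\.1)?([[:space:]]|;)'; then
        echo "WARN: ssl_protocols still allows TLSv1/TLSv1.1"
    fi

    if [ "$rc" -eq 0 ]; then
        echo "PASS: $1"
    fi
    return "$rc"
}

# Constructed sample: the server block from the guide (LOCAL_PORT is a placeholder).
GOOD_CONF='server {
    listen 80;
    listen 443 ssl;
    server_name domain.com;
    ssl_certificate /etc/letsencrypt/live/domain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/domain.com/privkey.pem;
    location / {
        proxy_pass http://127.0.0.1:LOCAL_PORT;
    }
    if ($scheme = http) {
        return 301 https://$server_name$request_uri;
    }
}'

# Constructed sample of common mistakes: no "ssl" on the 443 listener,
# the redirect commented out, and legacy protocol versions enabled.
BAD_CONF='server {
    listen 80;
    listen 443;
    server_name domain.com;
    ssl_certificate /etc/letsencrypt/live/domain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/domain.com/privkey.pem;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    # return 301 https://$server_name$request_uri;
}'

# Write a config string to a temp file and print its path.
write_sample_conf() {
    f=$(mktemp) && printf '%s\n' "$1" > "$f" && echo "$f"
}

# Demonstration on the constructed samples.
good=$(write_sample_conf "$GOOD_CONF")
bad=$(write_sample_conf "$BAD_CONF")
check_nginx_tls_conf "$good"
check_nginx_tls_conf "$bad" || echo "bad sample rejected, exit status $?"
rm -f "$good" "$bad"
```

Pair it with nginx -t: this lint checks that the security-relevant directives are present, while nginx -t checks that the file is syntactically valid and the certificate paths actually exist.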
Start Nginx using:
systemctl start nginx
To check Nginx status:
systemctl status nginx
If you receive any errors at this point, test the configuration with:
nginx -t
(This points out any faults or misconfigurations in your config.)
To set Nginx to start at boot and after reboots, enter:
systemctl enable nginx
(Ignore this next part if you've already setup the firewall to allow 80/443 traffic.)
If you haven't yet allowed traffic enter:
firewall-cmd --permanent --zone=public --add-service=http
firewall-cmd --permanent --zone=public --add-service=https
firewall-cmd --reload
To ensure automated renewal, confirm you have a LetsEncrypt cron job in /etc/cron.d/certbot (files in cron.d need the user field, here root, before the command):
43 6 * * * root certbot renew --post-hook "systemctl reload nginx"
If you want this to run daily, weekly or even monthly, calculate the cron schedule using: https://crontab.guru/
Setting up LetsEncrypt for Windows/IIS Stack:
Download the latest release using: https://github.com/PKISharp/win-acme/releases
This tool is designed to be executed from your IIS host you wish to assign SSL to.
Unzip to a directory of your choosing. It's often easiest under a C:\Dir since we'll be using cmd to execute the tool in order to install certs for our hostnames.
Open a command prompt and execute letsencrypt.exe from within that directory:
cd C:\Dir
letsencrypt.exe
This opens a console with options for you to choose from.
Since we're starting from scratch we'll choose option 'M', which creates a new certificate with advanced options. You'll want to select '1' to manually input hostnames for the certificate you're creating. Separate each with a comma when using the same cert for multiple names.
You're then presented with options for validating the cert. For this example I'm using the recommended option '4' (self-hosts the verification files).
Select option '1' (Do not run any installation steps) and enter in your email and accept the ToS if you agree.
If the hostnames entered match IIS bindings you should now be set to roll! Verify your IIS site bindings and ensure you're accepting 443!
You should also consider using the tool to schedule renewals or revoke certs if/as needed.
I hope this guide helps you out! If you enjoyed the content please let me know! You can find me on twitter if you have any questions: https://twitter.com/zuphzuph/