So on Sunday I finished moving my site over to Digital Ocean as mentioned in an earlier blog post, I just wanted to quickly make this small post to go over what I did to set up Let’s Encrypt with Nginx and some other options I set up which could be handy.
I mostly followed the steps which can be found on the Nginx site, It mostly comes down to clone the Let’s Encrypt repository and manually set up a config file then run the command and add the certs to the Nginx config file, reload the settings then set up a cron job to automatically renew the certificate.
The part I want to focus on is the missing steps to make sure you don’t allow any weaker ciphers or in some cases with older systems SSL3. Before we do that though we need to generate a new 2048bit key that we can use for Perfect Forward Secrecy instead of the default 1024 bit key.
sudo openssl dhparam -outform pem -out /etc/nginx/dhkey2048.pem 2048
Now that has generated we can start editing /etc/nginx/nginx.conf to change some of the SSL options. The first thing to do is locate ssl_protocols and make sure it doesn’t contain SSLv3 from a new install that line will look like this:
ssl_protocols TLSv1 TLSv1.1 TLS1.2; # Dropping SSLv3, ref: POODLE
The next part to work on is the Ciphers we want to allow, Rather than allow everything we are going to drop support for low security ciphers, insecure algorithms like MD5, RC4 and SHA1 and also drop support for ciphers that are not really used just incase a new issue pops up.
ssl_ciphers 'kEECDH+ECDSA+AES128 kEECDH+ECDSA+AES256 kEECDH+AES128 kEECDH+AES256 kEDH+AES128 kEDH+AES256 DES-CBC3-SHA +SHA !aNULL !eNULL !LOW !kECDH !DSS !MD5 !EXP !PSK !SRP !CAMELLIA !SEED';
Now lets setup that key we made earlier for Perfect Forward Secrecy
That is it you can now save and exit the file and check that the changes are valid and then reload the config by running:
sudo nginx -t sudo nginx -s reload
The last thing we are going to want to do is enable HSTS which will tell browsers to never bother making an HTTP connection again which is what we want and it will even allow us to get on the preload list that ships with browsers so they automatically know to use HTTPS. Open your sites config file under /etc/nginx/sites-available/ and under the ssl_certificate lines just add in:
add_header Strict-Transport-Security "max-age=31536000 includeSubDomains; preload";
Follow the steps above to test the config and reload Nginx and you should be good to go, Now if you want you can go and run the Qualys SSL Checker to see how your configuration holds up.