HTTP/2 SSL Certbot for WP Multisite (Nginx/Debian8)

LetsEncrypt/Certbot First Install:

  1. Update apt and upgrade all applications.
    sudo apt-get update
    sudo apt-get upgrade
  2. Install certbot from the jessie-backports repository
    sudo apt-get install certbot -t jessie-backports
  3. Check that every domain (the primary domain and each multisite domain) is already registered on its DNS server. For this example:

    On myserverdomain.com DNS,
    A record myserverdomain.com to YourIPAddress
    CNAME www to @
    CNAME m to @

    On othersite1.com DNS,
    A record othersite1.com to YourIPAddress
    CNAME www to @

    On othersite2.com DNS,
    A record subdomain1.othersite2.com to YourIPAddress
    A record subdomain2.othersite2.com to YourIPAddress

  4. Request the certificate with certbot in webroot mode.
    -w = web root folder location
    -d = domain served from the preceding -w; can be repeated. All SSL domains on /var/www/wordpress must be included.
    All non-SSL domains that resolve to the IP address will be redirected to HTTP (unencrypted) at /var/www/html.

    sudo certbot certonly --webroot -w /var/www/wordpress -d myserverdomain.com -d www.myserverdomain.com -d m.myserverdomain.com -d othersite1.com -d www.othersite1.com -d subdomain1.othersite2.com -d subdomain2.othersite2.com

  5. Successful certificate registration will return the following message:
    IMPORTANT NOTES:
     - Congratulations! Your certificate and chain have been saved at
     /etc/letsencrypt/live/myregistereddomain.com/fullchain.pem. Your cert
     will expire on 2017-01-25. To obtain a new or tweaked version of
     this certificate in the future, simply run certbot again. To
     non-interactively renew *all* of your certificates, run "certbot
     renew"
     - If you like Certbot, please consider supporting our work by:
    
    Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
    Donating to EFF: https://eff.org/donate-le


  6. Check certificate
    sudo ls -l /etc/letsencrypt/live/myserverdomain.com

    There should be 4 files:

    cert.pem: Your domain’s certificate
    chain.pem: The Let’s Encrypt chain certificate
    fullchain.pem: cert1.pem and chain1.pem combined
    privkey.pem: Your certificate’s private key
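    To confirm that the fullchain.pem from this step actually covers every domain passed with -d in step 4, and how long it remains valid, here is an added shell example that is not part of the original post; the certificate path and domain names are assumptions taken from the post's examples, and the demo certificate it builds is a constructed sample.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: confirm that the fullchain.pem
# from step 6 carries every domain requested in step 4 and report days left.
# Paths and domain names below are assumptions matching the post's examples.

# List the DNS subject alternative names of a PEM certificate, one per line.
# Uses the -text dump so it also works with the OpenSSL shipped on Debian 8.
cert_sans() {
  openssl x509 -in "$1" -noout -text \
    | grep -A1 'Subject Alternative Name' | tail -n1 \
    | tr ',' '\n' | sed -n 's/.*DNS:\([^ ,]*\).*/\1/p'
}

# Whole days until notAfter (GNU date); the renewal cron should keep this above 30.
cert_days_left() {
  local end
  end=$(openssl x509 -in "$1" -noout -enddate | cut -d= -f2)
  echo $(( ( $(date -d "$end" +%s) - $(date +%s) ) / 86400 ))
}

# Return 0 when every domain in $2.. is a SAN of certificate $1; otherwise
# print the missing names to stderr and return 1.
check_cert_covers() {
  local cert=$1 sans missing=0 d
  shift
  sans=$(cert_sans "$cert")
  for d in "$@"; do
    if ! printf '%s\n' "$sans" | grep -qxF "$d"; then
      echo "missing from certificate: $d" >&2
      missing=1
    fi
  done
  return "$missing"
}

# Constructed sample: a throwaway self-signed certificate with SANs so the
# checks can be exercised offline (needs OpenSSL 1.1.1+ for -addext).
make_demo_cert() {
  local out=$1 alt
  shift
  alt=$(printf 'DNS:%s,' "$@"); alt=${alt%,}
  openssl req -x509 -newkey rsa:2048 -nodes -days 60 -subj "/CN=$1" \
    -keyout "$out.key" -out "$out" -addext "subjectAltName=$alt" 2>/dev/null
}

# On the live server you would run (assumed path, domains from step 4):
#   check_cert_covers /etc/letsencrypt/live/myserverdomain.com/fullchain.pem \
#     myserverdomain.com www.myserverdomain.com m.myserverdomain.com \
#     othersite1.com www.othersite1.com subdomain1.othersite2.com subdomain2.othersite2.com
```

    A non-zero exit means a -d name was left out of the step 4 command; re-run it with the missing names before wiring the certificate into Nginx.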

  7. Add a dhparam for more security. Create dhparam.pem:
    sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048

    Check the result:

    cat /etc/ssl/certs/dhparam.pem

    It should show something like this:

    -----BEGIN DH PARAMETERS-----
    (several lines of base64 text)
    -----END DH PARAMETERS-----
  8. Create SSL entry for Nginx settings using snippets
    sudo nano /etc/nginx/snippets/ssl-myserverdomain.com.conf

    Copy and paste (left click on Bitvise SSH console) following lines:

    # the live directory is named after the first -d domain in step 4 (see step 6)
    ssl_certificate /etc/letsencrypt/live/myserverdomain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/myserverdomain.com/privkey.pem;

    [Control-x], [y], [Enter] to save and exit nano.


  9. Create general SSL parameters for Nginx settings using snippets
    This applies for all HTTPS domains.

    sudo nano /etc/nginx/snippets/ssl-params.conf

    Copy and paste (left click on Bitvise SSH console) following lines:

    # from https://cipherli.st/
    # and https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html
    
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
    ssl_ecdh_curve secp384r1;
    ssl_session_cache shared:SSL:10m;
    ssl_session_tickets off;
    ssl_stapling on;
    ssl_stapling_verify on;
    resolver 8.8.8.8 8.8.4.4 valid=300s;
    resolver_timeout 5s;
    # Disable preloading HSTS for now. You can use the commented out header line that includes
    # the "preload" directive if you understand the implications.
    #add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
    add_header Strict-Transport-Security "max-age=63072000; includeSubdomains";
    add_header X-Frame-Options DENY;
    add_header X-Content-Type-Options nosniff;
    
    ssl_dhparam /etc/ssl/certs/dhparam.pem;

    [Control-x], [y], [Enter] to save and exit nano.

  10. Edit the Nginx sites-available configuration. Back up sites-available/default before editing:
    sudo cp /etc/nginx/sites-available/default /etc/nginx/sites-available/myserverdomain.bak
    sudo nano /etc/nginx/sites-available/myserverdomain

    # Plain HTTP: redirect every request to HTTPS.
    # $host keeps each multisite domain on its own hostname (as in the re-install section below).
    server {
        listen 80 default_server;
        listen [::]:80 default_server;
        server_name myserverdomain.com www.myserverdomain.com;
        return 301 https://$host$request_uri;
    }

    # SSL configuration (snippet names match steps 8 and 9)
    server {
        listen 443 ssl http2 default_server;
        listen [::]:443 ssl http2 default_server;
        include snippets/ssl-myserverdomain.com.conf;
        include snippets/ssl-params.conf;

        root /var/www/wordpress;
        index index.php;
        # keep the rest of the existing server block (PHP location etc.) here
    }

    [Control-x], [y], [Enter] to save and exit nano.

  11. Test the HTTPS connection
    sudo nginx -t
    
    sudo service nginx restart

    Browse to each HTTPS domain.

  12. Test your site's SSL:

https://www.ssllabs.com/ssltest/analyze.html?d=myregistereddomain.com

The result should look like this:

[Image: SSL Server Test result by Qualys SSL Labs]

That means myregistereddomain.com already has good encryption, with no old, insecure methods in use. However, it also means that some devices that only support old, obsolete encryption methods might be blocked from your domain.

Test certificate renewal

sudo certbot renew --dry-run

Set up the auto-renewal cron:

sudo crontab -e

10 1 1 * * certbot renew >> /var/log/certbot-renew.log
15 1 1 * * service nginx restart

Certbot/LetsEncrypt Re-Install:

  1. Update certbot:
    sudo apt-get update
    sudo apt-get upgrade
    Force-install all certbot-related packages:
    sudo apt-get install certbot python-acme python-certbot
  2. Check the current certificates:
    sudo certbot certificates
  3. Point the new domain's DNS at the server IP.
  4. Back up the certbot configuration in /etc/letsencrypt (a directory, so the copy must be recursive):
    sudo cp -r /etc/letsencrypt ~/letsencrypt.backup
  5. Remove existing letsencrypt cert
  6. Edit domain.conf:
    1. Add the new domain and remove unused ones.
    2. Turn off the HTTPS redirect:
      ###return 301 https://$host$request_uri;
    3. Turn on/add root & index so the HTTP challenge can be served from the webroot:
      root /var/www/wordpress;
      index index.php;
    4. Turn off the SSL domain & global includes:
      ###include snippets/ssl-domain.com.conf;
      ###include snippets/ssl-params.conf;
    5. Reload the web server:
      sudo service nginx reload
  7. Request the new certificate:
    sudo certbot certonly --webroot -w /var/www/wordpress -d myserverdomain.com -d www.myserverdomain.com -d m.myserverdomain.com -d othersite1.com -d www.othersite1.com -d subdomain1.othersite2.com -d subdomain2.othersite2.com
  8. Restore HTTPS redirection in domain.conf:
    1. Turn on return 301 https:
      return 301 https://$host$request_uri;
    2. Turn off root & index:
      ###root /var/www/wordpress;
      ###index index.php;
    3. Turn on the SSL domain & global includes:
      include snippets/ssl-domain.com.conf;
      include snippets/ssl-params.conf;
    4. Reload the web server:
      sudo service nginx reload
  9. Test the SSL configuration (step 12 above).