Installing Let's Encrypt on Ubuntu 14.04

In this tutorial we will install a Let's Encrypt certificate on Ubuntu and Nginx. We will be using acme.sh instead of the official installation method, just because it's much simpler.

Step 1 - Install acme.sh

$ curl https://get.acme.sh | sudo bash

Step 2 - Issue a certificate

$ sudo acme.sh --issue --dns -d domain.com -d www.domain.com

This will give you the following output:

Add the following txt record:  
Domain:_acme-challenge.domain.com  
Txt value:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

Add the following txt record:  
Domain:_acme-challenge.www.domain.com  
Txt value:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx  

Add these TXT records in your DNS panel (see the screenshot). Wait for the DNS change to propagate, then run:

$ sudo acme.sh --renew -d domain.com

You can check your DNS with:

$ dig TXT _acme-challenge.domain.com

And you should see something like:

_acme-challenge.domain.com. 86400 IN TXT     "xxx"  
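Before running `--renew` it is worth confirming that every `_acme-challenge` name carries exactly the token acme.sh printed, because the renewal fails if a record is missing or still holds an old value, and in manual DNS mode the same check applies to every later renewal, since the tokens change each time. The following Python script is an added example, not part of the original post or of acme.sh: it parses `dig TXT` answer lines (the sample output embedded below is constructed, not captured from a real zone) and reports which names are not ready. Multi-string TXT records are joined the way resolvers do, and a stale extra value next to the current one is tolerated, because the CA accepts the challenge as long as one TXT value at the name matches.

```python
import re

# Constructed sample of `dig TXT` output (not captured from a real zone).
# The first name carries the current token plus a stale one; the second
# uses two quoted strings, which dig prints for long TXT data.
SAMPLE_DIG_OUTPUT = """
; <<>> DiG 9.9.5 <<>> TXT _acme-challenge.domain.com
;; ANSWER SECTION:
_acme-challenge.domain.com.     86400   IN  TXT "AAAAcurrenttoken"
_acme-challenge.domain.com.     86400   IN  TXT "oldtokenfromlastissue"
_acme-challenge.www.domain.com. 86400   IN  TXT "BBBBsplit" "token"
"""

# One answer line: owner name, TTL, class, type, then the quoted data.
_TXT_LINE = re.compile(r'^(?P<name>\S+)\s+\d+\s+IN\s+TXT\s+(?P<data>.*)$')
# One quoted string, allowing backslash-escaped characters inside it.
_QUOTED = re.compile(r'"((?:[^"\\]|\\.)*)"')


def parse_txt_records(dig_output):
    """Map each owner name (lower-cased, no trailing dot) to its TXT values.
    A record made of several quoted strings is joined into one value,
    which is how resolvers and ACME servers treat it."""
    records = {}
    for line in dig_output.splitlines():
        match = _TXT_LINE.match(line.strip())
        if not match:
            continue  # dig comments, section headers, other record types
        name = match.group('name').rstrip('.').lower()
        chunks = _QUOTED.findall(match.group('data'))
        value = ''.join(chunk.replace('\\"', '"') for chunk in chunks)
        records.setdefault(name, []).append(value)
    return records


def challenge_ready(dig_output, expected):
    """expected maps challenge names to the token acme.sh printed.
    Returns (all_ok, names_not_ready). Extra stale values are tolerated:
    the CA accepts the challenge if any TXT value at the name matches."""
    records = parse_txt_records(dig_output)
    not_ready = [name for name, token in expected.items()
                 if token not in records.get(name.rstrip('.').lower(), [])]
    return (not not_ready, not_ready)


if __name__ == '__main__':
    # Tokens acme.sh would have printed in Step 2 (constructed values).
    expected = {'_acme-challenge.domain.com': 'AAAAcurrenttoken',
                '_acme-challenge.www.domain.com': 'BBBBsplittoken'}
    ok, missing = challenge_ready(SAMPLE_DIG_OUTPUT, expected)
    print('ready to run --renew' if ok else 'not yet visible: ' + ', '.join(missing))
```

In practice you would feed `parse_txt_records` the text of the `dig TXT` command from the post (for example via `subprocess.run`) for each challenge name, and only run `acme.sh --renew` once `challenge_ready` returns true for all of them.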

Step 3 - Install the certificate

$ sudo mkdir -p /etc/nginx/ssl/domain.com
$ sudo acme.sh --installcert -d domain.com \
    --certpath /etc/nginx/ssl/domain.com/cert.cer \
    --keypath /etc/nginx/ssl/domain.com/key.key \
    --fullchainpath /etc/nginx/ssl/domain.com/chain.cer \
    --capath /etc/nginx/ssl/domain.com/ca.cer \
    --reloadcmd "service nginx restart"

Nginx will use the full chain (chain.cer) and the private key (key.key) in Step 4; ca.cer is only the intermediate certificate.

The certificate will automatically be renewed.

If chain.pem and dhparam.pem don't exist yet, create them with the following two commands (generating 4096-bit DH parameters takes several minutes; chain.pem is the Let's Encrypt intermediate that ssl_trusted_certificate uses to verify stapled OCSP responses):

$ sudo openssl dhparam -out /etc/nginx/ssl/dhparam.pem 4096
$ sudo wget -O /etc/nginx/ssl/chain.pem https://letsencrypt.org/certs/lets-encrypt-x1-cross-signed.pem

Set the proper permissions. Directories need the execute bit to be traversable, so they get 700 and the certificate and key files 400:

$ sudo find /etc/nginx/ssl -type d -exec chmod 700 {} +
$ sudo find /etc/nginx/ssl -type f -exec chmod 400 {} +

Step 4 - Configure the web server (Nginx)

Open /etc/nginx/sites-available/domain.com and paste the following inside the server { } block (paths are relative to /etc/nginx):

listen 443 ssl http2; # Only use http2 if you have a compatible Nginx version.
listen [::]:443 ssl http2; # Only use http2 if you have a compatible Nginx version.

ssl_certificate ssl/domain.com/chain.cer; # full chain installed with --fullchainpath in Step 3
ssl_certificate_key ssl/domain.com/key.key; # private key installed with --keypath in Step 3

ssl_dhparam ssl/dhparam.pem;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';

ssl_prefer_server_ciphers  on;  
ssl_session_timeout  24h;  
ssl_session_tickets off;  
keepalive_timeout 300;  
add_header Strict-Transport-Security "max-age=15768000; includeSubdomains;";  
ssl_stapling on;  
ssl_stapling_verify on;  
ssl_trusted_certificate ssl/chain.pem;  
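The block above works, but two of its settings deserve tightening: `ssl_protocols` still allows TLSv1 and TLSv1.1, and the `ssl_ciphers` list ends with 3DES and plain RSA suites that give no forward secrecy. The following Python script is an added example, not part of the original post or of Nginx: it parses the directives of a TLS server block (both samples are constructed, with the post's cipher list abbreviated to a few representative suites) and reports obsolete protocols, weak or non-PFS suites, a missing or short HSTS header, stapling without a trusted chain, and DHE suites without `ssl_dhparam`, then shows that a tightened block passes clean. The 180-day HSTS floor is a threshold chosen for this check, not a standard; the tightened block keeps TLSv1.2 only because the Nginx and OpenSSL builds shipped with Ubuntu 14.04 predate TLSv1.3.

```python
import re
import shlex

# Constructed excerpt of the Step 4 block, with the post's cipher list
# shortened to four representative suites.
SAMPLE_CONFIG = """
listen 443 ssl http2; # Only use http2 if you have a compatible Nginx version.
ssl_certificate ssl/domain.com/chain.cer;
ssl_certificate_key ssl/domain.com/key.key;
ssl_dhparam ssl/dhparam.pem;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:AES128-SHA:DES-CBC3-SHA:!DSS';
ssl_prefer_server_ciphers on;
ssl_session_tickets off;
add_header Strict-Transport-Security "max-age=15768000; includeSubdomains;";
ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate ssl/chain.pem;
"""

# The same block tightened (constructed): TLSv1.2 only, ECDHE-only suites.
HARDENED_CONFIG = """
listen 443 ssl http2;
ssl_certificate ssl/domain.com/chain.cer;
ssl_certificate_key ssl/domain.com/key.key;
ssl_dhparam ssl/dhparam.pem;
ssl_protocols TLSv1.2;
ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305';
ssl_prefer_server_ciphers on;
ssl_session_tickets off;
add_header Strict-Transport-Security "max-age=15768000; includeSubDomains";
ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate ssl/chain.pem;
"""

LEGACY_PROTOCOLS = {'SSLv2', 'SSLv3', 'TLSv1', 'TLSv1.1'}
WEAK_CIPHER_MARKERS = ('DES-CBC3', 'RC4', 'NULL', 'EXPORT', 'MD5')
MIN_HSTS_AGE = 180 * 24 * 3600  # floor chosen for this check, not a standard


def parse_directives(text):
    """Return [(name, [args...])] for each `name args;` line of an nginx
    block, dropping '#' comments. shlex handles the quoting used here."""
    directives = []
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()
        if not line.endswith(';'):
            continue
        tokens = shlex.split(line[:-1])
        if tokens:
            directives.append((tokens[0], tokens[1:]))
    return directives


def audit_tls_block(text):
    """Return a list of human-readable findings (empty when nothing is flagged)."""
    seen = {}
    for name, args in parse_directives(text):
        seen.setdefault(name, []).append(args)
    findings = []

    for args in seen.get('ssl_protocols', []):
        for proto in args:
            if proto in LEGACY_PROTOCOLS:
                findings.append(f'ssl_protocols: {proto} is obsolete; allow TLSv1.2 '
                                f'(and TLSv1.3 where the build supports it)')

    suites = [s for args in seen.get('ssl_ciphers', []) if args for s in args[0].split(':')]
    for suite in suites:
        if suite[:1] in ('!', '-', '+', '@'):
            continue  # exclusions, ordering modifiers and @STRENGTH-style keywords
        if any(marker in suite for marker in WEAK_CIPHER_MARKERS):
            findings.append(f'ssl_ciphers: {suite} uses a weak or broken primitive')
        elif not suite.startswith(('ECDHE-', 'DHE-', 'EDH-')):
            findings.append(f'ssl_ciphers: {suite} has no forward secrecy')

    hsts = [args for args in seen.get('add_header', [])
            if args and args[0].lower() == 'strict-transport-security']
    if not hsts:
        findings.append('add_header: Strict-Transport-Security is missing')
    else:
        value = hsts[0][1].lower() if len(hsts[0]) > 1 else ''
        age = re.search(r'max-age=(\d+)', value)
        if age is None or int(age.group(1)) < MIN_HSTS_AGE:
            findings.append(f'Strict-Transport-Security: max-age below {MIN_HSTS_AGE}s')
        if 'includesubdomains' not in value:
            findings.append('Strict-Transport-Security: includeSubDomains missing')

    if seen.get('ssl_stapling', [['off']])[0] == ['on'] and 'ssl_trusted_certificate' not in seen:
        findings.append('ssl_stapling on but ssl_trusted_certificate missing: '
                        'stapled OCSP responses cannot be verified')

    if any(s.startswith(('DHE-', 'EDH-')) for s in suites) and 'ssl_dhparam' not in seen:
        findings.append('ssl_dhparam missing while DHE suites are enabled: the default '
                        'DH group is weaker than the 4096-bit one generated in Step 3')
    return findings


if __name__ == '__main__':
    for label, cfg in (('post', SAMPLE_CONFIG), ('hardened', HARDENED_CONFIG)):
        print(f'{label}: {len(audit_tls_block(cfg))} finding(s)')
        for finding in audit_tls_block(cfg):
            print('  -', finding)
```

Run it against the contents of your own server block to get the same report for a live file; the parser only understands the simple `name args;` directives used here, not nested location blocks.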

Finally, restart Nginx and your new certificate should work!

$ sudo service nginx restart

Ramy Talal
