Let's Encrypt with Nginx on FreeBSD

Posted on Fri 03 February 2017 in FreeBSD, Let's Encrypt, Nginx

Built a few new servers over the past couple of weeks and decided to try my hand at Let's Encrypt for SSL certs this time around instead of going the traditional route and paying for everything.

# pkg install -y py27-certbot
# service nginx start
# certbot certonly --webroot -w /usr/local/www/my.domain.com/public -d my.domain.com

Now that the certificate has been successfully created, it's time to generate a dhparam file (Diffie-Hellman parameters) to tighten things up a bit and get a better score on the [Qualys SSL Labs SSL Server Test](https://www.ssllabs.com/ssltest/). The config below didn't get me a perfect score, but it did get me an A+. Might get around to seeing what it takes to get 100 points in all areas at some point.

  • Generate dhparam.pem:
# openssl dhparam -out /usr/local/etc/ssl/certs/dhparam.pem 4096
  • Configure SSL for Nginx:
server {
  listen 443 ssl;
  server_name my.domain.com;
  root /usr/local/www/my.domain.com/public;
  index index.php;

  # Protocols and cipher preference; the server's order wins over the client's.
  ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
  ssl_prefer_server_ciphers on;
  # 4096-bit DH parameters generated above, used by the DHE-* suites.
  ssl_dhparam /usr/local/etc/ssl/certs/dhparam.pem;
  ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';

  # Session resumption: one shared 50 MB cache, sessions valid for a day.
  ssl_session_timeout 1d;
  ssl_session_cache shared:SSL:50m;

  # OCSP stapling; nginx needs a working resolver to fetch OCSP responses.
  ssl_stapling on;
  ssl_stapling_verify on;

  # HSTS: browsers use HTTPS only for this host for 15768000 s (about six months).
  add_header Strict-Transport-Security max-age=15768000;

  # Certificate chain and private key written by certbot.
  ssl_certificate /usr/local/etc/letsencrypt/live/my.domain.com/fullchain.pem;
  ssl_certificate_key /usr/local/etc/letsencrypt/live/my.domain.com/privkey.pem;
}
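As an added example (not part of the original post), this Python script audits the ssl_ciphers string from the config above for the things a reviewer checks before submitting a host to SSL Labs: the weakest enabled cipher, suites without forward secrecy, CBC-only suites, and alias tokens (kEDH+AESGCM, AES, CAMELLIA) whose expansion is not visible in the list. The 128-bit threshold and the hint wording are my own reading of the rating guide, not the post's.

```python
"""Audit an nginx ssl_ciphers string before running the SSL Labs test
(added example, not code from the original post)."""
import re

# Cipher string copied from the post's nginx config above.
POST_CIPHERS = "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA"
# Key exchange with ephemeral (EC)DH gives forward secrecy.
PFS_PREFIXES = ("ECDHE-", "DHE-", "kEDH", "kEECDH")

def parse_cipher_string(spec):
    """Split an OpenSSL cipher string into enabled tokens and '!' exclusions."""
    enabled, excluded = [], []
    for token in filter(None, (t.strip() for t in spec.split(":"))):
        (excluded if token.startswith("!") else enabled).append(token.lstrip("!"))
    return enabled, excluded

def cipher_bits(suite):
    """Strength of one explicit suite; None for an alias ('AES', 'kEDH+AESGCM')."""
    if "DES-CBC3" in suite:
        return 112  # triple DES: 168-bit key, 112 bits effective strength
    m = re.search(r"(?:AES|CAMELLIA)(128|256)", suite)
    return int(m.group(1)) if m else None

def audit(spec):
    """Collect the properties a reviewer checks before submitting to SSL Labs."""
    enabled, excluded = parse_cipher_string(spec)
    suites = [s for s in enabled if cipher_bits(s) is not None]
    return {
        "explicit_suites": len(suites),
        "excluded": excluded,
        # Aliases hide the real list; expand them with: openssl ciphers -v '<string>'
        "aliases": [s for s in enabled if cipher_bits(s) is None],
        "non_forward_secret": [s for s in suites if not s.startswith(PFS_PREFIXES)],
        "cbc_suites": [s for s in suites if "GCM" not in s],
        "weakest_bits": min((cipher_bits(s) for s in suites), default=None),
    }

def hardening_hints(report):
    """Plain-language findings derived from audit(); an empty list means nothing flagged."""
    hints = []
    if report["weakest_bits"] is not None and report["weakest_bits"] < 128:
        hints.append("drop 3DES (DES-CBC3-SHA): it sets the weakest-cipher score")
    if report["non_forward_secret"]:
        hints.append("drop static-RSA suites: they offer no forward secrecy")
    if report["aliases"]:
        hints.append("replace alias tokens with explicit suite names")
    return hints

if __name__ == "__main__":
    print(audit(POST_CIPHERS), hardening_hints(audit(POST_CIPHERS)), sep="\n")
```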