Digital Ocean has a complete post on configuring nginx as an HTTPS server, How To Secure Nginx with Let's Encrypt on Ubuntu 14.04, although it is focused on new configurations, which was not my case. Hence, I had to struggle with some minor problems, especially trying to get the certificate from Let's Encrypt as well as getting an A+ grade in a couple of SSL/TLS configuration tests. That is why I've decided to share my experience here.
Assuming you already have a properly configured HTTP website hosted on Digital Ocean, using nginx as the web server in a Linux environment like Ubuntu, with a valid Internet domain name, this is what you need to do:
Steps
1. As usual, update your system.
```
sudo apt-get update
sudo apt-get upgrade
sudo apt-get dist-upgrade
```
2. Install the Let's Encrypt client
```
cd /usr/local/sbin
sudo wget https://dl.eff.org/certbot-auto
sudo chmod a+x /usr/local/sbin/certbot-auto
```
3. Prepare nginx.conf
```
server {
...
location ~ /.well-known {
allow all;
}
...
}
```
Fix: I also had to temporarily comment out the line `try_files $uri $uri/ =404;`, otherwise I received a failure message like `The client lacks sufficient authorization :: Invalid response from ... 404`
```
location / {
# try_files $uri $uri/ =404;
}
```
```
sudo nginx -t
sudo service nginx restart
```
4. Request your website's certificate
Replace /path/to/your/domain, as well as your.domain and www.your.domain, with your website's actual values
```
certbot-auto certonly -a webroot --webroot-path=/path/to/your/domain -d your.domain -d www.your.domain
```
5. If everything went well, now you can check the certificate files
```
sudo ls -l /etc/letsencrypt/live/your.domain
```
6. Diffie-Hellman (DH) groups determine the strength of the key used in the key exchange process, so generate a 2048-bit DH group.
```
sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048
```
7. Configure nginx as an HTTPS server
Replace HTTP with HTTPS
Change
```
listen 80 default_server;
listen [::]:80 default_server ipv6only=on;
```
to
```
listen 443 ssl;
server_name your.domain www.your.domain;
ssl_certificate /etc/letsencrypt/live/your.domain/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/your.domain/privkey.pem;
```
Configuring SSL accurately
```
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_dhparam /etc/ssl/certs/dhparam.pem;
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:50m;
ssl_stapling on;
ssl_stapling_verify on;
add_header Strict-Transport-Security "max-age=15768000; includeSubDomains" always;
```
Fix: After I ran an SSL Server Security Test at https://www.htbridge.com/ssl/, I decided to remove CAMELLIA from the original list of SSL ciphers recommended in the original Digital Ocean post, because according to this test its use does not follow the NIST Guidelines for the Selection, Configuration, and Use of Transport Layer Security (TLS) Implementations.
Enhancement: I've added includeSubDomains and always to the Strict-Transport-Security header.
Finally, redirect all HTTP traffic to HTTPS
```
server {
listen 80;
server_name your.domain www.your.domain;
return 301 https://$host$request_uri;
}
```
```
sudo nginx -t
sudo service nginx restart
```
8. Add a cron job that executes the certbot-auto renew command every Monday at 2:30 am and reloads nginx at 2:35 am (so the renewed certificate is used).
```
sudo crontab -e
```
```
30 2 * * 1 /usr/local/sbin/certbot-auto renew >> /var/log/le-renew.log
35 2 * * 1 /etc/init.d/nginx reload
```
9. Test your configuration.
Digital Ocean recommends running the Qualys SSL Labs Report to check the SSL website's configuration. I found another one, the HT Bridge SSL Server Security Test, which checks NIST and HIPAA standards compliance.
In my case, it was really helpful to have another test review to compare results. These are the links:
* HT Bridge SSL Server Security Test: [https://www.htbridge.com/ssl/](https://www.htbridge.com/ssl/)
* Qualys SSL Labs Report: [https://www.ssllabs.com/ssltest/](https://www.ssllabs.com/ssltest/analyze.html?d=your.domain)
If everything went well, as I hope, your SSL website's configuration will get an A+ grade on both tests without warnings!
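Before handing the site to the external scanners in step 9, it is useful to audit the `ssl_*` directives from step 7 locally, so that a finding (a legacy protocol version, a suite without forward secrecy, a CBC or 3DES suite, a missing HSTS flag) is understood before the report arrives. The script below is an added example, not part of the original post or of Digital Ocean's guide; it runs over a constructed nginx fragment (`SAMPLE_CONF`, a shortened copy of the values above) and assumes single-line directives in the form `name value;`.

```python
import re
# Constructed sample (not a live server config): the ssl_* lines from the post, in nginx syntax.
SAMPLE_CONF = """
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_dhparam /etc/ssl/certs/dhparam.pem;
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA:AES128-GCM-SHA256:AES128-SHA:AES:DES-CBC3-SHA:!aNULL:!eNULL:!RC4:!MD5';
ssl_stapling on;
ssl_stapling_verify on;
add_header Strict-Transport-Security "max-age=15768000; includeSubDomains" always;
"""
def parse_directives(conf):
    """(name, value) pairs for single-line directives; outer quotes stripped."""
    return [(m.group(1), m.group(2).strip().strip("'\""))
            for m in re.finditer(r'^\s*([A-Za-z_]+)\s+(.*?);\s*$', conf, re.M)]

def audit_ciphers(cipher_string):
    """Flag suites without forward secrecy, non-AEAD (CBC) suites and 3DES. Exclusions (!X)
    and ordering keywords (@X) are skipped; a bare alias such as AES counts as non-FS."""
    no_fs, non_aead, tdes = [], [], []
    for suite in cipher_string.split(':'):
        if suite.startswith(('!', '@')):
            continue
        if not (suite.startswith(('ECDHE', 'DHE')) or 'EDH' in suite):
            no_fs.append(suite)          # static RSA key exchange: no forward secrecy
        if 'GCM' not in suite and 'CHACHA' not in suite:
            non_aead.append(suite)       # CBC + HMAC rather than an AEAD mode
        if 'DES-CBC3' in suite or '3DES' in suite:
            tdes.append(suite)
    return no_fs, non_aead, tdes

def audit_hsts(header_value):
    """Parse the add_header argument string into the HSTS policy it sets."""
    m = re.search(r'max-age=(\d+)', header_value)
    return {'max_age': int(m.group(1)) if m else 0,
            'include_subdomains': 'includeSubDomains' in header_value,
            'always': header_value.rstrip().endswith(' always')}  # header also sent on 4xx/5xx

def audit(conf):
    pairs = parse_directives(conf)
    d = dict(pairs)
    no_fs, non_aead, tdes = audit_ciphers(d.get('ssl_ciphers', ''))
    hsts = next((v for k, v in pairs if k == 'add_header' and 'Strict-Transport-Security' in v), '')
    return {'legacy_protocols': [p for p in d.get('ssl_protocols', '').split()
                                 if p in ('SSLv2', 'SSLv3', 'TLSv1', 'TLSv1.1')],
            'no_forward_secrecy': no_fs, 'non_aead': non_aead, 'triple_des': tdes,
            'stapling': d.get('ssl_stapling') == 'on' and d.get('ssl_stapling_verify') == 'on',
            'hsts': audit_hsts(hsts)}
if __name__ == '__main__':
    print(audit(SAMPLE_CONF))
```

Pasting the full `ssl_ciphers` line from step 7 into `SAMPLE_CONF` lists every suite the scanners will rate below the GCM ones, which is the same information the two reports present as warnings.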