I once had to install an SSL cert for a client and it was a royal PITA. I purchased the cert from Comodo, they emailed me the cert, and I then had to figure out the cryptic way of installing it. I was using OpenShift to host the site and have since moved to DigitalOcean, and I urge you to do the same, because it's rad.
Back then I didn't know about Let's Encrypt's free SSL certs and tooling. I also would have never thought that a free cert would be easy to install, but OMG it was one of the sexiest installs I've ever done. It was fast, hosted and kept up to date by Ubuntu's apt, and dead easy.
I followed DigitalOcean's tutorial and it worked like a charm. However, you'll also want to add a CAA DNS entry, which the tutorial didn't cover but I'll show you how.
Ensure SSL/TCP is open in the Firewall
If you are using ufw then you'll need to open port 443. If 443 doesn't have an Action status of ALLOW then you'll need to add it. (There may also be duplicate rules with (v6) next to them; those are for IP version 6.)
Get yourself a cert
Certbot does all the work for you. Praise open source software!
Certbot will ask you if you want all requests to be HTTPS or to also allow HTTP. Your choice, but ninja pros go with HTTPS for life.
Check out your site with HTTPS, it should work!
Test out your site at ssllabs and see what grade you get.
If you got a B because of weak Diffie-Hellman parameters then you should update them as described in step 5.
Update your Diffie-Hellman Parameters
The following command will create some wizardry and will take some time. It's fun to watch the output, because crazy smart people are making stuff happen. Watch in awe, it should look something like this:
Edit your Nginx config, which will be in /etc/nginx/sites-available/, and paste the param into the server block.
Make sure you didn't screw up your config by validating it.
If your config is valid then reload Nginx.
Test your site again at ssllabs and you should have that highly coveted A grade.
Set up auto renewal
Add a cron job to renew any cert that is going to expire in less than 30 days.
Add the following line to the bottom of the file.
Your SSL cert is all set up and will auto renew. Huzzah!
When you tested your cert at ssllabs did you notice DNS CAA failed?
That's because you need to add a CAA DNS record.
What is a CAA DNS entry?
It says which certificate authority is allowed to issue certs for your site.
This is a relatively new DNS record that no one took notice of until this very second. Seriously, the time this post goes live is when the CA/Browser Forum adds it to their baseline requirements.
Go to your DNS provider and add a CAA record.
You can choose to do a wildcard for your domain so that all subdomains will also be certified by the same authority. I would assume most sites want this, so this is how you do it.
This says that your-awesome-site.com and all subdomains use letsencrypt.org as the SSL cert authority.
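As an added example (not from the original post or DigitalOcean's tutorial), here is a small POSIX shell checker that reads CAA records in the format dig prints and decides whether a given CA is authorised to issue for the name; the sample records and domain names are constructed, and the separate "issuewild" tag it handles is the one that governs wildcard certificates.

```shell
# Added example, not from the original post: decide from a domain's CAA
# records whether a given CA may issue a certificate for it. Rules applied:
#   - issuewild falls back to the issue records when no issuewild exists
#   - no issue/issuewild records at all means CAA imposes no restriction
#   - a value of ";" means no CA at all may issue
# Records are expected in the format `dig CAA <name>` prints:
#   name. TTL IN CAA <flags> <tag> "<value>"

# Constructed sample answer for the post's placeholder domain.
SAMPLE_RECORDS='your-awesome-site.com. 3600 IN CAA 0 issue "letsencrypt.org"
your-awesome-site.com. 3600 IN CAA 0 issuewild ";"
your-awesome-site.com. 3600 IN CAA 0 iodef "mailto:hostmaster@your-awesome-site.com"'

# caa_values RECORDS TAG -> prints the lower-cased CA domain of every record
# carrying TAG; quotes and any ";param=value" suffix are stripped, and an
# empty value (the ";" form) is printed as ";" so it is still counted.
caa_values() {
    printf '%s\n' "$1" | awk -v tag="$2" '
        $4 == "CAA" && $6 == tag {
            v = ""
            for (i = 7; i <= NF; i++) v = v " " $i   # value may contain spaces
            gsub(/"/, "", v); sub(/;.*/, "", v); gsub(/[ \t]/, "", v)
            print tolower(v == "" ? ";" : v)
        }'
}

# caa_allows RECORDS CA [issuewild] -> exit 0 if CA may issue, 1 otherwise.
# Pass "issuewild" as the third argument to check a wildcard certificate.
caa_allows() {
    records=$1; tag=${3:-issue}
    ca=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    vals=$(caa_values "$records" "$tag")
    if [ "$tag" = issuewild ] && [ -z "$vals" ]; then
        vals=$(caa_values "$records" issue)
    fi
    [ -z "$vals" ] && return 0        # no relevant records: anyone may issue
    for v in $vals; do
        [ "$v" = "$ca" ] && return 0
    done
    return 1
}

for name in letsencrypt.org digicert.com; do
    if caa_allows "$SAMPLE_RECORDS" "$name"; then
        echo "$name: may issue for your-awesome-site.com"
    else
        echo "$name: blocked by CAA"
    fi
done
```

To check a real zone, feed it the answer section of `dig +noall +answer CAA your-awesome-site.com` instead of SAMPLE_RECORDS.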