Activating Let’s Encrypt SSL certificate on a site run by Easy Engine

Say we have a site on an Easy Engine v3.7.4 setup that is not encrypted. We want to get it running over HTTPS, right?

Let’s Encrypt seems to be the fastest, easiest and cheapest way to go. So here we go, the command is rather simple:

ee site update my.site-domain.com --letsencrypt

Well, that’s cool, but we might get an error stating that:

Unable to setup, Let's Encrypt
Please make sure that your site is pointed to 
same server on which you are running Let's Encrypt Client 
 to allow it to verify the site automatically.

It sometimes helps to look at the logs:

tail -n100 /var/log/ee/ee.log

If we don’t quite have a clue what’s going on there, there are several things we should try fixing or doing:

  1. Create a CNAME for the www subdomain of your domain, pointing to the same server. If you can’t access your site on the same server both with and without www, then Easy Engine won’t install Let’s Encrypt at all.
  2. Install Let’s Encrypt. Yes, seriously, it might be the case that Easy Engine didn’t install it. Here is the command for this:
    • apt-get install letsencrypt
  3. Get your locales straight. I didn’t believe this could be yet another reason for blocking Easy Engine’s command from finishing correctly, but it actually was:
    • locale-gen en_US en_US.UTF-8
    • dpkg-reconfigure locales

Doing all of these should raise your chances of a successful installation of Let’s Encrypt for the website. This might not be the end of your sufferings, though. Restart your web server and have a look at your site:

service nginx restart

If Chrome gives you ERR_SPDY_INADEQUATE_TRANSPORT_SECURITY on https, and on http you are missing all local resources (apart from the HTML and probably some remote scripts or images from a CDN), or Firefox shows more or less the same behaviour with the error NS_ERROR_NET_INADEQUATE_SECURITY, then you need to do one more thing. Add some funny-looking lines to your ssl.conf file:

nano /var/www/my.site-domain.com/conf/nginx/ssl.conf

There would be several lines of stuff there. Something like this:

listen 443 ssl http2;
ssl on;
ssl_certificate /etc/letsencrypt/live/my.site-domain.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/my.site-domain.com/privkey.pem;

Well, this is obviously not enough, is it now? Let’s add this:

ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
ssl_ecdh_curve secp384r1;
ssl_session_tickets off;
ssl_stapling on;
ssl_stapling_verify on;
resolver_timeout 5s;
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
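Both browser errors above mean the client refused to run HTTP/2 over the TLS parameters the server negotiated, which is why the ssl_ciphers line is the part that fixes them. As an added check, not code from the original post or from Easy Engine, here is a small linter that reads a flat ssl.conf fragment and flags the settings behind that failure, plus two caveats a practitioner would want about the block above: TLSv1 and TLSv1.1 are deprecated protocols, and ssl_stapling only works when a resolver directive is also set. The two sample configs are constructed copies of the before and after blocks on this page; the parser assumes simple `name args;` lines and ignores nested blocks.

```python
import re

# OpenSSL cipher-string tokens that select suites HTTP/2 clients reject (RFC 7540
# Appendix A blacklists CBC, RC4 and export-grade suites; the page's fix keeps GCM only).
WEAK_CIPHER_TOKENS = {"RC4", "3DES", "DES", "MD5", "NULL", "aNULL", "eNULL", "EXPORT", "EXP", "LOW"}
LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}


def parse_directives(conf: str) -> dict:
    """Map each flat 'name args;' line to its argument strings; comments and braces are ignored."""
    directives = {}
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line.endswith(";"):
            continue  # blank line, comment, or a block opener/closer
        name, _, args = line[:-1].partition(" ")
        directives.setdefault(name, []).append(args.strip().strip('"'))
    return directives


def audit_ssl_conf(conf: str) -> list:
    """Return findings for an nginx TLS server block; an empty list means nothing was flagged."""
    d = parse_directives(conf)
    findings = []
    if any("http2" in a for a in d.get("listen", [])) and "ssl_ciphers" not in d:
        findings.append("http2 is on but ssl_ciphers is not set: a CBC suite may be negotiated, which HTTP/2 clients reject as inadequate transport security")
    for cipher_string in d.get("ssl_ciphers", []):
        for token in re.split(r"[:+,]", cipher_string):
            if not token.startswith(("!", "-")) and token in WEAK_CIPHER_TOKENS:
                findings.append(f"ssl_ciphers enables weak suites via '{token}'")
    for protos in d.get("ssl_protocols", []):
        legacy = sorted(LEGACY_PROTOCOLS & set(protos.split()))
        if legacy:
            findings.append("ssl_protocols still allows deprecated " + ", ".join(legacy))
    if "on" in d.get("ssl_stapling", []) and "resolver" not in d:
        findings.append("ssl_stapling is on but no resolver directive is set, so nginx cannot look up the OCSP responder")
    return findings


# Constructed samples mirroring the page: the stock Easy Engine ssl.conf and the version
# with the extra lines (trimmed to the ones that matter for the checks above).
BEFORE = """listen 443 ssl http2;
ssl on;
ssl_certificate /etc/letsencrypt/live/my.site-domain.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/my.site-domain.com/privkey.pem;
"""
AFTER = BEFORE + """ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
ssl_stapling on;
resolver_timeout 5s;
"""
```

Run `audit_ssl_conf(AFTER)` to see the two remaining findings; dropping TLSv1/TLSv1.1 from ssl_protocols and adding a resolver line clears them.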

This should do the trick and you should have a smoothly running website under Let’s Encrypt’s protection.


Comments

7 responses to “Activating Let’s Encrypt SSL certificate on a site run by Easy Engine”

  1. Excellent post, thank you very much for sharing. Adding the code below will give you an extra layer of protection; it will block SQL injections

    ## Block SQL injections
    set $block_sql_injections 0;
    if ($query_string ~ "union.*select.*\(") {
        set $block_sql_injections 1;
    }
    if ($query_string ~ "union.*all.*select.*") {
        set $block_sql_injections 1;
    }
    if ($query_string ~ "concat.*\(") {
        set $block_sql_injections 1;
    }
    if ($block_sql_injections = 1) {
        return 403;
    }

    ## Block file injections
    set $block_file_injections 0;
    if ($query_string ~ "[a-zA-Z0-9_]=http://") {
        set $block_file_injections 1;
    }
    if ($query_string ~ "[a-zA-Z0-9_]=(\.\.//?)+") {
        set $block_file_injections 1;
    }
    if ($query_string ~ "[a-zA-Z0-9_]=/([a-z0-9_.]//?)+") {
        set $block_file_injections 1;
    }
    if ($block_file_injections = 1) {
        return 403;
    }

  2. Stefan

    Well, thank you so much for this last solution for NS_ERROR_NET_INADEQUATE_SECURITY.

  3. Binh Phan

    Thanks, you make my day.

  4. I’m happy I’ve helped you, guys 🙂

  5. It’s work 🙂 Thank you..

  6. Thanks so much!
    Works perfectly

  7. Fixed mine! Thanks!!
