Lorem ipsum dolor sit amet, consectetur adipiscing elit. Test link

Tutorial Instal Certificate SSL di Nginx

 


Langkah selanjutnya setelah berhasil menginstal dan mengatur blok server di nginx, kemudian kita akan menginstall ssl atau Let’s Encrypt yang di kembangkan oleh Internet Security Research Group (ISRG) dan kamu dapat memperolehnya secara gatis dan durasi penggunaannya sendiri selama satu bulan atau 30 hari.

Certbot merupakan tool yang mempermudah dan memperpanjang sertifikat ssl dan juga mengatur penggunakan certifikat ssl Let’s Encrypt. Untuk menggunakan chartbot jalankan perintah di bawah ini.

$ sudo apt install certbot
$ sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048

Langkah selanjutnya ialah melakukan pendaftaran sertifikat ssl dari Let’s Encrypt.

$ mkdir -p /var/lib/letsencrypt/.well-known
$ chgrp www-data /var/lib/letsencrypt
$ chmod g+s /var/lib/letsencrypt

Lalu buat dua file snipset  yaitu file letsencrypt.conf dan ssl.conf. Jalankan perintah di bawah ini untuk membuat filenya.

$ vim /etc/nginx/snippets/letsencrypt.conf

Lalu salin file teks di bawah ini ke dalam teks editor yang terbuka.

location ^~ /.well-known/acme-challenge/ {
  allow all;
  root /var/lib/letsencrypt/;
  default_type "text/plain";
  try_files $uri =404;
}

Selanjutnya sevae perubahannya dan jalankan perintah yang kedua.

$ vim /etc/nginx/snippets/ssl.conf

Lalu salin juga file di bawah ini ke dalam teks editor.

ssl_dhparam /etc/ssl/certs/dhparam.pem;

ssl_session_timeout 1d;
ssl_session_cache shared:SSL:50m;
ssl_session_tickets off;

ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
ssl_prefer_server_ciphers on;

ssl_stapling on;
ssl_stapling_verify on;
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 30s;

add_header Strict-Transport-Security "max-age=15768000; includeSubdomains; preload";
add_header X-Frame-Options SAMEORIGIN;
add_header X-Content-Type-Options nosniff;

Save konfigurasinya,  kemudian tambahkan file letsencrypt.conf pada server block milik domain hidayatcode.com.

$ sudo vim /etc/nginx/sites-available/contoh.com

Tambahkan baris kode berikut ke dalam file tersebut.

include snippets/letsencrypt.conf;
Kofigurasinya akan terlihat seperti di bawah ini,
server {
  listen 80;
  server_name example.com www.hidayatcode.com;

  include snippets/letsencrypt.conf;
}
Simpan konfigurasisanya, dan jalankan dengan menggunakan perintah berikut.
$ sudo ln -s /etc/nginx/sites-available/contoh.com /etc/nginx/sites-enabled/
Jika muncul pesan error seperti di bawah ini abaikan, dan lanjutkan ke tahap selanjutnya.
ln: failed to create symbolic link '/etc/nginx/sites-enabled/contoh.com': File exists
Restear nginx.
$ sudo systemctl restart nginx
Setelah itu jalanakan perintah di bawah ini untuk mendaftarkan certifiacate sslnya.
$ sudo certbot certonly --agree-tos --email admin@contoh.com --webroot -w /var/lib/letsencrypt/ -d contoh.com -d www.hidayacode.com
Outputya akan terllihat seperti di bawah ini.
IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/hidayacode.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/hidayacode.com/privkey.pem
   Your cert will expire on 2019-07-28. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le
Setelah itu edit kembali file konfigurasinya.
$ sudo vim /etc/nginx/sites-available/contoh.com
Salin kode di bawah ini ke dalam teks editor dan update.
server {
    listen 80;
    server_name www.hidayatcode.com hidayatcode.com;

    root /var/www/chidayatcode.com/public_html;

    index index.html;

    include snippets/letsencrypt.conf;

    access_log /var/log/nginx/hidayatcode.com.access.log;
    error_log /var/log/nginx/chidayatcode.com.error.log;

    location / {
        try_files $uri $uri/ =404;
    }

    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl http2;
    server_name www.hidayatcode.com;

    root /var/www/hidayatcode.com/public_html;

    index index.html;

    ssl_certificate /etc/letsencrypt/live/hidayatcode.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/hidayatcode.com/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/hidayatcode.com/chain.pem;
    include snippets/ssl.conf;
    include snippets/letsencrypt.conf;

    return 301 https://hidayatcode.com$request_uri;
}

server {
    listen 443 ssl http2;
    server_name hidayatcode.com;

    root /var/www/hidayatcode.com/public_html;

    index index.html;

    ssl_certificate /etc/letsencrypt/live/contoh.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/contoh.com/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/contoh.com/chain.pem;
    include snippets/ssl.conf;
    include snippets/letsencrypt.conf;

    # . . . kode lainnya
}
Kode di atas ialah domain hidayatcode.com di paksa menggunkan sertifikat https redirect akses menggunakan www.hidayatcode.com ke hidayatcode.com (non-www). Simpan perubahan dan reload nginx.
$ sudo systemctl reload nginx
Buka browser dan akses https://hidayatacode.com. Sertifikat ssl berlaku selama 90 hari, untuk membuatnya otomatis perpanjang mak kita kan mengguankan certbot.
$ sudo vim /etc/cron.d/certbot
Ubah baris cronjob seperti di bawah ini.
0 */12 * * * root test -x /usr/bin/certbot -a \! -d /run/systemd/system && perl -e 'sleep int(rand(3600))' && certbot -q renew --renew-hook "systemctl reload nginx"
Save perubahannya, dan untuk mengecekknya gunakan perintah berikut.
$ sudo certbot renew --dry-run
Jika tidak terdapat error maka outputnya seperti di bawah ini.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates below have not been saved.)

Congratulations, all renewals succeeded. The following certs have been renewed:
  /etc/letsencrypt/live/hidayatcode.com/fullchain.pem (success)
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates above have not been saved.)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

IMPORTANT NOTES:
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.

Post a Comment