Install the Let’s Encrypt SSL certificate on the HocVPS Script server

How to install Let's Encrypt SSL certificate on the HocVPS Script server

If your server is using HocVPS Script, follow these step-by-step instructions to install the free Let’s Encrypt SSL certificate and have it renewed automatically.

Let’s Encrypt is a free SSL certificate authority (CA), trusted by many individuals and organizations.

In this article I will guide you step by step through installing the Let’s Encrypt certificate on a server running HocVPS Script (LEMP server, CentOS 6 and 7). If you use shared hosting such as Hawk Host, StableHost, DreamHost or SiteGround, everything is much simpler, as Let’s Encrypt is built right into cPanel and installs in a few clicks. Please refer to the instructions for installing Let’s Encrypt in cPanel.

Let’s Encrypt issues domain-validated (DV) SSL certificates, which means that after installation you get the blue padlock in the browser address bar. Besides Let’s Encrypt, Comodo’s PositiveSSL and GoDaddy’s Standard SSL DV are DV certificates that also have many users.

If the installation is complete but the address bar does not show the green HTTPS padlock, please refer to the tutorial “SSL perfect green”.

Surf safely

Step 1 / Install the Let’s Encrypt certificate

1 / Install Let’s Encrypt

We will clone the source code of Let’s Encrypt to the directory /opt/letsencrypt. This step works the same on CentOS 6 and 7.

# Install Git
yum -y install git

# Clone Let's Encrypt repository
git clone https://github.com/letsencrypt/letsencrypt /opt/letsencrypt

2 / Issue a Let’s Encrypt SSL certificate for the domain

There are many ways to issue a Let’s Encrypt SSL certificate for a domain; I will use the --standalone option.

Until May 2016, Certbot was called letsencrypt or letsencrypt-auto, depending on how it was installed. Some tutorials on the Internet still use the old name; this tutorial uses certbot-auto, but they are the same tool.

If you are using CloudFlare, turn off the IP-hiding proxy before installing Let’s Encrypt by clicking the cloud icon so it switches from gold to gray: the --standalone validator must be able to reach port 80 on your server directly.

# Stop Nginx
service nginx stop

# Issue SSL Let's Encrypt
/opt/letsencrypt/certbot-auto certonly --standalone

Wait a while for certbot-auto to install the tools it needs. Then enter your email address and press Enter.

Accept the terms of service by entering a, then press Enter.

Next, enter the domain name that will use the SSL certificate and press Enter. At this step enter only the non-www and www versions of one domain or subdomain. To add another domain or subdomain later, see the instructions below.

If nothing goes wrong, you will see the message below:

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at
 /etc/letsencrypt/live/howvps.com/fullchain.pem. Your cert will
 expire on 2016-08-23. To obtain a new version of the certificate in
 the future, simply run Certbot again.
 - If you lose your account credentials, you can recover through
 e-mails sent to admin@howvps.com.
 - Your account credentials have been saved in your Certbot
 configuration directory at /etc/letsencrypt. You should make a
 secure backup of this folder now. This configuration directory will
 also contain certificates and private keys obtained by Certbot so
 making regular backups of this folder is ideal.
 - If you like Certbot, please consider supporting our work by:

 Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
 Donating to EFF: https://eff.org/donate-le

Note the two highlighted values:

  1. /etc/letsencrypt/live/howvps.com/: the directory containing the certificate files
  2. 2016-08-23: the certificate expiration date (90 days from the date of issue)

Install a Let’s Encrypt SSL certificate for multiple websites

If you need to install Let’s Encrypt for another domain or subdomain, just run the commands below again and enter that domain:

# Stop Nginx
service nginx stop

# Issue a Let's Encrypt certificate for the new domain
/opt/letsencrypt/certbot-auto certonly --standalone

The new domain gets its own directory under /etc/letsencrypt/live/ containing the certificate files it needs.
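Because the certificate expires after 90 days and the --standalone method above needs port 80 free, renewal has to stop Nginx for a moment and start it again. The script below is an added example, not part of HocVPS Script or the original post; it assumes the tutorial's paths (/opt/letsencrypt/certbot-auto and /etc/letsencrypt/live/<domain>/), certbot's renew command with its --pre-hook/--post-hook options, GNU date as on CentOS, and the Cloudflare proxy switched off as required above.

```shell
#!/bin/sh
# renew-check.sh: added example, not part of HocVPS Script or the original post.
# Assumes the tutorial's paths (certbot-auto in /opt/letsencrypt, certificates under
# /etc/letsencrypt/live/<domain>/) and GNU date. Suggested weekly cron entry:
#   0 3 * * 1 /root/renew-check.sh howvps.com
DOMAIN="${1:-howvps.com}"                      # sample domain used in the tutorial
CERT="/etc/letsencrypt/live/$DOMAIN/fullchain.pem"
CERTBOT="/opt/letsencrypt/certbot-auto"
RENEW_BEFORE_DAYS=30                           # certificates are valid for 90 days

# Whole days from "$1" to "$2" (date strings GNU date understands).
# Negative means "$2" is already in the past, i.e. the certificate has expired.
days_between() {
	from=$(date -u -d "$1" +%s) || return 1
	to=$(date -u -d "$2" +%s) || return 1
	echo $(( (to - from) / 86400 ))
}

# Days left on certificate file "$1", counted from "$2" (default: now).
cert_days_left() {
	not_after=$(openssl x509 -noout -enddate -in "$1" | sed 's/^notAfter=//')
	[ -n "$not_after" ] || return 1
	days_between "${2:-now}" "$not_after"
}

# Renew once RENEW_BEFORE_DAYS or fewer remain (or the certificate already expired).
should_renew() {
	[ "$1" -le "$RENEW_BEFORE_DAYS" ]
}

# --standalone needs port 80, which Nginx holds, so stop Nginx only for the renewal.
# As in the tutorial, the Cloudflare proxy (gold cloud) must be off for this to work.
renew_standalone() {
	"$CERTBOT" renew --pre-hook "service nginx stop" --post-hook "service nginx start"
}

main() {
	if [ ! -r "$CERT" ]; then
		echo "no readable certificate at $CERT" >&2
		return 0
	fi
	days=$(cert_days_left "$CERT") || return 1
	echo "$DOMAIN: $days day(s) until expiry"
	if should_renew "$days"; then
		renew_standalone && nginx -t && service nginx reload
	fi
}

main "$@"
```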

Step 2 / Configure Nginx

After we have the certificate files, we edit the Nginx configuration file of the domain. For example, if your domain is howvps.com, the configuration file is /etc/nginx/conf.d/howvps.com.conf.

When you do, remember to replace howvps.com with your domain.
Note: Only configure Nginx after the SSL certificate has been issued successfully; if the certificate files are missing, Nginx will refuse to start.

Create a 2048-bit DH parameters file (only once per VPS)

mkdir -p /etc/nginx/ssl/
openssl dhparam -out /etc/nginx/ssl/dhparam.pem 2048

Edit the domain configuration with the Nano editor

nano /etc/nginx/conf.d/howvps.com.conf

Configure SSL for the main server block

Adjust the second server { ... } block as follows:

+ Change listen 80 default_server; to listen 443 ssl default_server;

+ After server_name howvps.com; add the SSL configuration segment:

	# SSL
	ssl_certificate /etc/letsencrypt/live/howvps.com/fullchain.pem;
	ssl_certificate_key /etc/letsencrypt/live/howvps.com/privkey.pem;
	# TLSv1/TLSv1.1 and the 3DES suites are only kept for very old clients; drop them if you do not need them
	ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
	ssl_prefer_server_ciphers on;
	ssl_ciphers EECDH+CHACHA20:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5;

	# Improve HTTPS performance with session resumption
	ssl_session_cache shared:SSL:50m;
	ssl_session_timeout 1d;

	# DH parameters
	ssl_dhparam /etc/nginx/ssl/dhparam.pem;
	# Enable HSTS
	add_header Strict-Transport-Security "max-age=31536000" always;

Redirect all HTTP traffic (www and non-www) to HTTPS

In the server { ... } block at the top:

+ Change server_name www.howvps.com; to server_name howvps.com www.howvps.com;

+ Change rewrite ^(.*) http://howvps.com$1 permanent; to rewrite ^(.*) https://howvps.com$1 permanent;

The result is as follows:

server {
	listen 80;
	server_name howvps.com www.howvps.com;
	rewrite ^(.*) https://howvps.com$1 permanent;
}

Now visiting http://howvps.com or http://www.howvps.com redirects automatically to https://howvps.com.

Redirect https://www to the non-www HTTPS site:

Add a new server { ... } block at the top:

server {
	listen 443 ssl;
	server_name www.howvps.com;

	# SSL
	ssl_certificate /etc/letsencrypt/live/howvps.com/fullchain.pem;
	ssl_certificate_key /etc/letsencrypt/live/howvps.com/privkey.pem;
	ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
	ssl_prefer_server_ciphers on;
	ssl_ciphers EECDH+CHACHA20:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5;

	rewrite ^(.*) https://howvps.com$1 permanent;
}

Now visiting https://www.howvps.com redirects automatically to https://howvps.com.

Configure SSL for the HocVPS Admin Script management port

Note:

  • Only do this for the main domain on which HocVPS was installed; do NOT do it for secondary domains.
  • This step is optional. If you use Cloudflare with the IP-hiding cloud enabled, skip it and access the HocVPS Admin Script area via http://IP:port instead.
  • For example, with the default port 2018, find the last server { ... } block in the domain’s .conf file, the one containing the listen 2018; line.

Configure SSL for the HocVPS port as follows:

server {
	listen 2018 ssl;

	access_log        off;
	log_not_found     off;
	# note: "error_log off" does not disable logging, it writes to a file named "off"; the full config below uses a real path
	error_log         off;

	root /home/howvps.com/private_html;
	index index.php index.html index.htm;
	server_name howvps.com;

	# 497 = plain HTTP sent to the HTTPS port: redirect it to HTTPS
	error_page 497 https://$server_name:$server_port$request_uri;

	ssl_certificate /etc/letsencrypt/live/howvps.com/fullchain.pem;
	ssl_certificate_key /etc/letsencrypt/live/howvps.com/privkey.pem;
	ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
	ssl_prefer_server_ciphers on;
	ssl_ciphers EECDH+CHACHA20:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5;

	auth_basic "Restricted";
	auth_basic_user_file /home/howvps.com/private_html/hocvps/.htpasswd;

	...

Now access the HocVPS Admin Script via https://domain.com:2018

The final Nginx configuration file will look like the following:

server {
	listen 443 ssl;
	server_name www.howvps.com;

	# SSL
	ssl_certificate /etc/letsencrypt/live/howvps.com/fullchain.pem;
	ssl_certificate_key /etc/letsencrypt/live/howvps.com/privkey.pem;
	ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
	ssl_prefer_server_ciphers on;
	ssl_ciphers EECDH+CHACHA20:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5;

	rewrite ^(.*) https://howvps.com$1 permanent;
}

server {
	listen 80;
	server_name howvps.com www.howvps.com;
	rewrite ^(.*) https://howvps.com$1 permanent;
}

server {
	listen 443 ssl default_server;

	# access_log off;
	access_log /home/howvps.com/logs/access.log;
	# error_log off;
	error_log /home/howvps.com/logs/error.log;

	root /home/howvps.com/public_html;
	index index.php index.html index.htm;
	server_name howvps.com;

	# SSL
	ssl_certificate /etc/letsencrypt/live/howvps.com/fullchain.pem;
	ssl_certificate_key /etc/letsencrypt/live/howvps.com/privkey.pem;
	ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
	ssl_prefer_server_ciphers on;
	ssl_ciphers EECDH+CHACHA20:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5;

	# Improve HTTPS performance with session resumption
	ssl_session_cache shared:SSL:50m;
	ssl_session_timeout 1d;

	# DH parameters
	ssl_dhparam /etc/nginx/ssl/dhparam.pem;
	# Enable HSTS
	add_header Strict-Transport-Security "max-age=31536000" always;

	location / {
		try_files $uri $uri/ /index.php?$args;
	}

	# Custom configuration
	include /home/howvps.com/public_html/*.conf;

	location ~ \.php$ {
		fastcgi_split_path_info ^(.+\.php)(/.+)$;
		include /etc/nginx/fastcgi_params;
		fastcgi_pass 127.0.0.1:9000;
		fastcgi_index index.php;
		fastcgi_connect_timeout 1000;
		fastcgi_send_timeout 1000;
		fastcgi_read_timeout 1000;
		fastcgi_buffer_size 256k;
		fastcgi_buffers 4 256k;
		fastcgi_busy_buffers_size 256k;
		fastcgi_temp_file_write_size 256k;
		fastcgi_intercept_errors on;
		fastcgi_param SCRIPT_FILENAME /home/howvps.com/public_html$fastcgi_script_name;
	}
	location /nginx_status {
		stub_status on;
		access_log   off;
		allow 127.0.0.1;
		deny all;
	}
	location /php_status {
		fastcgi_pass 127.0.0.1:9000;
		fastcgi_index index.php;
		fastcgi_param SCRIPT_FILENAME /home/howvps.com/public_html$fastcgi_script_name;
		include /etc/nginx/fastcgi_params;
		allow 127.0.0.1;
		deny all;
	}
	# Disable .htaccess and other hidden files
	location ~ /\.(?!well-known).* {
		deny all;
		access_log off;
		log_not_found off;
	}
	location = /favicon.ico {
		log_not_found off;
		access_log off;
	}
	location = /robots.txt {
		allow all;
		log_not_found off;
		access_log off;
	}
	# note: an add_header inside a location replaces the add_header set at server level,
	# so the HSTS header above is not sent for these static files unless repeated here
	location ~* \.(3gp|gif|jpg|jpeg|png|ico|wmv|avi|asf|asx|mpg|mpeg|mp4|pls|mp3|mid|wav|swf|flv|exe|zip|tar|rar|gz|tgz|bz2|uha|7z|doc|docx|xls|xlsx|pdf|iso|eot|svg|ttf|woff)$ {
		gzip_static off;
		add_header Pragma public;
		add_header Cache-Control "public, must-revalidate, proxy-revalidate";
		access_log off;
		expires 30d;
		break;
	}

	location ~* \.(txt|js|css)$ {
		add_header Pragma public;
		add_header Cache-Control "public, must-revalidate, proxy-revalidate";
		access_log off;
		expires 30d;
		break;
	}
}

server {
	listen 2018 ssl;

	access_log        off;
	log_not_found     off;
	error_log /home/howvps.com/logs/nginx_error.log;

	root /home/howvps.com/private_html;
	index index.php index.html index.htm;
	server_name howvps.com;

	error_page 497 https://$server_name:$server_port$request_uri;

	ssl_certificate /etc/letsencrypt/live/howvps.com/fullchain.pem;
	ssl_certificate_key /etc/letsencrypt/live/howvps.com/privkey.pem;
	ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
	ssl_prefer_server_ciphers on;
	ssl_ciphers EECDH+CHACHA20:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5;

	auth_basic "Restricted";
	auth_basic_user_file /home/howvps.com/private_html/hocvps/.htpasswd;

	location / {
		autoindex on;
		try_files $uri $uri/ /index.php;
	}

	location ~ \.php$ {
		fastcgi_split_path_info ^(.+\.php)(/.+)$;
		include /etc/nginx/fastcgi_params;
		fastcgi_pass 127.0.0.1:9000;
		fastcgi_index index.php;
		fastcgi_connect_timeout 1000;
		fastcgi_send_timeout 1000;
		fastcgi_read_timeout 1000;
		fastcgi_buffer_size 256k;
		fastcgi_buffers 4 256k;
		fastcgi_busy_buffers_size 256k;
		fastcgi_temp_file_write_size 256k;
		fastcgi_intercept_errors on;
		fastcgi_param SCRIPT_FILENAME /home/howvps.com/private_html$fastcgi_script_name;
	}

	location ~ /\. {
		deny all;
	}
}

Configure SSL for a non-primary domain in HocVPS Script:

  • Do not configure the HocVPS Admin port.
  • Leave out the default_server parameter after listen 443 (only one server block per port may be the default).

To use together with the Cloudflare CDN (gold cloud icon):

  • Set SSL to Full (strict) in the Crypto menu of the Cloudflare dashboard.
  • Skip the HocVPS Admin SSL section; access HocVPS Admin via ip:port instead.
  • In this setup the Let’s Encrypt certificate cannot be renewed automatically, because the standalone validator cannot reach your server through the proxy; renew it manually every 3 months.

Check the Nginx configuration

nginx -t

Output like the following means the configuration is OK:

nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

Restart the Nginx service

service nginx restart

Now access the domain to enjoy the results.
