
Tutorial: Installing an SSL Certificate in Nginx


The next step, after successfully installing and configuring a server block in nginx, is to install SSL using Let's Encrypt, which is developed by the Internet Security Research Group (ISRG). You can obtain it for free, and its validity period is one month, or 30 days.

Certbot is a tool that simplifies obtaining and renewing SSL certificates and also manages the use of Let's Encrypt SSL certificates. To use certbot, run the commands below.

$ sudo apt install certbot
$ sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048

The next step is to register an SSL certificate from Let's Encrypt.

$ mkdir -p /var/lib/letsencrypt/.well-known
$ chgrp www-data /var/lib/letsencrypt
$ chmod g+s /var/lib/letsencrypt

Next, create two snippet files, letsencrypt.conf and ssl.conf. Run the command below to create the first file.

$ vim /etc/nginx/snippets/letsencrypt.conf

Then copy the text below into the open text editor.

location ^~ /.well-known/acme-challenge/ {
    allow all;
    root /var/lib/letsencrypt/;
    default_type "text/plain";
    try_files $uri =404;
}

Next, save the changes and run the second command.

$ vim /etc/nginx/snippets/ssl.conf

Then copy the file below into the text editor as well.

ssl_dhparam /etc/ssl/certs/dhparam.pem;

ssl_session_timeout 1d;
ssl_session_cache shared:SSL:50m;
ssl_session_tickets off;

ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
ssl_prefer_server_ciphers on;

ssl_stapling on;
ssl_stapling_verify on;
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 30s;

add_header Strict-Transport-Security "max-age=15768000; includeSubdomains; preload";
add_header X-Frame-Options SAMEORIGIN;
add_header X-Content-Type-Options nosniff;
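
The snippet above still allows TLS 1.0 and TLS 1.1 and includes 3DES (DES-CBC3) and non-forward-secret RSA key-exchange suites. The following hardened ssl.conf is an added example and not part of the original tutorial: it keeps the same directives but restricts nginx to TLS 1.2 and 1.3 with forward-secret AEAD suites, and it assumes nginx 1.13 or newer built against OpenSSL 1.1.1 or newer so that TLSv1.3 is available.

```nginx
# Hardened ssl.conf (added example; assumes nginx >= 1.13 with OpenSSL 1.1.1+)
ssl_dhparam /etc/ssl/certs/dhparam.pem;

ssl_session_timeout 1d;
ssl_session_cache shared:SSL:50m;
ssl_session_tickets off;

# TLS 1.0 and 1.1 are deprecated (RFC 8996); offer only 1.2 and 1.3
ssl_protocols TLSv1.2 TLSv1.3;

# TLS 1.2 list: ECDHE/DHE key exchange with AEAD ciphers only.
# TLS 1.3 suites are chosen by OpenSSL and are not affected by this list.
ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384';

# With an all-strong list the client may pick (e.g. CHACHA20 on mobile)
ssl_prefer_server_ciphers off;

ssl_stapling on;
ssl_stapling_verify on;
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 30s;

# HSTS for two years. 'preload' is omitted: it signals intent to submit the
# domain to browser preload lists, which requires max-age >= 1 year,
# includeSubDomains, and HTTPS on every subdomain. Add it only deliberately.
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains" always;
add_header X-Frame-Options SAMEORIGIN always;
add_header X-Content-Type-Options nosniff always;
```

The `always` parameter makes nginx send these headers on error responses as well, not only on 2xx/3xx.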

Save the configuration, then add the letsencrypt.conf file to the server block for the domain hidayatcode.com.

$ sudo vim /etc/nginx/sites-available/contoh.com

Add the following line of code to that file.

include snippets/letsencrypt.conf;

The configuration will then look like this:

server {
    listen 80;
    server_name hidayatcode.com www.hidayatcode.com;

    include snippets/letsencrypt.conf;
}

Save the configuration and enable the site with the following command.

$ sudo ln -s /etc/nginx/sites-available/contoh.com /etc/nginx/sites-enabled/

If an error message like the one below appears, ignore it and continue to the next step.

ln: failed to create symbolic link '/etc/nginx/sites-enabled/contoh.com': File exists

Restart nginx.

$ sudo systemctl restart nginx

Then run the command below to register the SSL certificate.

$ sudo certbot certonly --agree-tos --email admin@contoh.com --webroot -w /var/lib/letsencrypt/ -d contoh.com -d www.hidayatcode.com

The output will look like the following.

IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/hidayacode.com/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/hidayacode.com/privkey.pem
Your cert will expire on 2019-07-28. To obtain a new or tweaked
version of this certificate in the future, simply run certbot
again. To non-interactively renew *all* of your certificates, run
"certbot renew"
- Your account credentials have been saved in your Certbot
configuration directory at /etc/letsencrypt. You should make a
secure backup of this folder now. This configuration directory will
also contain certificates and private keys obtained by Certbot so
making regular backups of this folder is ideal.
- If you like Certbot, please consider supporting our work by:

Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le

After that, edit the configuration file again.

$ sudo vim /etc/nginx/sites-available/contoh.com

Copy the code below into the text editor and update the file.

server {
    listen 80;
    server_name www.hidayatcode.com hidayatcode.com;

    root /var/www/hidayatcode.com/public_html;

    index index.html;

    include snippets/letsencrypt.conf;

    access_log /var/log/nginx/hidayatcode.com.access.log;
    error_log /var/log/nginx/hidayatcode.com.error.log;

    location / {
        try_files $uri $uri/ =404;
    }

    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl http2;
    server_name www.hidayatcode.com;

    root /var/www/hidayatcode.com/public_html;

    index index.html;

    ssl_certificate /etc/letsencrypt/live/hidayatcode.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/hidayatcode.com/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/hidayatcode.com/chain.pem;
    include snippets/ssl.conf;
    include snippets/letsencrypt.conf;

    return 301 https://hidayatcode.com$request_uri;
}

server {
    listen 443 ssl http2;
    server_name hidayatcode.com;

    root /var/www/hidayatcode.com/public_html;

    index index.html;

    # same certificate as the www block above
    ssl_certificate /etc/letsencrypt/live/hidayatcode.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/hidayatcode.com/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/hidayatcode.com/chain.pem;
    include snippets/ssl.conf;
    include snippets/letsencrypt.conf;

    # . . . other code
}

With the configuration above, the domain hidayatcode.com is forced to use HTTPS, and access via www.hidayatcode.com is redirected to hidayatcode.com (non-www). Save the changes and reload nginx.

$ sudo systemctl reload nginx

Open a browser and visit https://hidayatcode.com. The SSL certificate is valid for 90 days; to renew it automatically we will use certbot.

$ sudo vim /etc/cron.d/certbot

Change the cronjob line as shown below.

0 */12 * * * root test -x /usr/bin/certbot -a \! -d /run/systemd/system && perl -e 'sleep int(rand(3600))' && certbot -q renew --renew-hook "systemctl reload nginx"

Save the changes, and use the following command to test the renewal.

$ sudo certbot renew --dry-run

If there are no errors, the output will look like the one below.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates below have not been saved.)

Congratulations, all renewals succeeded. The following certs have been renewed:
/etc/letsencrypt/live/hidayatcode.com/fullchain.pem (success)
** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates above have not been saved.)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

IMPORTANT NOTES:
- Your account credentials have been saved in your Certbot
configuration directory at /etc/letsencrypt. You should make a
secure backup of this folder now. This configuration directory will
also contain certificates and private keys obtained by Certbot so
making regular backups of this folder is ideal.