Getting and installing a free SSL certificate Let's Encrypt on Bitrix24 Self-Hosted 04.06.2018

Installing the Let's Encrypt SSL-certificate on the Bitrix24 Virtual Machine

1. To get started, let's install Certbot

Log into the server over SSH as root and install Certbot into the folder /usr/local/sbin directly from the EFF site:
$ cd /usr/local/sbin
$ sudo wget https://dl.eff.org/certbot-auto

Next, make the downloaded Certbot script executable:
$ sudo chmod a+x /usr/local/sbin/certbot-auto

2. Now it is time to obtain a certificate.

To obtain a certificate, run Certbot with the following parameters:

$ certbot-auto certonly --webroot --agree-tos --email myemail@domain.com -w /home/bitrix/www/ -d domain.com -d www.domain.com

where:

--webroot - use the webroot plugin: Certbot places the validation files under the site's document root and the running Nginx serves them, which makes validation under Nginx more reliable;
--agree-tos - automatically accept the Terms of Service;
--email myemail@domain.com - your e-mail address. Be careful, as it cannot be changed; it will be needed, for example, to recover access to the account and to renew the certificate;
-w /home/bitrix/www - the root directory of the main site. If you have a multi-site configuration, specify the path to the additional site as well: /home/bitrix/ext_www/
-d domain.com - the -d parameter specifies which domains the certificate is requested for. Start with the second-level domain domain.com and list the subdomains with the same key, for example -d www.domain.com -d crm.domain.com

The Certbot script starts, offers to install additional packages; agree and wait for it to finish.

On success, Certbot congratulates you on the issued certificate and shows the following message:

IMPORTANT NOTES:
 - If you lose your account credentials, you can recover through
   e-mails sent to myemail@domain.com
 - Congratulations! Your certificate and chain have been saved at
   /etc/letsencrypt/live/domain.com/fullchain.pem. Your
   cert will expire on 2019-05-12. To obtain a new version of the
   certificate in the future, simply run Let's Encrypt again.
 - Your account credentials have been saved in your Let's Encrypt
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Let's
   Encrypt so making regular backups of this folder is ideal.
 - If like Let's Encrypt, please consider supporting our work by:


   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le


* - If instead of this message you get the error "Failed to connect to host for DVSNI challenge", configure your firewall so that inbound TCP traffic on ports 80 and 443 is allowed.
** - If you use Cloudflare services for your domain, disable them for the duration of the certificate generation.

3. Nginx configuration

We have received a free SSL certificate valid for 3 months. It remains to configure Nginx and set up automatic renewal of the certificate in cron.

To strengthen the TLS configuration and obtain an A+ score when testing the certificate, generate a Diffie-Hellman parameter group:
$ openssl dhparam -out /etc/nginx/ssl/dhparam.pem 2048

This takes about 2-4 minutes; then proceed to configure Nginx.

Open the file /etc/nginx/bx/conf/ssl.conf and set the paths to the certificate files just obtained:
ssl_certificate         /etc/letsencrypt/live/domain.com/fullchain.pem;
ssl_certificate_key     /etc/letsencrypt/live/domain.com/privkey.pem; 

Below are additional Nginx options that allow you to get an A+ score when checking the certificate on SSL Analyzer:

# SSL encryption parameters
ssl                     on;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
ssl_prefer_server_ciphers on;

# HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
add_header Strict-Transport-Security max-age=15768000;

# OCSP Stapling ---
# fetch OCSP records from URL in ssl_certificate and cache them
ssl_stapling on;
resolver 8.8.4.4 8.8.8.8 valid=600s;
ssl_stapling_verify on;
ssl_dhparam             /etc/nginx/ssl/dhparam.pem;

ssl_certificate         /etc/letsencrypt/live/domain.com/fullchain.pem;
ssl_certificate_key     /etc/letsencrypt/live/domain.com/privkey.pem;

# performance
ssl_session_cache       shared:SSL:10m;
ssl_session_timeout     10m;

* - the ssl_ciphers value must be a single quoted string on one line, as shown above; if it appears wrapped after the colons in your copy, join the lines.

Save the changes and test the Nginx configuration:

$ nginx -t
$ curl https://domain.com:443

If there are no errors, restart Nginx:

$ service nginx reload

Check the newly installed certificate on the SSL Analyzer service - https://www.ssllabs.com/ssltest/
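Before running the external test, you can check the ssl.conf itself. The following linter is an added example written for this article (not Bitrix's or Certbot's code): it parses a constructed copy of the configuration above and reports the settings that TLS checkers flag today, such as TLS 1.0/1.1 and 3DES suites, a cipher list still wrapped across lines, or ssl_certificate not pointing at fullchain.pem.

```python
# Added example, not from the article, Bitrix or Certbot: lint an Nginx ssl.conf
# of the kind shown above for the issues a reviewer would flag. Stdlib only.
# Constructed sample: the article's ssl.conf, shortened, keeping TLS 1.0/1.1 and a 3DES suite.
SAMPLE_CONF = """
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:DES-CBC3-SHA:!DSS';
# HSTS (15768000 seconds = 6 months)
add_header Strict-Transport-Security max-age=15768000;
ssl_stapling on;
resolver 8.8.4.4 8.8.8.8 valid=600s;
ssl_stapling_verify on;
ssl_dhparam /etc/nginx/ssl/dhparam.pem;
ssl_certificate /etc/letsencrypt/live/domain.com/fullchain.pem;
"""


def parse_directives(text):
    """Map directive name -> list of argument lists ('#' lines dropped, ';' ends a statement)."""
    body = "\n".join(line for line in text.splitlines() if not line.strip().startswith("#"))
    directives = {}
    for stmt in body.split(";"):
        tokens = stmt.split()
        if tokens:
            directives.setdefault(tokens[0], []).append([t.strip("'\"") for t in tokens[1:]])
    return directives


def lint_ssl_conf(text):
    """Return a list of findings; an empty list means the config passes these checks."""
    d = parse_directives(text)
    findings = []
    protocols = {p for args in d.get("ssl_protocols", []) for p in args}
    findings += [f"deprecated protocol enabled: {p}" for p in ("SSLv3", "TLSv1", "TLSv1.1") if p in protocols]
    for args in d.get("ssl_ciphers", []):
        if len(args) != 1:  # value wrapped across lines without one closing quote, as in the listing
            findings.append("ssl_ciphers must be one quoted argument; join the wrapped lines")
        findings += [f"weak cipher suite enabled: {s}" for s in ":".join(args).split(":") if "DES-CBC3" in s]
    cert = d.get("ssl_certificate", [[]])[0]
    if not (cert and cert[0].endswith("fullchain.pem")):
        findings.append("ssl_certificate should point at fullchain.pem (chain is needed for stapling)")
    if ["on"] in d.get("ssl_stapling", []) and ("resolver" not in d or ["on"] not in d.get("ssl_stapling_verify", [])):
        findings.append("OCSP stapling needs 'resolver' and 'ssl_stapling_verify on'")
    if "ssl_dhparam" not in d:
        findings.append("ssl_dhparam missing; generate it with openssl dhparam as above")
    hsts = [a for a in d.get("add_header", []) if a and a[0] == "Strict-Transport-Security"]
    max_age = next((int(a.split("=")[1]) for a in hsts[0] if a.startswith("max-age=")), 0) if hsts else 0
    if max_age < 15768000:  # the six-month value the article uses
        findings.append("HSTS header missing or max-age shorter than 6 months")
    return findings


if __name__ == "__main__":
    print(*lint_ssl_conf(SAMPLE_CONF), sep="\n")
```

Run it against the real /etc/nginx/bx/conf/ssl.conf by reading the file into lint_ssl_conf; an empty result means none of these checks fired.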

4. Automatic certificate renewal

For automatic certificate renewal, add the Certbot renewal command to the crontab:
$ nano /etc/crontab

Add lines:
30 2 * * 1 /usr/local/sbin/certbot-auto renew >> /var/log/le-renew.log  
35 2 * * 1 /etc/init.d/nginx reload

Now every Monday at 2:30 our certificates will be renewed automatically and the result logged. At 2:35, after the renewal, the Nginx configuration is reloaded.

You can manually renew the certificates with the following command:
$ certbot-auto renew 

Since the certificates already exist, Certbot simply renews them.

After that, you can switch all traffic to HTTPS through this link.
