Nginx Configuration Sample

Continuing the discussion from Will/does the letsencrypt client create a cert chain usable with OCSP stapling?:

https://certificate.revocationcheck.com/helloworld.letsencrypt.org shows helloworld.letsencrypt.org is correctly stapling. Note: that machine is running nginx-1.8

When we configured that server, we started from Mozilla’s Server Side TLS Generator and customized it. We also ran the Let’s Encrypt client in standalone mode.

Here’s the server configuration block for helloworld.letsencrypt.org:

server {
    listen 443 ssl;

    ssl_certificate         /etc/letsencrypt/live/helloworld.letsencrypt.org/fullchain.pem;
    ssl_certificate_key     /etc/letsencrypt/live/helloworld.letsencrypt.org/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/helloworld.letsencrypt.org/fullchain.pem;
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:50m;

    # Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
    # Generate with:
    #   openssl dhparam -out /etc/nginx/dhparam.pem 2048
    ssl_dhparam /etc/nginx/dhparam.pem;

    # What Mozilla calls "Intermediate configuration"
    # Copied from https://mozilla.github.io/server-side-tls/ssl-config-generator/
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
    ssl_prefer_server_ciphers on;

    # HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
    add_header Strict-Transport-Security max-age=15768000;

    # OCSP Stapling
    # fetch OCSP records from URL in ssl_certificate and cache them
    ssl_stapling on;
    ssl_stapling_verify on;

    # If you want to specify a DNS resolver for stapling, you can uncomment the below
    # line. If you leave it commented, nginx will use your system resolver, which will probably
    # work just fine!
    # resolver <IP DNS resolver>;
}
4 Likes

You could also post the SSL Config that Let’s encrypt uses in Apache 2.2 on Ubuntu.

That sounds great. I don’t have an Apache config, but if someone reading this wants to contribute one for a specific version of Apache - please do (in its own topic)! I know there’s some tricks as you get into the 2.4.7 / 2.4.8 area with using cert.pem vs fullchain.pem, for example.

Updated: Apache Configuration Example!

1 Like