How to Install a Let's Encrypt SSL Certificate on Laravel Using Nginx on CentOS 8
Let's Encrypt is one of the free SSL (Secure Sockets Layer) certificate providers you can use. It can be installed on a variety of operating systems and web servers, and Certbot can be used to install it.
Below we install a free SSL certificate for Laravel, so make sure Laravel is already installed first; see: How to Install Laravel Using Nginx on CentOS 8.
The steps for installing a Let's Encrypt SSL certificate with the Nginx web server are as follows.
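First, install certbot. Note that EFF no longer supports the certbot-auto script used here; on current systems install the packaged certbot and use it in place of /usr/local/bin/certbot-auto in the commands below.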
[root@tutorial ~]#
[root@tutorial ~]# wget -P /usr/local/bin https://dl.eff.org/certbot-auto
Give certbot execute permission:
[root@tutorial ~]#
[root@tutorial ~]# chmod +x /usr/local/bin/certbot-auto
Generate the Diffie-Hellman parameters with openssl:
[root@tutorial ~]#
[root@tutorial ~]# openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048
Create the Let's Encrypt directory and set its permissions:
[root@tutorial ~]# mkdir -p /var/lib/letsencrypt/.well-known
[root@tutorial ~]# chgrp nginx /var/lib/letsencrypt
[root@tutorial ~]# chmod g+s /var/lib/letsencrypt
Create the snippets directory that will hold the SSL configuration:
[root@tutorial ~]#
[root@tutorial ~]# mkdir /etc/nginx/snippets
Create the Let's Encrypt configuration file used for domain verification:
[root@tutorial ~]# vim /etc/nginx/snippets/letsencrypt.conf
Its contents are as follows:
location ^~ /.well-known/acme-challenge/ {
    allow all;
    root /var/lib/letsencrypt/;
    default_type "text/plain";
    try_files $uri =404;
}
Create the SSL configuration file:
[root@tutorial ~]# vim /etc/nginx/snippets/ssl.conf
The SSL configuration is as follows. In this file you can change or adjust settings such as headers, protocols and so on to suit your SSL setup.
ssl_dhparam /etc/ssl/certs/dhparam.pem;
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
ssl_prefer_server_ciphers off;
ssl_stapling on;
ssl_stapling_verify on;
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 30s;
add_header Strict-Transport-Security "max-age=63072000" always;
add_header X-Frame-Options SAMEORIGIN;
add_header X-Content-Type-Options nosniff;
Edit your server block and add the snippets file:
[root@tutorial ~]#
[root@tutorial ~]# vim /etc/nginx/conf.d/laravel.conf
As follows:
server {
    listen 80;
    server_name laravel.nurhamim.my.id;
    include snippets/letsencrypt.conf;
}
When done, reload Nginx:
[root@tutorial conf.d]#
[root@tutorial conf.d]# systemctl reload nginx
Run the following one-line command to obtain the Let's Encrypt SSL certificate:
[root@tutorial ~]# /usr/local/bin/certbot-auto certonly --agree-tos --email me@nurhamim.my.id --webroot -w /var/lib/letsencrypt/ -d laravel.nurhamim.my.id
Note: change the email and the subdomain or domain to your own.
Make sure the command succeeds, as in the following output:
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/laravel.nurhamim.my.id/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/laravel.nurhamim.my.id/privkey.pem
Your cert will expire on 2020-11-24. To obtain a new or tweaked
version of this certificate in the future, simply run certbot-auto
again. To non-interactively renew *all* of your certificates, run
"certbot-auto renew"
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
- We were unable to subscribe you the EFF mailing list because your
e-mail address appears to be invalid. You can try again later by
visiting https://act.eff.org.
[root@tutorial ~]#
Next, add the SSL configuration to the server block:
[root@tutorial ~]#
[root@tutorial ~]# vim /etc/nginx/conf.d/laravel.conf
Change the server block so that it looks like this:
server {
    listen 80;
    listen 443 ssl http2;
    server_name laravel.nurhamim.my.id;
    root /usr/share/nginx/laravel/public;
    index index.php index.html index.htm;
    #return 301 https://$host$request_uri;
    ssl_certificate /etc/letsencrypt/live/laravel.nurhamim.my.id/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/laravel.nurhamim.my.id/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/laravel.nurhamim.my.id/chain.pem;
    include snippets/ssl.conf;
    include snippets/letsencrypt.conf;
    location / {
        try_files $uri $uri/ /index.php?$query_string;
    }
    location ~ \.php {
        include fastcgi.conf;
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_pass unix:/run/php-fpm/www.sock;
    }
    location ~ /\.ht {
        deny all;
    }
}
Make sure your nginx configuration is correct:
[root@tutorial ~]# nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
[root@tutorial ~]#
When done, reload Nginx and php-fpm:
[root@tutorial ~]#
[root@tutorial ~]# systemctl reload nginx
[root@tutorial ~]# systemctl reload php-fpm
Make sure port 443 (HTTPS) is listening:
[root@tutorial ~]# netstat -tulpn |grep nginx
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 74743/nginx: master
tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN 74743/nginx: master
tcp6 0 0 :::80 :::* LISTEN 74743/nginx: master
[root@tutorial ~]#
Make sure you also allow the port in the firewall on the VM side. Here we use OpenStack, so the firewall rule can be allowed in the security group; adjust this for your own environment.
Access your Laravel URL from a browser to see the result.
To test the SSL score, you can use SSL Labs.
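As a local complement to the SSL Labs test, the following added example (not part of the original tutorial) audits an nginx TLS snippet such as snippets/ssl.conf for the settings configured above. The function name audit_tls_conf, the finding keywords and the two sample configs are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original tutorial: audit an nginx TLS snippet
# read from stdin. Prints one finding per line, nothing if all checks pass.
audit_tls_conf() {
    # Drop comments so a commented-out directive is not treated as active.
    active=$(sed 's/#.*$//')
    has() { printf '%s\n' "$active" | grep -Eq "$1"; }

    # Legacy protocol versions still enabled in ssl_protocols.
    if has '^[[:space:]]*ssl_protocols.*(SSLv[23]|TLSv1(\.1)?([[:space:]]|;))'; then
        echo "legacy-protocol"
    fi
    # nginx only offers DHE suites when ssl_dhparam names a parameter file.
    if has '^[[:space:]]*ssl_ciphers.*[[:space:]:]DHE-' &&
       ! has '^[[:space:]]*ssl_dhparam[[:space:]]'; then
        echo "dhe-without-dhparam"
    fi
    if ! has '^[[:space:]]*add_header[[:space:]]+Strict-Transport-Security'; then
        echo "hsts-missing"
    fi
    # Without "always", nginx omits an add_header field on error responses.
    printf '%s\n' "$active" |
        sed -n 's/^[[:space:]]*add_header[[:space:]]\{1,\}\([A-Za-z-]*\).*/\1 &/p' |
        while read -r name rest; do
            case "$rest" in
                *" always;"*) ;;
                *) echo "not-always:$name" ;;
            esac
        done
    return 0
}

# Constructed samples: the tutorial's ssl.conf (cipher list shortened) and a
# weakened variant of it.
PAGE_CONF='ssl_dhparam /etc/ssl/certs/dhparam.pem;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256;
add_header Strict-Transport-Security "max-age=63072000" always;
add_header X-Frame-Options SAMEORIGIN;
add_header X-Content-Type-Options nosniff;'
WEAK_CONF='#ssl_dhparam /etc/ssl/certs/dhparam.pem;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256;
add_header X-Frame-Options SAMEORIGIN always;'

echo "tutorial ssl.conf:"; printf '%s\n' "$PAGE_CONF" | audit_tls_conf
echo "weakened variant:";  printf '%s\n' "$WEAK_CONF" | audit_tls_conf
```

To check the live file, run `audit_tls_conf < /etc/nginx/snippets/ssl.conf`. On the tutorial's ssl.conf it reports the two headers that lack `always`, which nginx therefore leaves out of error responses.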
Congratulations, your Let's Encrypt SSL certificate for Laravel is now installed.
Good luck 😁