Obtaining and configuring a TLS/SSL certificate for Nginx

1 . Install the Let's Encrypt client

$ sudo apt-get update && sudo apt-get install letsencrypt

2 . Obtain the SSL certificate

Add the following location block to the server block so the ACME webroot challenge can be served over plain HTTP.

$ sudo vim /etc/nginx/sites-available/
        location ~ /.well-known {
                allow all;
        }


$ sudo nginx -t && sudo nginx -s reload
$ sudo letsencrypt certonly -a webroot --webroot-path=/var/www/html/ -d
 - If you lose your account credentials, you can recover through
   e-mails sent to
 - Congratulations! Your certificate and chain have been saved at
   /etc/letsencrypt/live/ Your
   cert will expire on 2017-03-01. To obtain a new version of the
   certificate in the future, simply run Let's Encrypt again.
 - Your account credentials have been saved in your Let's Encrypt
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Let's
   Encrypt so making regular backups of this folder is ideal.
 - If you like Let's Encrypt, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:
   Donating to EFF:


$ sudo openssl x509 -in /etc/letsencrypt/live/ -noout -dates
notBefore=Jul 17 07:08:00 2016 GMT
notAfter=Oct 15 07:08:00 2016 GMT

Generating a Diffie-Hellman group

$ sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048


$ echo | openssl s_client -connect 2>/dev/null | openssl x509 -noout -text | head
        Version: 3 (0x2)
        Serial Number:
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3
            Not Before: Dec 19 05:58:00 2016 GMT
            Not After : Mar 19 05:58:00 2017 GMT

3 . nginx configuration

Configuration Snippet

$ sudo vim /etc/nginx/snippets/
ssl_certificate /etc/letsencrypt/live/;
ssl_certificate_key /etc/letsencrypt/live/;
$ sudo vim /etc/nginx/snippets/ssl-params.conf
# from
# and

# TLSv1 and TLSv1.1 are deprecated (RFC 8996); drop them unless legacy clients still require them
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ecdh_curve secp384r1;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off;
ssl_stapling on;
ssl_stapling_verify on;
resolver valid=300s;
resolver_timeout 5s;
add_header Strict-Transport-Security "max-age=63072000; includeSubdomains";
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;

ssl_dhparam /etc/ssl/certs/dhparam.pem;

Configure Nginx for SSL. To redirect port 80 to 443, split the configuration into two server blocks as shown below.

$ sudo vim /etc/nginx/sites-available/
server {

    # SSL configuration
#    listen 443 ssl http2 default_server;
#    listen [::]:443 ssl http2 default_server;
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    include snippets/;
    include snippets/ssl-params.conf;
}
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    return 301 https://$server_name$request_uri;
}

To serve both http and https from one server block, write it as follows.

server {
    listen 80;
    listen [::]:80;
    listen 443 ssl http2;
    listen [::]:443 ssl http2;

    include snippets/;
    include snippets/ssl-params.conf;
}

  • Apply the configuration
$ sudo nginx -t && sudo nginx -s reload
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful


4 . Automatic certificate renewal

$ sudo crontab -e
30 2 * * 1 /usr/bin/letsencrypt renew 2>&1 | tee -a /var/log/le-renew.log
45 2 * * 1 /bin/systemctl reload nginx
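An added check, not part of the original notes, that complements the `openssl x509 -dates` step in section 2 and the cron renewal above: it reports whether a certificate file stays valid for a given number of days, using `openssl x509 -checkend`, so a renewal job that silently stops working is noticed before the site breaks. It assumes openssl is installed; the sample certificate is constructed locally, and the `<domain>` path in the comment is a placeholder.

```shell
#!/bin/sh
# Certificate expiry check (added example; assumes openssl is on PATH).

# cert_ok_for_days FILE DAYS -> exit 0 if FILE remains valid for at least
# DAYS more days, 1 if it expires sooner or is already expired.
# `openssl x509 -checkend` does the date arithmetic, so no date(1) needed.
cert_ok_for_days() {
    file=$1
    days=$2
    seconds=$((days * 86400))
    openssl x509 -in "$file" -noout -checkend "$seconds" >/dev/null 2>&1
}

# report_cert FILE [WARN_DAYS] -> prints the notAfter date and a verdict;
# returns 0 when the certificate is still fine, 1 when it needs renewing.
# Let's Encrypt certificates last 90 days; renewal is expected below 30.
report_cert() {
    file=$1
    warn_days=${2:-30}
    not_after=$(openssl x509 -in "$file" -noout -enddate | sed 's/^notAfter=//')
    if cert_ok_for_days "$file" "$warn_days"; then
        echo "OK: $file valid beyond $warn_days days (expires $not_after)"
        return 0
    fi
    echo "WARN: $file expires within $warn_days days ($not_after); check the letsencrypt renew log"
    return 1
}

# Constructed sample: a throwaway self-signed certificate valid for only
# 10 days, so the warning path fires with the 30-day threshold.
make_sample_cert() {
    dir=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days 10 \
        -subj "/CN=example.test" \
        -keyout "$dir/privkey.pem" -out "$dir/fullchain.pem" >/dev/null 2>&1
    echo "$dir/fullchain.pem"
}

# Usage on a real host (placeholder path, domain elided as in the notes):
#   report_cert /etc/letsencrypt/live/<domain>/fullchain.pem 30
```

Run it from the same cron that runs `letsencrypt renew`, or from monitoring, and alert on a non-zero exit status.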