Reputation: 652
I followed the following tutorial to set up HTTPS for my website on DigitalOcean: https://www.digitalocean.com/community/tutorials/how-to-deploy-a-laravel-application-with-nginx-on-ubuntu-16-04
But, I got stuck at this place - Step 6 — Securing your Application with TLS
include snippets/ssl-example.com.conf;
include snippets/ssl-params.conf;
There are no ssl-*.conf files in my snippets folder to match the lines in the above conf file for TLS. I did not see any other errors up to this point. I can view my site with HTTP, but not HTTPS.
The command sudo nginx -t yields:
nginx: [emerg] open() "/etc/nginx/snippets/ssl-example.com.conf" failed (2: No such file or directory) in /etc/nginx/sites-enabled/example.com:13
Yes, those files aren't there. So, I guess the tutorial skipped the step that generated those files.
The command ls /etc/nginx/snippets yields:
fastcgi-php.conf
snakeoil.conf
Clearly the ssl-*.conf files are missing.
Please help. I tried the DigitalOcean community for help, but didn't receive any help.
Thanks in advance.
Upvotes: 3
Views: 4862
Reputation: 856
Having gone through the same issue and after some deeper security research...
I figured out that when you face this error you're mostly one step behind creating a really secure SSL setup. Whether you pasted a ready-to-use Nginx config or missed a step in your tutorial, it's clear that you don't have an ssl-params.conf file.
But before that, it is highly recommended to create a secure group, so you might as well do that. One of the ways to do that is to use a strong Diffie-Hellman group, which helps ensure that our secure app stays secure.
Run the following command on your server:
sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048
This takes a minute or two (encryption should be hard for some computers), and when it's done you can move on. You'll use the created file in the needed ssl-params.conf.
You need to create the missing file for SSL on your server to hold these settings; if you add another domain to this server, you can reuse them this way. We'll do that with the following command:
sudo nano /etc/nginx/snippets/ssl-params.conf
Inside, you can copy-paste the following settings.
# See https://cipherli.st/ for details on this configuration
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off; # Requires nginx >= 1.5.9
ssl_stapling on; # Requires nginx >= 1.3.7
ssl_stapling_verify on; # Requires nginx >= 1.3.7
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 5s;
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
# Add our strong Diffie-Hellman group
ssl_dhparam /etc/ssl/certs/dhparam.pem;
Save and exit by pressing Control + X, then Y, then Enter.
Upvotes: 0
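A quick audit of a snippet like the one in the answer above, run before reloading Nginx (an added example, not part of the original answer): it flags protocol versions deprecated by RFC 8996, an ssl_dhparam path that does not exist yet, and an HSTS header that opts into preload for all subdomains. The function names and the sample text are constructed for illustration.

```python
import os
import shlex

# TLS 1.0 and 1.1 were formally deprecated by RFC 8996; SSLv2/SSLv3 earlier.
DEPRECATED = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}

# Constructed sample input: lines taken from the ssl-params.conf shown above.
SAMPLE = '''# See https://cipherli.st/ for details on this configuration
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_session_tickets off; # Requires nginx >= 1.5.9
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
add_header X-Frame-Options DENY;
ssl_dhparam /etc/ssl/certs/dhparam.pem;
'''


def parse_directives(text):
    """Map directive name -> list of argument lists (one-line directives only)."""
    found = {}
    for line in text.splitlines():
        tokens = shlex.split(line, comments=True)  # honours quotes and '#'
        if not tokens:
            continue
        tokens[-1] = tokens[-1].rstrip(";")
        found.setdefault(tokens[0], []).append([t for t in tokens[1:] if t])
    return found


def audit(text, exists=os.path.isfile):
    """Return a list of findings for a TLS parameter snippet."""
    conf = parse_directives(text)
    findings = []
    protocols = {p for args in conf.get("ssl_protocols", []) for p in args}
    weak = sorted(protocols & DEPRECATED)
    if weak:
        findings.append("deprecated protocols enabled: " + ", ".join(weak))
    for args in conf.get("ssl_dhparam", []):
        if args and not exists(args[0]):
            findings.append("ssl_dhparam file missing: " + args[0])
    for args in conf.get("add_header", []):
        if len(args) >= 2 and args[0].lower() == "strict-transport-security":
            opts = {o.strip().lower() for o in args[1].split(";")}
            if {"preload", "includesubdomains"} <= opts:
                findings.append("HSTS preload with includeSubDomains: "
                                "confirm every subdomain serves HTTPS")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print("-", finding)
```

To check a real file, pass its contents, for example audit(open("/etc/nginx/snippets/ssl-params.conf").read()).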
Reputation: 652
OK, after researching this for some time, I found the solution myself.
We have to create those files (configuration snippets) ourselves.
We first create the configuration snippet file:
sudo vim /etc/nginx/snippets/ssl-example.com.conf
Then we add in our SSL key and certificate locations inside this file:
ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
Now, we add in the encryption settings to the second snippet file after creating it:
sudo vim /etc/nginx/snippets/ssl-params.conf
The settings can be easily added by following this link.
Once this file is saved, all we have to do is modify the Nginx configuration file.
Upvotes: 5