Installez gratuitement un certificat SSL sur votre domaine

écrit par: ddtraceweb

Nous allons voir comment utiliser certbot pour obtenir gratuitement un certificat ssl.

1 / installer suivant votre plateforme via le domaine suivant l'utilitaire certbot

l'exemple que nous allons voir est fait avec nginx et debian 8.

sudo apt-get install certbot -t jessie-backports

2 - Récupérer le certificat ssl du domaine

sudo certbot certonly --webroot -w /var/host/www -d -d

3 - generer les clés

 sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048

4 - configurer le nginx pour intégrer les certificats

4.1 - création du fichier de configuration

sudo vi /etc/nginx/snippets/

à l'intérieur y insérer les lignes suivantes :

ssl_certificate /etc/letsencrypt/live/; 
ssl_certificate_key /etc/letsencrypt/live/;

4.2 - creation fichier configuration nginx ssl

 sudo vi /etc/nginx/snippets/ssl-params.conf

y insérer ces lignes

# from
# and

ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ecdh_curve secp384r1;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off;
ssl_stapling on;
ssl_stapling_verify on;
resolver valid=300s;
resolver_timeout 5s;
# Disable preloading HSTS for now.  You can use the commented out header line that includes
# the "preload" directive if you understand the implications.
#add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
add_header Strict-Transport-Security "max-age=63072000; includeSubdomains";
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;

ssl_dhparam /etc/ssl/certs/dhparam.pem;

5 - configurer votre nginx pour rediriger le domaine http vers https

server {
  listen      80;
  server_name  ~^www\.example\.(.*)$ ~^example\.(?!com).*$;
  return 301$request_uri;

server {
  listen      443;
  server_name  ~^www\.example\.(.*)$ ~^example\.(?!com).*$;

  include snippets/;
  include snippets/ssl-params.conf;

  return 301$request_uri;

server {
  listen 443 ssl;
  include snippets/;
  include snippets/ssl-params.conf;

  root /var/host/www;

  location / {
    # try to serve file directly, fallback to index.php
    try_files $uri /app.php$is_args$args;

  location ~ ^/app\.php(/|$) {
    fastcgi_pass unix:/var/run/php/php7.1-fpm.sock;
    fastcgi_split_path_info ^(.+\.php)(/.*)$;
    include fastcgi_params;

    # When you are using symlinks to link the document root to the
    # current version of your application, you should pass the real
    # application path instead of the path to the symlink to PHP
    # FPM.
    # Otherwise, PHP's OPcache may not properly detect changes to
    # your PHP files (see
    # for more information).
    fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name;
    fastcgi_param DOCUMENT_ROOT $realpath_root;

    # Prevents URIs that include the front controller. This will 404:
    # http://domain.tld/index.php/some-path
    # Remove the internal directive to allow URIs like this

  # return 404 for all other php files not matching the front controller
  # this prevents access to other php files you don't want to be accessible.
  location ~ \.php$ {
    return 404;

  error_log /var/log/nginx/example_error.log;
  access_log /var/log/nginx/example_access.log;

6 - Mettre en place une crontab pour renouveler le certificat

crontab -e

y insérer cette ligne

30 2 * * * sudo /usr/bin/certbot renew --noninteractive --post-hook "/bin/systemctl reload nginx" >> /var/log/le-renew.log