Let's Encrypt Installation (Ubuntu)

Enabling SSL

Let's Encrypt is a free SSL certificate issuer which allows you to install certificates on your server for use with Deskpro.

These instructions are for Ubuntu and Debian, where the Ubuntu/Debian Deskpro Automated Installer has been used or a Deskpro Virtual Machine is being used.

The server that Deskpro is installed on requires a live internet connection and a domain name that resolves to your installation.

  1. Install Certbot. This is the tool that generates the SSL certificate and renews it on the server.

     $ sudo apt-get update
     $ sudo apt-get install software-properties-common
     $ sudo add-apt-repository ppa:certbot/certbot
     $ sudo apt-get update
     $ sudo apt-get install python-certbot-nginx

  2. Run Certbot and specify your domain name.

     $ sudo certbot --nginx --domain yourhelpdesk.com

  3. You will be presented with the following output. The "Unable to install the certificate" warning is expected, as some manual configuration is still needed to complete the setup.
     - Unable to install the certificate
     - Congratulations! Your certificate and chain have been saved at:
       /etc/letsencrypt/live/yourhelpdesk.com/fullchain.pem
       Your key file has been saved at:
       /etc/letsencrypt/live/yourhelpdesk.com/privkey.pem
       Your cert will expire on 2018-12-23. To obtain a new or tweaked
       version of this certificate in the future, simply run certbot again
       with the "certonly" option. To non-interactively renew *all* of
       your certificates, run "certbot renew"
     - Your account credentials have been saved in your Certbot
       configuration directory at /etc/letsencrypt. You should make a
       secure backup of this folder now. This configuration directory will
       also contain certificates and private keys obtained by Certbot so
       making regular backups of this folder is ideal.

Copy the following two paths (the paths only, not the file contents) into a temporary note, for example in Notepad, as you'll need them in the next configuration stage:-

/etc/letsencrypt/live/yourhelpdesk.com/fullchain.pem ← This is your SSL Certificate

/etc/letsencrypt/live/yourhelpdesk.com/privkey.pem ← This is your private key

Next, you'll need to modify the following file:-

/etc/nginx/conf.d/deskpro.conf

The following changes need to be made:

Original File:

server {
listen 80;
server_name _;

## Config options for nginx + TLS. These settings are from [1], and provide
## a strong cipher list for your server, although old browsers might be
## unable to access the helpdesk. If your install needs to be accessible
## by old browsers, please consult [1] for the adequate cipher lists.
##
## [1] https://cipherli.st/

# listen 443 ssl;

# ssl_certificate /path/to/certificate.crt;
# ssl_certificate_key /path/to/certificate.key;
# ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
# ssl_prefer_server_ciphers on;
# ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
# ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0
# ssl_session_cache shared:SSL:10m;
# ssl_stapling on; # Requires nginx >= 1.3.7
# ssl_stapling_verify on; # Requires nginx >= 1.3.7

Modified File:

server {
    listen 80 default_server;

    server_name _;
    return 301 https://$host$request_uri;

}

    ## Config options for nginx + TLS. These settings are from [1], and provide
    ## a strong cipher list for your server, although old browsers might be
    ## unable to access the helpdesk. If your install needs to be accessible
    ## by old browsers, please consult [1] for the adequate cipher lists.
    ##
    ## [1] https://cipherli.st/

server {

    listen 443 ssl default_server;

    ssl_certificate /etc/letsencrypt/live/yourhelpdesk.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/yourhelpdesk.com/privkey.pem;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
    ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0
    ssl_session_cache shared:SSL:10m;
    ssl_stapling on; # Requires nginx >= 1.3.7
    ssl_stapling_verify on; # Requires nginx >= 1.3.7

This will activate SSL and force all traffic to your helpdesk over HTTPS.

Below is a template which can be copied and pasted over the section from the top of the file to just before the following comment:-

# add_header X-Content-Type-Options nosniff;

server {
    listen 80 default_server;

    server_name _;
    return 301 https://$host$request_uri;

}

    ## Config options for nginx + TLS. These settings are from [1], and provide
    ## a strong cipher list for your server, although old browsers might be
    ## unable to access the helpdesk. If your install needs to be accessible
    ## by old browsers, please consult [1] for the adequate cipher lists.
    ##
    ## [1] https://cipherli.st/

server {

    listen 443 ssl default_server;

    ssl_certificate PATH TO CERTIFICATE FILE FROM THE CERTBOT INSTALLER;
    ssl_certificate_key PATH TO PRIVATE KEY FROM THE CERTBOT INSTALLER;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
    ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0
    ssl_session_cache shared:SSL:10m;
    ssl_stapling on; # Requires nginx >= 1.3.7
    ssl_stapling_verify on; # Requires nginx >= 1.3.7

Finally, you'll need to restart the Web Server using:

service nginx restart

Remember to change the helpdesk URL in your Deskpro admin to use https:// so that links in your helpdesk and e-mails are updated accordingly.
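
A check to run on the edited /etc/nginx/conf.d/deskpro.conf before the restart, added here as an example (it is not Deskpro's code, and the function names `directive`, `check_conf` and `sample_conf` are made up for it). It confirms that the certificate and key lines point at Certbot's fullchain.pem and privkey.pem in the same directory, that the 443 listener and the HTTPS redirect are active, and it warns about TLSv1 and TLSv1.1, which RFC 8996 has deprecated since this page was published.

```shell
#!/bin/sh
# Added example, not Deskpro's code; function names are hypothetical.
# Print the value of directive $1 in file $2; commented-out lines are skipped.
directive() {
    awk -v d="$1" '$1 == d { sub(/^[ \t]*[^ \t]+[ \t]+/, ""); sub(/[ \t]*;.*$/, ""); print }' "$2"
}

# Print findings for config file $1; return 1 if any ERROR was found.
check_conf() {
    conf=$1; rc=0
    cert=$(directive ssl_certificate "$conf")
    key=$(directive ssl_certificate_key "$conf")
    # An unedited template placeholder fails both of these pattern checks.
    case $cert in /*/fullchain.pem) ;;
        *) echo "ERROR: ssl_certificate is not a fullchain.pem path: '$cert'"; rc=1 ;; esac
    case $key in /*/privkey.pem) ;;
        *) echo "ERROR: ssl_certificate_key is not a privkey.pem path: '$key'"; rc=1 ;; esac
    # Certificate and key must come from the same live/<domain>/ directory.
    [ "${cert%/*}" = "${key%/*}" ] || { echo "ERROR: certificate and key directories differ"; rc=1; }
    awk '$1 == "listen" && /443/ && /ssl/ { ok = 1 } END { exit !ok }' "$conf" ||
        { echo "ERROR: no active 'listen 443 ssl' line"; rc=1; }
    awk '$1 == "return" && $2 == "301" && $3 ~ /^https:/ { ok = 1 } END { exit !ok }' "$conf" ||
        { echo "ERROR: no active 301 redirect to https"; rc=1; }
    # TLS 1.0 and 1.1 are deprecated (RFC 8996); report them without failing.
    for p in $(directive ssl_protocols "$conf"); do
        case $p in TLSv1|TLSv1.1) echo "WARN: legacy protocol enabled: $p" ;; esac
    done
    return $rc
}

# Constructed sample: the page's modified file, condensed.
sample_conf() {
    cat <<'EOF'
server {
    listen 80 default_server;
    return 301 https://$host$request_uri;
}
server {
    listen 443 ssl default_server;
    ssl_certificate /etc/letsencrypt/live/yourhelpdesk.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/yourhelpdesk.com/privkey.pem;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
}
EOF
}

# With a path argument check that file; otherwise check the constructed sample.
if [ $# -gt 0 ]; then check_conf "$1"; else
    tmp=$(mktemp) && sample_conf > "$tmp" && check_conf "$tmp"; rm -f "$tmp"
fi
```

This is a text check only; running `sudo nginx -t` before the restart additionally catches syntax errors and certificate files that nginx cannot read.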

Published: 25/09/2018

Last updated: 25/09/2018