How to enable TLS 1.3 in Nginx service of Linux Cloud Servers (without Cipher Suites included)

2020-05-11 By Aaron 7854 Views linux tls nginx security
69 reviews

Transportation Layer Security (TLS) is a cryptographic protocol and it provides the security for the delivery of data over the internet. TLS 1.3 is faster than TLS 1.2 because the handshake for TLS 1.3 is reduced to just one round-trip.

This can easily be enabled in a Linux-based server. This guide outlines the basic steps involved in a Linux server (provided Nginx service is already installed in the server).


Ubuntu


Requirements:

  1. Server running on Ubuntu 18.04.

  2. A valid domain name and properly configured A/AAAA/CNAME DNS records.

  3. A valid TLS certificate. Here using from Let’s encrypt.

  4. Nginx version 1.13.0 or greater.

  5. OpenSSL version 1.1.1 or greater.


Before the beginning:

  1. Check the ubuntu version by using the below command.

    # lsb_release -ds
    

    tlsnginx1

  2. By using the below command ensure that the server is up to date.

    # apt update && sudo apt upgrade
    

    tlsnginx2

  3. Install the needed packages by using the below command.

    # apt install build-essential socat git curl gnupg2 ca-certificates lsb-release
    

    tlsnginx3


Step A - Install the acme.sh client and obtain a TLS certificate from Let's Encrypt.

acme.sh is used to install, renew and remove SSL certificates and it is written purely in Shell (Unix shell) language, compatible with bash, dash, and sh shells.

  1. Install acme.sh with the below commands.

    # git clone https://github.com/acmesh-official/acme.sh
    # cd acme.sh
    # ./acme.sh --install –accountemail [email protected]
    # cd ~
    # source ~/.bashrc
    

    tlsnginx4

    tlsnginx5

    NOTE: Replace the mail account with your mail account name.

  2. Check the version of acme.sh.

    # acme.sh --version
    

    tlsnginx6

  3. Obtain RSA and ECDSA certificates for the domain.

    # RSA
    acme.sh --issue --standalone -d testlayerstack.com.com --keylength 2048
    
    # ECC/ECDSA
    acme.sh --issue --standalone -d testlayerstack.com --keylength ec-256
    

    tlsnginx7

    tlsnginx8

  4. Create directories to store your certs and keys in then, install and copy certificates to /etc/letsencrypt.

    # mkdir -p /etc/letsencrypt/testlayerstack.com
    
    # mkdir -p /etc/letsencrypt/testlayerstack.com_ecc
    

    tlsnginx9

    # acme.sh --install-cert -d testlayerstack.com --cert-file /etc/letsencrypt/testlayerstack.com/cert.pem --key-file /etc/letsencrypt/testlayerstack.com/private.key --fullchain-file /etc/letsencrypt/testlayerstack.com/fullchain.pem
    
    # acme.sh --install-cert -d testlayerstack.com --ecc --cert-file etc/letsencrypt/testlayerstack.com_ecc/cert.pem --key-file /etc/letsencrypt/testlayerstack.com_ecc/private.key --fullchain-file /etc/letsencrypt/testlayerstack.com_ecc/fullchain.pem
    

    tlsnginx10

    tlsnginx11

  5. After running the above commands, your certificates and keys will be in the below-mentioned locations:

    RSA: /etc/letsencrypt/testlayerstack.com
    
    ECC/ECDSA: /etc/letsencrypt/testlayerstack.com_ecc
    


Step B - Configure Nginx for TLS 1.3

  1. Install the latest version of Nginx.

    # echo "deb https://nginx.org/packages/mainline/ubuntu `lsb_release -cs` nginx" \ | sudo tee /etc/apt/sources.list.d/nginx.list
    

    tlsnginx12

  2. For verification of the package authenticity need to import an official Nginx signing key by using the below command.

    # curl -fsSL https://nginx.org/keys/nginx_signing.key | sudo apt-key add -
    

    tlsnginx13

  3. Now enable the SSL module on the server with the below command and restart the Nginx to activate.

    # apt install nginx
    

    tlsnginx14

  4. Check the Nginx version then, start and enable using the below commands.

    # nginx -v
    
    # systemctl start nginx.service
    
    # systemctl enable nginx.service
    

    tlsnginx15

  5. Run the below command and add the following basic configurations in that file.

    # vim /etc/nginx/conf.d/testlayerstack.com.com.conf
    

    tlsnginx16

  6. Then Save and Exit the file.

    NOTE: Replace testlayerstack.com in commands with your valid domain name.

  7. Reload the Nginx to activate the new configuration.

  8. Verify TLS 1.3 by using any browser dev tools or SSL Labs service such as given below.

    https://www.ssllabs.com/ssltest/
    


CentOS


Requirements:

  1. Server running on CentOS 8.

  2. A valid domain name and properly configured A/AAAA/CNAME DNS records.

  3. A valid TLS certificate. Here using from Let’s encrypt.

  4. Nginx version 1.13.0 or greater.

  5. OpenSSL version 1.1.1 or greater.


Before the beginning:

  1. Check the CentOS version by using the below command.

    # cat /etc/centos-release
    

    tlsnginx17

  2. Use the below command to ensure that the server is up to date.

    # dnf update
    

    tlsnginx18

  3. Install the needed packages by using the below command.

    # dnf install -y socat git wget unzip
    

    tlsnginx19


Step A - Install the acme.sh client and obtain a TLS certificate from Let's Encrypt.

acme.sh is used to install, renew and remove SSL certificates and it is written purely in Shell (Unix shell) language, compatible with bash, dash, and sh shells.

  1. Install acme.sh with the below commands.

    # git clone https://github.com/acmesh-official/acme.sh
    # cd acme.sh
    # ./acme.sh --install –accountemail [email protected]
    # cd ~
    # source ~/.bashrc
    

    tlsnginx20

    tlsnginx21

    NOTE: Replace the mail account with your mail account name.

  2. Check the version of acme.sh.

    # acme.sh --version
    

    tlsnginx22

  3. Obtain RSA and ECDSA certificates for the domain.

    # RSA
    acme.sh --issue --standalone -d example.com --keylength 2048
    
    # ECC/ECDSA
    acme.sh --issue --standalone -d example.com --keylength ec-256
    

    tlsnginx23

    tlsnginx24

  4. Create directories to store your certs and keys in then, install and copy certificates to /etc/letsencrypt.

    # mkdir -p /etc/letsencrypt/testlayerstack.com
    
    # mkdir -p /etc/letsencrypt/testlayerstack.com_ecc
    

    tlsnginx25

    # acme.sh --install-cert -d testlayerstack.com --cert-file /etc/letsencrypt/testlayerstack.com/cert.pem --key-file /etc/letsencrypt/testlayerstack.com/private.key --fullchain-file /etc/letsencrypt/testlayerstack.com/fullchain.pem
    
    # acme.sh --install-cert -d testlayerstack.com --ecc --cert-file etc/letsencrypt/testlayerstack.com_ecc/cert.pem --key-file /etc/letsencrypt/testlayerstack.com_ecc/private.key --fullchain-file /etc/letsencrypt/testlayerstack.com_ecc/fullchain.pem
    

    tlsnginx26

    tlsnginx27

  5. After running the above commands, your certificates and keys will be in the below-mentioned locations:

    RSA: /etc/letsencrypt/testlayerstack.com
    
    ECC/ECDSA: /etc/letsencrypt/testlayerstack.com_ecc
    


Step B - Configure Nginx for TLS 1.3

  1. Run the below command to install the Nginx.

    # dnf install nginx
    

    tlsnginx28

  2. Check the Nginx version then, start and enable using the below commands.

    # nginx -v
    
    # systemctl start nginx.service
    
    # systemctl enable nginx.service
    

    tlsnginx30

  3. Run the below command and add the following basic configurations in that file.

    # vim /etc/nginx/conf.d/testlayerstack.com.conf
    

    tlsnginx31

  4. Save the file and exit.

    NOTE: Replace testlayerstack.com in commands with your valid domain name.

  5. Reload Nginx to activate in the new configuration.

  6. Verify TLS 1.3 by using any browser dev tools or SSL Labs service such as given below.

    https://www.ssllabs.com/ssltest/
    


Debian


Requirements:

  1. Server running on Debian.

  2. A valid domain name and properly configured A/AAAA/CNAME DNS records.

  3. A valid TLS certificate. Here using from Let’s encrypt.

  4. Nginx version 1.13.0 or greater.

  5. OpenSSL version 1.1.1 or greater.


Before the beginning:,

  1. Check the Debian version by using the below command.

    # lsb_release -ds
    

    tlsnginx32

  2. By using the below command, ensure that the server is up to date.

    # apt update && sudo apt upgrade
    

    tlsnginx33

  3. Install the needed packages by using the below command.

    # apt install git unzip curl sudo socat build-essential
    

    tlsnginx34


Step A - Install the acme.sh client and obtain a TLS certificate from Let's Encrypt.

acme.sh is used to install, renew and remove SSL certificates and it is written purely in Shell (Unix shell) language, compatible with bash, dash, and sh shells.

  1. Install acme.sh with the below commands.

    # git clone https://github.com/acmesh-official/acme.sh
    # cd acme.sh
    # ./acme.sh --install –accountemail [email protected]
    # cd ~
    # source ~/.bashrc
    

    tlsnginx35

    tlsnginx36

    NOTE: Replace the mail account with your mail account name.

  2. Check the version of acme.sh.

    # acme.sh --version
    

    tlsnginx37

  3. Obtain RSA and ECDSA certificates for the domain.

    # RSA
    acme.sh --issue --standalone -d example.com --keylength 2048
    
    # ECC/ECDSA
    acme.sh --issue --standalone -d example.com --keylength ec-256
    

    tlsnginx38

    tlsnginx39

  4. Create directories to store your certs and keys in then, install and copy certificates to /etc/letsencrypt.

    # mkdir -p /etc/letsencrypt/testlayerstack.com
    
    # mkdir -p /etc/letsencrypt/testlayerstack.com_ecc
    

    tlsnginx40

    # acme.sh --install-cert -d testlayerstack.com --cert-file /etc/letsencrypt/testlayerstack.com/cert.pem --key-file /etc/letsencrypt/testlayerstack.com/private.key --fullchain-file /etc/letsencrypt/testlayerstack.com/fullchain.pem
    
    # acme.sh --install-cert -d testlayerstack.com --ecc --cert-file etc/letsencrypt/testlayerstack.com_ecc/cert.pem --key-file /etc/letsencrypt/testlayerstack.com_ecc/private.key --fullchain-file /etc/letsencrypt/testlayerstack.com_ecc/fullchain.pem
    

    tlsnginx41

    tlsnginx42

  5. After running the above commands, your certificates and keys will be in the below-mentioned locations:

    RSA: /etc/letsencrypt/testlayerstack.com
    
    ECC/ECDSA: /etc/letsencrypt/testlayerstack.com_ecc
    

Step B - Configure Nginx for TLS 1.3

  1. Install the latest version of Nginx.

    # apt install nginx
    

    tlsnginx43

  2. Check the Nginx version then, start and enable using the below commands.

    # nginx -v
    
    # systemctl start nginx.service
    
    # systemctl enable nginx.service
    

    tlsnginx44

  3. Run the below command and add the following basic configurations in that file.

    # vim /etc/nginx/conf.d/testlayerstack.com.conf
    

    tlsnginx45

  4. Then Save and Exit the file.

    NOTE: Replace testlayerstack.com in commands with your valid domain name.

  5. Now reload the Nginx to activate the new configuration.

  6. Verify TLS 1.3 by using any browser dev tools or SSL Labs service such as given below.

    https://www.ssllabs.com/ssltest/
    


Related Tutorials

What do you think about this article?

Rate this article
LayerStack Promotion
Need assistance?

Try this guide to receive free bundled services at signup on a new free account.

Sign Up

Your Feedback Is Important

We hope you’ll give the new products and updates a try. If you have an idea for improving our products or want to vote on other user ideas so they get prioritized, please submit your feedback on our Community platform. And if you have any questions, please feel free to ask in the Community or contact our Technical Support team.