Let’s Encrypt is a Certificate Authority (CA) that makes it easy to obtain and install free TLS/SSL certificates, thereby enabling encrypted HTTPS on web servers. It simplifies the process by providing a software client, Certbot, which attempts to automate most (if not all) of the required steps. Currently, the whole process of obtaining and installing a certificate is automated on both Apache and Nginx.
In this article, we will use Certbot to obtain a free SSL certificate for Nginx on Ubuntu 18.04 and set it up to renew automatically.
We will use a separate Nginx server block file instead of the default file. Creating a new Nginx server block for each domain is the most suitable approach, because it helps to avoid common mistakes and keeps the default files as a fallback configuration.
You will need the following to follow the procedure.
- One Ubuntu 18.04 server set up with a sudo non-root user and a firewall. (If you have not set up Ubuntu 18.04 yet, you can refer to the articles on setting up Ubuntu 18.04.)
- A fully registered domain name. In this article, we use example.com as the domain name. You can purchase a domain name on Namecheap, get one for free on Freenom, or use any domain you like.
- The two DNS records listed below. You can set up either of them for your server; every name you later pass to Certbot with -d in Step 04 must have a record pointing to your server. Before adding a record, you can read up on DNS and how to add records.
  - An A record with example.com pointing to the public IP address of your server.
  - An A record with www.example.com pointing to the public IP address of your server.
- Nginx installed, with a server block for your domain. As an example, we use /etc/nginx/sites-available/example.com.
Step 01: Installing Certbot
The first step is to install the Certbot software on your server, so that you can use Let’s Encrypt to obtain an SSL certificate.
Certbot is in very active development, so the Certbot packages provided by Ubuntu tend to be outdated. However, the Certbot developers maintain an Ubuntu software repository with up-to-date versions, so we will use that repository.
First, add the repository:
$ sudo add-apt-repository ppa:certbot/certbot
Press ENTER to accept.
Now install Certbot’s Nginx package with apt:
$ sudo apt install python-certbot-nginx
Certbot is now ready to use, but we have to verify some of Nginx’s configuration before it can configure SSL.
Step 02: Confirming Nginx’s configuration
To configure SSL automatically, Certbot needs to be able to find the correct server block in your Nginx configuration. It does this by looking for a server_name directive that matches the domain you request a certificate for.
Normally, the server block for your domain is located at /etc/nginx/sites-available/example.com and already contains the server_name directive.
To check, open the server block file for your domain using nano or your favorite text editor:
$ sudo nano /etc/nginx/sites-available/example.com
Find the existing server_name line. It should look like this:
/etc/nginx/sites-available/example.com
...
server_name example.com www.example.com;
...
If it does, exit your editor and move on to the next step.
If it does not, update it to match. Then save the file, quit your editor, and verify the syntax of your configuration edits:
$ sudo nginx -t
If an error message is displayed, reopen the server block file, check it for typos or missing characters, and correct them. Once your configuration file’s syntax is correct, reload Nginx to load the new configuration:
$ sudo systemctl reload nginx
Certbot will now be able to find the correct server block and update it.
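The check from this step as a script, added here as an example and not part of the original article: it lists the names a server block declares and reports which of the names you plan to pass to certbot with -d are missing. The function names and the sample server block are constructed for illustration, and matching is exact (wildcard and regex names are not expanded).

```sh
# Print every name declared by a server_name directive, one per line.
# Skips comments and follows directives that continue over several lines.
server_names() {
    awk '
        { sub(/#.*/, "") }                   # strip comments
        {
            for (i = 1; i <= NF; i++) {
                tok = $i
                if (!in_dir) {               # look for the directive keyword
                    if (tok == "server_name") in_dir = 1
                    continue
                }
                ended = sub(/;$/, "", tok)   # ";" closes the directive
                if (tok != "") print tok
                if (ended) in_dir = 0
            }
        }
    ' "$1"
}

# Usage: missing_names FILE NAME...
# Prints each NAME that no server_name directive lists exactly;
# returns 1 if any name is missing.
missing_names() {
    mn_file=$1; mn_rc=0; shift
    for mn_name in "$@"; do
        if ! server_names "$mn_file" | grep -qxF -- "$mn_name"; then
            echo "$mn_name"
            mn_rc=1
        fi
    done
    return "$mn_rc"
}

# Constructed sample server block, written to the path given as $1.
write_sample_conf() {
    cat > "$1" <<'EOF'
server {
    # server_name old.example.com;
    server_name example.com
                www.example.com;
}
EOF
}

conf=$(mktemp) && write_sample_conf "$conf"
missing_names "$conf" example.com www.example.com api.example.com \
    || echo "^ add these to server_name before running certbot"
rm -f "$conf"
```

On a real server, point missing_names at /etc/nginx/sites-available/example.com and pass the same names you will give to certbot.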
Now we move to our next step, which is updating the firewall to allow HTTPS traffic.
Step 03: Allowing HTTPS through the firewall
The prerequisite guides for this article recommend enabling the ufw firewall. If you have already enabled it, you will need to adjust some settings to allow HTTPS traffic. Nginx registers a few profiles with ufw upon installation.
You can see the current setting by typing:
$ sudo ufw status
The output will probably show that only HTTP traffic is allowed to the web server.
To additionally let in HTTPS traffic, allow the Nginx Full profile and delete the redundant Nginx HTTP profile allowance:
$ sudo ufw allow 'Nginx Full'
$ sudo ufw delete allow 'Nginx HTTP'
Your status should now look like this:
$ sudo ufw status
Status: active

To                         Action      From
--                         ------      ----
OpenSSH                    ALLOW       Anywhere
Nginx Full                 ALLOW       Anywhere
OpenSSH (v6)               ALLOW       Anywhere (v6)
Nginx Full (v6)            ALLOW       Anywhere (v6)
Step 04: Obtaining an SSL certificate
Certbot provides various ways to obtain SSL certificates through plugins. The Nginx plugin takes care of reconfiguring Nginx and reloading the configuration whenever necessary. To use this plugin, type the following:
$ sudo certbot --nginx -d example.com -d www.example.com
This runs certbot with the --nginx plugin, using -d to specify the names we would like the certificate to be valid for.
If this is your first time running certbot, you will be prompted to enter an email address and agree to the terms of service. After that, Certbot will communicate with the Let’s Encrypt server and then run a challenge to verify that you control the domain you are requesting a certificate for.
If that succeeds, certbot will ask how you would like to configure your HTTPS settings.
Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
-------------------------------------------------------------------------------
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
-------------------------------------------------------------------------------
Select the appropriate number [1-2] then [enter] (press 'c' to cancel):
Select the number of your choice and press ENTER. The configuration will then be updated, and Nginx will reload to pick up the new settings. Certbot finishes with a message telling you that the process was successful and where your certificates are stored. The message may look like this:
IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/example.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/example.com/privkey.pem
   Your cert will expire on 2018-07-23. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot again
   with the "certonly" option. To non-interactively renew *all* of
   your certificates, run "certbot renew"
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le
Your certificates have now been downloaded, installed, and loaded. Try reloading your website using https:// and look at your browser's security indicator. If it shows a green lock, your site is properly secured. If you test your server using the SSL Labs Server Test, it will receive an A grade.
We will finish the process by testing the renewal process.
Step 05: Verifying certbot auto-renewal
Let’s Encrypt certificates are valid for only ninety (90) days. Because of that, users are encouraged to automate their certificate renewal process. The Certbot package we installed takes care of this by adding a renew script to /etc/cron.d. This script runs twice a day and automatically renews any certificate that is within thirty (30) days of expiration.
To test the renewal process, you can do a dry run with Certbot:
$ sudo certbot renew --dry-run
If you see no errors, you are all set. When necessary, Certbot will renew your certificates and reload Nginx to pick up the changes. If the automated renewal process ever fails, Let’s Encrypt will send a message to the email address you specified, warning you that your certificate is about to expire.
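An independent check on the renewal job, added here as an example and not part of the original article or of Certbot: it uses openssl x509 -checkend to flag a certificate that is inside the thirty-day renewal window and therefore should already have been renewed. The function names are hypothetical, and the certificates used in the demo are constructed self-signed ones.

```sh
# Usage: renewal_status CERT [WINDOW_DAYS]   (window defaults to 30 days)
# Prints ok | renewal overdue | expired | unreadable; returns 0 only for ok.
renewal_status() {
    rs_cert=$1
    rs_days=${2:-30}
    if ! openssl x509 -noout -in "$rs_cert" >/dev/null 2>&1; then
        echo "unreadable"; return 2
    fi
    # -checkend N exits non-zero if the certificate expires within N seconds.
    if ! openssl x509 -noout -checkend 0 -in "$rs_cert" >/dev/null; then
        echo "expired"; return 1
    fi
    if ! openssl x509 -noout -checkend "$((rs_days * 86400))" \
            -in "$rs_cert" >/dev/null; then
        echo "renewal overdue"; return 1
    fi
    echo "ok"
}

# Constructed test input: throwaway self-signed certificate valid for $2 days.
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=example.com" \
        -days "$2" -keyout "$1.key" -out "$1" 2>/dev/null
}

# Demo on constructed certificates; on a real server, run as root against
# /etc/letsencrypt/live/example.com/fullchain.pem (path from Certbot's output).
demo_dir=$(mktemp -d)
make_sample_cert "$demo_dir/fresh.pem" 90
make_sample_cert "$demo_dir/stale.pem" 10
echo "fresh: $(renewal_status "$demo_dir/fresh.pem")"
echo "stale: $(renewal_status "$demo_dir/stale.pem")"
rm -rf "$demo_dir"
```

A non-zero exit status from renewal_status can be wired into whatever monitoring you already run, so a silently failing cron job is noticed before the certificate expires.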
In this article, we installed the Let’s Encrypt client certbot, downloaded SSL certificates for your domain, configured Nginx to use these certificates, and set up automatic certificate renewal. You can try these steps yourself, and we hope this article helps you learn how to secure Nginx with Let's Encrypt on Ubuntu 18.04.