Overview
With Let’s Encrypt’s launch, a whole new world opened up for those wishing to secure their websites easily and without great expense. Before Let’s Encrypt, a typical certificate would cost website operators several hundred a year. In this tutorial, you will learn how to request free certificates and automate the renewal process using Let’s Encrypt with NGINX.
Let’s Encrypt provides a tool named Certbot, whose purpose is to make managing certificates easier and to help automate the process. Certbot is distributed through a PPA maintained by Let’s Encrypt, which you will need to install.
Installing PPA
Let’s Encrypt maintains an Ubuntu PPA that provides packages to ease certificate management. The main tool, certbot, automates the configuration of Apache and Nginx and manages the certificates that have been requested.
To add the Let’s Encrypt PPA to Ubuntu, run the following commands.
sudo apt-get update
sudo apt-get install software-properties-common
sudo add-apt-repository universe
sudo add-apt-repository ppa:certbot/certbot
To install Certbot and the Nginx plugin, run the following command.
sudo apt-get install certbot python-certbot-nginx
Configuring NGINX and Requesting Certificates
The NGINX plugin for Certbot will register new certificates for you and then update your NGINX configuration. If you are not using the default enabled site, you can tell Certbot that you wish to update the configuration manually.
Run the certbot command with the --nginx flag.
sudo certbot --nginx
You will be prompted for your email address if one is not already registered on the host. Once registered, you will be asked for a domain name, or a list of domain names, to include in your certificate.
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx
No names were found in your configuration files. Please enter in your domain
name(s) (comma and/or space separated)  (Enter 'c' to cancel):
The hostname(s) must be registered in DNS and resolvable. The IP address returned by DNS must also match the server’s local IP address. Certbot will validate this when requesting your certificate.
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for blog2.rigpig.ca
Waiting for verification...
Cleaning up challenges
Deploying Certificate to VirtualHost /etc/nginx/sites-enabled/default
If the request is successful, you will be asked whether you want Certbot to update NGINX automatically, in this case to redirect HTTP traffic to HTTPS. As mentioned previously, the configuration applies to the default site. Any custom sites will need to be configured manually.
Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Your certificate is now installed and, if you chose the automatic NGINX configuration, your server is ready to support TLS.
Congratulations! You have successfully enabled https://blog2.rigpig.ca

You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=blog2.rigpig.ca

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/blog2.rigpig.ca/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/blog2.rigpig.ca/privkey.pem
   Your cert will expire on 2019-08-30. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot again
   with the "certonly" option. To non-interactively renew all of your
   certificates, run "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le
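Two checks worth keeping next to this step, written as an added example that is not part of the original post or of Certbot itself: a pre-flight confirmation that the hostname resolves to an address of this host (the http-01 challenge above only succeeds when the CA reaches this machine), and a post-issue calculation of how many days remain before the expiry date certbot reports, so "certbot renew" can be exercised before the window closes. The script assumes a Linux host with GNU date (for -d), getent, hostname -I, openssl and certbot available; the DOMAIN and LE_CHECK_RUN variable names and all function names are this example's own.

```shell
#!/bin/sh
# Added example, not code from the original post or from Certbot.
# Assumes a Linux host with GNU date (-d), getent, hostname -I, openssl and
# certbot available. DOMAIN and LE_CHECK_RUN are names chosen for this example.

# Return 0 when the address DNS returned for the name is one of this host's
# addresses. The http-01 challenge only succeeds when the CA reaches this host.
# Usage: dns_points_here <resolved-ip> "<space-separated local ips>"
dns_points_here() {
    resolved="$1"
    for ip in $2; do
        [ "$ip" = "$resolved" ] && return 0
    done
    return 1
}

# First IPv4 address the system resolver returns for a hostname.
resolve_a() {
    getent ahostsv4 "$1" | awk 'NR == 1 { print $1 }'
}

# Whole days from a reference time until an X.509 notAfter value.
# Dates are in the form openssl prints, e.g. "Aug 30 23:59:59 2019 GMT".
# Usage: days_until_expiry <notAfter> [<now>]   (default: current time)
days_until_expiry() {
    end=$(date -u -d "$1" +%s)
    now=$(date -u -d "${2:-now}" +%s)
    echo $(( (end - now) / 86400 ))
}

# notAfter of a PEM certificate, e.g. /etc/letsencrypt/live/<domain>/fullchain.pem
cert_not_after() {
    openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//'
}

main() {
    domain="${DOMAIN:?set DOMAIN to the hostname being certified}"

    # Pre-flight: the name must resolve to this machine before running certbot.
    resolved=$(resolve_a "$domain")
    if ! dns_points_here "$resolved" "$(hostname -I)"; then
        echo "$domain resolves to '$resolved', which is not an address of this host" >&2
        return 1
    fi
    echo "$domain resolves to $resolved (this host)"

    # Post-issue: report days left on the live certificate, if one exists.
    cert="/etc/letsencrypt/live/$domain/fullchain.pem"
    if [ -r "$cert" ]; then
        left=$(days_until_expiry "$(cert_not_after "$cert")")
        echo "$cert expires in $left days"
        # certbot's default is to renew once fewer than 30 days remain.
        [ "$left" -lt 30 ] && echo "inside the renewal window; run: certbot renew"
    fi

    # Exercise the renewal path against the staging environment; no real issuance.
    certbot renew --dry-run
}

# Run only when explicitly requested, so the functions can be sourced or tested.
if [ "${LE_CHECK_RUN:-0}" = "1" ]; then
    main "$@"
fi
```

Run it as "LE_CHECK_RUN=1 DOMAIN=blog2.rigpig.ca sh le-check.sh" once the certificate is installed; before the first request the expiry section is skipped and only the DNS check and the dry run execute. The dry run talks to the Let's Encrypt staging servers, so a failing renewal hook or a firewall that later blocks port 80 shows up here rather than on the day the certificate lapses.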
The configuration Certbot generates will look similar to the following example. It is a basic server block for handling secure traffic on port 443; the paths of the certificate and key generated by Let’s Encrypt are added to the config as well, each marked "managed by Certbot".
server {
    # SSL configuration
    #
    # listen 443 ssl default_server;
    # listen [::]:443 ssl default_server;
    #
    # Note: You should disable gzip for SSL traffic.
    # See: https://bugs.debian.org/773332
    #
    # Read up on ssl_ciphers to ensure a secure configuration.
    # See: https://bugs.debian.org/765782
    #
    # Self signed certs generated by the ssl-cert package
    # Don't use them in a production server!
    #
    # include snippets/snakeoil.conf;

    root /var/www/html;

    # Add index.php to the list if you are using PHP
    index index.html index.htm index.nginx-debian.html;

    server_name blog2.rigpig.ca; # managed by Certbot

    location / {
        # First attempt to serve request as file, then
        # as directory, then fall back to displaying a 404.
        try_files $uri $uri/ =404;
    }

    # pass PHP scripts to FastCGI server
    #
    #location ~ \.php$ {
    #    include snippets/fastcgi-php.conf;
    #
    #    # With php-fpm (or other unix sockets):
    #    fastcgi_pass unix:/var/run/php/php7.0-fpm.sock;
    #    # With php-cgi (or other tcp sockets):
    #    fastcgi_pass 127.0.0.1:9000;
    #}

    # deny access to .htaccess files, if Apache's document root
    # concurs with nginx's one
    #
    #location ~ /\.ht {
    #    deny all;
    #}

    listen [::]:443 ssl ipv6only=on; # managed by Certbot
    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/blog2.rigpig.ca/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/blog2.rigpig.ca/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}