@bidipeppercrap
Last active July 30, 2020 10:11

Securing Nginx with Let's Encrypt on Ubuntu

Suppose we have configured our Nginx server block with this simplest form of config:

upstream service_api {
    server localhost:3000;    # the `server` keyword is required inside an upstream block
}

server {
    listen 80;
    listen [::]:80;

    server_name my-domain.com www.my-domain.com;

    location / {
        proxy_pass http://service_api;    # plain HTTP to the backend on port 3000
    }
}

Now we want to secure it with HTTPS.
The free way to do it is with Let's Encrypt and its Certbot client.

1. Installing Certbot

Add repository:
sudo add-apt-repository ppa:certbot/certbot

Install Certbot for Nginx:
sudo apt install python-certbot-nginx

2. Firewall Configuration

Let's allow Nginx HTTPS service on firewall:
sudo ufw allow 'Nginx Full'

Check that it's allowed:
sudo ufw status

If you see Nginx Full ALLOW and Nginx Full (v6) ALLOW then you are good to go.

3. Obtaining SSL Certificate

Certbot provides a variety of ways to obtain SSL certificates through plugins. The Nginx plugin will take care of reconfiguring Nginx and reloading the config whenever necessary. To use this plugin, type the following:
sudo certbot --nginx -d my-domain.com -d www.my-domain.com

If that succeeds, Certbot will ask you a few questions.
Be sure to answer those questions honestly!

Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
-------------------------------------------------------------------------------
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
-------------------------------------------------------------------------------
Select the appropriate number [1-2] then [enter] (press 'c' to cancel):

If you see this question, type 2 if you want to auto-redirect http:// to https://.
If you don't want the auto-redirect, type 1.

4. Verifying Certbot Auto-Renewal

Let’s Encrypt’s certificates are only valid for ninety days. This is to encourage users to automate their certificate renewal process. The certbot package we installed takes care of this for us by adding a renew script to /etc/cron.d. This script runs twice a day and will automatically renew any certificate that’s within thirty days of expiration.

To test the renewal process, you can do a dry run with certbot:
sudo certbot renew --dry-run

If you see no errors, you’re all set. When necessary, certbot will renew your certificates and reload Nginx to pick up the changes. If the automated renewal process ever fails, Let’s Encrypt will send a message to the email you specified, warning you when your certificate is about to expire.
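To verify the result of steps 3 and 4 from outside the box, here is an added check script (not part of the gist): is_https_redirect and days_until_expiry parse captured curl/openssl output and run offline, while check_site runs them against a live host. It assumes GNU date (as on Ubuntu) and that curl and openssl are installed; the 30-day threshold is Certbot's own renewal window from the text above.

```shell
#!/bin/sh
# Succeed (return 0) if a captured HTTP response header block is a redirect
# to an https:// URL. $1: raw headers as printed by `curl -sI http://host/`.
is_https_redirect() {
  hdrs=$(printf '%s\n' "$1" | tr -d '\r')
  status=$(printf '%s\n' "$hdrs" | awk 'NR == 1 { print $2 }')
  location=$(printf '%s\n' "$hdrs" | awk 'tolower($1) == "location:" { print $2; exit }')
  case "$status" in
    301|302|307|308) ;;
    *) return 1 ;;
  esac
  case "$location" in
    https://*) return 0 ;;
    *) return 1 ;;
  esac
}

# Print the whole days until the certificate expires.
# $1: the line printed by `openssl x509 -noout -enddate`,
#     e.g. "notAfter=Oct 28 10:11:00 2020 GMT"
# $2: reference time in epoch seconds (defaults to now). GNU date is assumed.
days_until_expiry() {
  end_epoch=$(date -u -d "${1#notAfter=}" +%s)
  now_epoch=${2:-$(date -u +%s)}
  echo $(( (end_epoch - now_epoch) / 86400 ))
}

# Live check for a host set up as above. Certbot's cron job renews anything within
# 30 days of expiry, so fewer days left than that means renewal is not working.
check_site() {
  host=$1
  if is_https_redirect "$(curl -sI "http://$host/")"; then
    echo "OK   http://$host redirects to HTTPS"
  else
    echo "WARN http://$host does not redirect to HTTPS"
  fi
  enddate=$(openssl s_client -servername "$host" -connect "$host:443" </dev/null 2>/dev/null \
            | openssl x509 -noout -enddate)
  days=$(days_until_expiry "$enddate")
  if [ "$days" -gt 30 ]; then
    echo "OK   certificate valid for $days more days"
  else
    echo "WARN certificate expires in $days days; run 'sudo certbot renew --dry-run'"
  fi
}

if [ $# -gt 0 ]; then check_site "$1"; fi
```

Run it as `sh check_site.sh my-domain.com` once Certbot has finished; a WARN on the expiry line a few weeks after setup is the signal that the cron renewal never ran.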
