Setup Let’s Encrypt With Nginx on Ubuntu 18.04 & 16.04 / CentOS 7 / Debian 9


Let’s Encrypt is a widely known certificate authority that provides free X.509 certificates for TLS. It was launched in April 2016.

Let’s Encrypt issuance is an automated process that replaces the complex manual steps of certificate creation, validation, signing, installation, and renewal for secure websites.

To generate a certificate for your domain, you need terminal/shell access and the Certbot ACME client. Certbot handles certificate issuance and installation with no downtime.

Currently, Apache, Nginx, Plex, and Haproxy are supported by the automated process.

From my experience, I suggest not going through the automated process, as it may mess up your web server configuration if you do not answer the questions it asks correctly.

The manual process is also easy to follow.

1. Create a certificate for your domain.
2. Update Nginx configuration to use the created certificate.

Prerequisites

You should have a LEMP stack configured on Ubuntu / CentOS / Debian.

READ: How to Install LEMP Stack on Ubuntu 18.04 / Ubuntu 16.04

READ: How to Install LEMP Stack on CentOS 7 / RHEL 7

READ: How to Install LEMP Stack on Debian 9

Install Let’s Encrypt

Log in as root or switch to the root user.

su -

OR

sudo su -

Certbot is available in the EPEL repository for CentOS, and the Certbot PPA needs to be configured on Ubuntu.

### Ubuntu 18.04 / Ubuntu 16.04 ###

apt-get update
apt-get install -y software-properties-common
add-apt-repository ppa:certbot/certbot
apt-get update

### CentOS 7 ###

rpm -ivh https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm

### RHEL 7 ###

subscription-manager repos --enable rhel-7-server-optional-rpms

Now, install the certbot client.

### Ubuntu 18.04 / Ubuntu 16.04 ###

apt-get install -y python-certbot-nginx

### CentOS 7 / RHEL 7 ###

yum install -y certbot

### Debian 9 ###

apt-get install -y python-certbot-nginx -t stretch-backports

Install Nginx

Follow the links and install the Nginx web server.

READ: How to Install LEMP Stack on Ubuntu 18.04 / Ubuntu 16.04

READ: How to Install LEMP Stack on CentOS 7 / RHEL 7

READ: How to Install LEMP Stack on Debian 9

Verify the web server by going to the following URL.

http://your.ip.add.ress

You should get Nginx’s default web page.

Setup Let's Encrypt With Nginx on Ubuntu 18.04 - Nginx's Default Page

Create Virtualhost

We will now create a virtual host configuration file for the domain web.itzgeek.com.

This virtual host serves the HTTP version of your domain.

vi /etc/nginx/conf.d/web.itzgeek.com.conf

Use the below information.

server {
    listen 80;    # plain HTTP; this is also nginx's default when no listen directive is given
    server_name web.itzgeek.com;
    root /opt/nginx/web.itzgeek.com/html;

    location / {
        index index.html index.htm index.php;
    }
}

Create a document root to hold your HTML files.

mkdir -p /opt/nginx/web.itzgeek.com/html

Change the permission of the directory.

chown -R nginx:nginx /opt/nginx/

Place the test HTML file in the document root of your domain.

echo "This is a test site @ web.itzgeek.com" >/opt/nginx/web.itzgeek.com/html/index.html

Restart the Nginx service.

systemctl restart nginx

Make DNS A Record

Access your DNS manager or domain registrar and create an A record for your domain, e.g. web.itzgeek.com.

Setup Let's Encrypt With Nginx on Ubuntu 18.04 - Create A record

Wait for five to ten minutes to let the record propagate.

Create a certificate for your domain

Use the certbot command to create a Let’s Encrypt certificate manually.

certbot certonly --webroot -w /opt/nginx/web.itzgeek.com/html/ -d web.itzgeek.com

-w: path to the document root Nginx serves for the domain. Certbot writes the http-01 challenge file under .well-known/acme-challenge/ in this directory, so it must be the root of the HTTP virtual host created above.
-d: the fully qualified domain name (FQDN) to certify.

Follow the interactive prompt and generate the required certificate.

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Enter email address (used for urgent renewal and security notices) (Enter 'c' to
cancel): itzgeek.web@gmail.com
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org

-------------------------------------------------------------------------------
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server at
https://acme-v01.api.letsencrypt.org/directory
-------------------------------------------------------------------------------
(A)gree/(C)ancel: A

-------------------------------------------------------------------------------
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about EFF and
our work to encrypt the web, protect its users and defend digital rights.
-------------------------------------------------------------------------------
(Y)es/(N)o: N
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for web.itzgeek.com
Using the webroot path /opt/nginx/web.itzgeek.com/html for all unmatched domains.
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/web.itzgeek.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/web.itzgeek.com/privkey.pem
   Your cert will expire on 2018-09-03. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

Update web server configuration

Update the Nginx server configuration to use the created certificate. Create a second configuration file for the HTTPS server block.

vi /etc/nginx/conf.d/secureweb.itzgeek.com.conf

Use the following configuration.

server {
    server_name web.itzgeek.com;
    root /opt/nginx/web.itzgeek.com/html;
    listen 443 ssl;    # 'ssl' on the listen line enables TLS; the separate 'ssl on;' directive is deprecated (nginx 1.15+) and dropped here

    # Certificate chain and private key written by certbot
    ssl_certificate /etc/letsencrypt/live/web.itzgeek.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/web.itzgeek.com/privkey.pem;
    # Only consulted for OCSP stapling, which additionally needs 'ssl_stapling on;'
    ssl_trusted_certificate /etc/letsencrypt/live/web.itzgeek.com/fullchain.pem;

    # TLSv1 and TLSv1.1 are deprecated (RFC 8996); keep them only if you must serve legacy clients
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS";

    access_log /var/log/nginx/web.itzgeek.com.access.log;
    error_log /var/log/nginx/web.itzgeek.com.error.log;

    location / {
        index index.html index.htm index.php;
    }
}
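The HTTPS server block above still offers TLSv1/TLSv1.1 and 3DES (DES-CBC3) suites, and sets ssl_trusted_certificate without enabling OCSP stapling. The following script is an added example (not part of the tutorial) that flags those settings, plus the deprecated ssl on; directive, in any nginx config file; the two embedded configs are constructed samples, and chain.pem is the CA-chain file certbot writes beside fullchain.pem.

```shell
# check_tls_conf: flag weak or dead TLS settings in an nginx server block file.
# Prints one finding per line; returns 1 if anything was found, 0 if clean.
check_tls_conf() {
    conf=$1; rc=0
    # 'ssl on;' is deprecated since nginx 1.15; 'listen 443 ssl;' is enough.
    if grep -Eq '^[[:space:]]*ssl[[:space:]]+on[[:space:]]*;' "$conf"; then
        echo "deprecated 'ssl on;' directive"; rc=1
    fi
    # SSLv3 and TLS 1.0/1.1 (deprecated by RFC 8996) should not be offered.
    if grep -E '^[[:space:]]*ssl_protocols' "$conf" |
            grep -Eq '(SSLv3|TLSv1|TLSv1\.1)([[:space:]]|;)'; then
        echo "legacy protocol in ssl_protocols"; rc=1
    fi
    # DES-CBC3-* suites are 3DES (SWEET32); no modern client needs them.
    if grep -E '^[[:space:]]*ssl_ciphers' "$conf" | grep -q 'DES-CBC3'; then
        echo "3DES suite in ssl_ciphers"; rc=1
    fi
    # ssl_trusted_certificate is only consulted when OCSP stapling is on.
    if grep -Eq '^[[:space:]]*ssl_trusted_certificate' "$conf" &&
            ! grep -Eq '^[[:space:]]*ssl_stapling[[:space:]]+on' "$conf"; then
        echo "ssl_trusted_certificate set but ssl_stapling is off"; rc=1
    fi
    return "$rc"
}

# Constructed sample: the TLS directives of the HTTPS server block above.
WEAK_CONF=$(mktemp)
cat >"$WEAK_CONF" <<'EOF'
server {
    listen 443 ssl;
    ssl on;
    ssl_trusted_certificate /etc/letsencrypt/live/web.itzgeek.com/fullchain.pem;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers "ECDHE-RSA-AES128-GCM-SHA256:DES-CBC3-SHA:!DSS";
}
EOF

# Constructed sample: the same block with all four findings fixed.
STRONG_CONF=$(mktemp)
cat >"$STRONG_CONF" <<'EOF'
server {
    listen 443 ssl;
    ssl_trusted_certificate /etc/letsencrypt/live/web.itzgeek.com/chain.pem;
    ssl_stapling on;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-CHACHA20-POLY1305";
}
EOF
# Usage: sh check-tls.sh /etc/nginx/conf.d/secureweb.itzgeek.com.conf
[ $# -eq 0 ] || check_tls_conf "$1"
```

Run it against the file after every edit and again after nginx -t; an empty output with exit status 0 means none of the four conditions was found.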

Redirect HTTP requests to HTTPS with Nginx

We will now configure HTTP-to-HTTPS redirection on the Nginx server so that requests arriving at the plain HTTP site are redirected to the HTTPS site. Here, we edit the same configuration file we created for the HTTP version of the site.

vi /etc/nginx/conf.d/web.itzgeek.com.conf

Use the below information.

server {
    server_name web.itzgeek.com;
    root /opt/nginx/web.itzgeek.com/html;

    location / {
        index index.html index.htm index.php;
        # Send every plain-HTTP request to the HTTPS site. Webroot renewal keeps
        # working because Let's Encrypt follows the redirect and the HTTPS server
        # block serves the same document root.
        return 301 https://web.itzgeek.com$request_uri;
    }
}

Restart the Nginx service.

systemctl restart nginx

Firewall

Configure the firewall to allow HTTPS requests.

FirewallD:

firewall-cmd --permanent --add-port=443/tcp
firewall-cmd --reload

UFW:

ufw allow 443/tcp
ufw reload
ufw enable

Verify SSL Certificate

Verify the Let’s Encrypt certificate by visiting the HTTPS version of your website.

http://your-http-web-site

OR

https://your-https-web-site

You should get the HTTPS version of your site now.

Setup Let's Encrypt With Nginx on Ubuntu 18.04 - HTTPS Page

Test SSL Certificate

Test your SSL certificate for issues and check its security rating at the URL below.

https://www.ssllabs.com/ssltest/analyze.html?d=web.itzgeek.com

Setup Let's Encrypt With Nginx on Ubuntu 18.04 - SSL Server Test

Certificate Renewal

Let’s Encrypt certificates have a short validity, about 90 days, so it is highly advisable to configure a cron (Linux scheduler) job to renew your certificates before they expire.

Before you configure the cron job, run the command below to simulate automatic renewal of your certificate.

certbot renew --dry-run

Output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log

-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/web.itzgeek.com.conf
-------------------------------------------------------------------------------
Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator webroot, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for web.itzgeek.com
Waiting for verification...
Cleaning up challenges

-------------------------------------------------------------------------------
new certificate deployed without reload, fullchain is
/etc/letsencrypt/live/web.itzgeek.com/fullchain.pem
-------------------------------------------------------------------------------

-------------------------------------------------------------------------------
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates below have not been saved.)

Congratulations, all renewals succeeded. The following certs have been renewed:
  /etc/letsencrypt/live/web.itzgeek.com/fullchain.pem (success)
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates above have not been saved.)
-------------------------------------------------------------------------------

IMPORTANT NOTES:
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.

The above output confirms that renewal is working properly. Now, schedule a cron job for the command below.

certbot renew

We recommend configuring the cron job to run twice per day.
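A renewal wrapper for that cron job, added here as an example and not part of the tutorial: the dry run above reports the new certificate "deployed without reload", and nginx keeps serving the old certificate from memory until it is reloaded, so the wrapper passes a deploy hook. The script name renew-certs.sh, the log path and the 20-day warning threshold are assumptions; the expiry helper needs openssl and GNU date.

```shell
# renew-certs.sh: what the twice-daily cron job should run. CERTBOT, RELOAD_CMD
# and LOG can be overridden from the environment so the script can be dry-tested.
CERTBOT="${CERTBOT:-certbot}"
RELOAD_CMD="${RELOAD_CMD:-systemctl reload nginx}"
LOG="${LOG:-/var/log/letsencrypt/renew-cron.log}"    # assumed log location

renew_certs() {
    # --quiet keeps cron mail to real errors; --deploy-hook runs once per
    # renewed certificate, after the new files under /etc/letsencrypt/live
    # are in place, so nginx is reloaded only when something changed.
    "$CERTBOT" renew --quiet --deploy-hook "$RELOAD_CMD" >>"$LOG" 2>&1
}

# Days until a certificate's notAfter date, given the line printed by
# 'openssl x509 -noout -enddate'; negative once expired. Needs GNU date.
days_from_not_after() {
    expiry=$(date -d "${1#notAfter=}" +%s) || return 1
    echo $(( (expiry - $(date +%s)) / 86400 ))
}

# Monitoring check independent of certbot: renewal is attempted from 30 days
# before expiry, so fewer than 20 days left means it has been failing for ~10.
check_live_cert() {
    left=$(days_from_not_after "$(openssl x509 -in "$1" -noout -enddate)") || return 1
    [ "$left" -ge 20 ] || echo "WARNING: $1 expires in $left days" >&2
    echo "$left"
}

# Crontab entry (e.g. /etc/cron.d/certbot), twice daily; the random sleep
# spreads renewal attempts instead of hitting the ACME API on the hour:
#   0 */12 * * * root perl -e 'sleep int(rand(3600))'; /usr/local/sbin/renew-certs.sh
```

Run check_live_cert /etc/letsencrypt/live/web.itzgeek.com/fullchain.pem from a separate daily cron job or your monitoring system, so a silently failing renewal is noticed well before the 90 days run out.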

That’s All.
