Secure Nginx using HTTPS with Let's Encrypt
To configure HTTPS for Nginx using certificates obtained from Let's Encrypt, perform the following steps.
This procedure assumes that:
- You have an Nginx web server in place and working.
- You have one or more domain names properly configured.
1 - Download the Let's Encrypt client
The first step to using Let's Encrypt to obtain an SSL certificate is to install the certbot
software on your server.
Download the following package using the package manager for your server:
python-certbot-apache
2 - Open up firewall
If a firewall is configured, make sure it allows HTTPS traffic on port 443.
3 - Set up the SSL Certificate
1) Certbot's Webroot plugin validates your domain by placing a file under the .well-known directory of your document root, so that directory must be reachable over HTTP. To ensure that it is accessible to certbot for validation, add the following location block to the server block file. By default, the file is located at /etc/nginx/sites-available/default.
Edit the file and add the location block inside the server block as shown here:
    server {
        . . .
        location ~ /.well-known {
            allow all;
        }
        . . .
    }
2) Take note of what your document root is set to inside the server block by searching for the root directive, as that path is required by the Webroot plugin.
3) Save and exit the file.
4) Run the Nginx configuration test to ensure the syntax is correct.
5) If the syntax is ok, restart the server to incorporate the new changes.
6) Now the certbot command can be used to generate the SSL certificates for your domain name.
The placeholder < document root > stands for the actual path from the root directive in the server block. An example of a root would be /var/www/html, but yours may be different.
The client will automatically obtain and install a new SSL certificate that is valid for the domains passed as parameters; in this case, example.com is used as an example domain. Multiple domains can be added by repeating the -d option.
The first domain name in the list of parameters will be the base domain used by Let's Encrypt to create the certificate; for that reason, it is recommended that you pass the bare top-level domain name first in the list, followed by any additional subdomains or aliases:
    ~$ certbot certonly --webroot --webroot-path=< document root > -d example.com -d www.example.com
For this example, the base domain will be example.com.
7) You will be prompted to provide an email address for lost key recovery and notices, and you will need to agree to the Let's Encrypt terms of service. You'll then be asked to choose between enabling both http and https access or forcing all requests to redirect to https. It is recommended to force all requests to redirect to https for maximum security.
8) When the installation is finished, you should be able to find the generated certificate files under:
    /etc/letsencrypt/live
4 - Configure SSL/TLS on Nginx web server
Now that the SSL certificates are generated, Nginx must be configured to use them.
Edit the server block file again and delete or comment out the following lines:
    listen 80 default_server;
    listen [::]:80 default_server ipv6only=on;
To configure Nginx to listen on port 443 with SSL enabled, add the following lines inside the server block:
    listen 443 ssl;
    server_name example.com www.example.com;
    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
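Before restarting Nginx it is worth checking the edited server block against what sections 3 and 4 require: the .well-known location block with allow all, a listen 443 ssl directive, no remaining plaintext listen on port 80 in that block, and a certificate/key pair that lives under /etc/letsencrypt/live/<base domain>/. The script below is an added example written for this guide, not part of the original page or of certbot or Nginx; the two embedded configurations are constructed samples using the guide's example paths and domain, and the directive parser handles only simple "name args;" directives, which is all these checks need.

```python
import re

# Constructed sample: the server block as it should look after steps 3 and 4
# (example.com and /var/www/html are the guide's examples, not real values).
SAMPLE_CONFIG = """
server {
    listen 443 ssl;
    server_name example.com www.example.com;
    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
    root /var/www/html;

    location ~ /.well-known {
        allow all;
    }
}
"""

# Constructed sample: the stock default block before any edits (port 80 only).
SAMPLE_PLAIN_HTTP = """
server {
    listen 80 default_server;
    listen [::]:80 default_server ipv6only=on;   # IPv6 listener
    root /var/www/html;
    server_name _;
}
"""

LIVE_DIR = "/etc/letsencrypt/live/"


def strip_comments(text):
    """Drop everything after '#' on each line so commented-out directives are ignored."""
    return "\n".join(line.split("#", 1)[0] for line in text.splitlines())


def directives(text):
    """Return (name, [args]) for every simple 'name arg ...;' directive in the text.
    Block openers such as 'server {' and 'location ... {' are not matched."""
    pattern = re.compile(r"(?m)^\s*([a-z_]+)\s+([^;{}]+);")
    return [(m.group(1), m.group(2).split()) for m in pattern.finditer(strip_comments(text))]


def port_of(listen_arg):
    """'443', '[::]:443' and '127.0.0.1:443' all map to '443'."""
    return listen_arg.rsplit(":", 1)[-1]


def check_tls_server_block(config):
    """Check one server block against the guide's steps. True means the requirement holds."""
    cleaned = strip_comments(config)
    ds = directives(config)
    listens = [args for name, args in ds if name == "listen"]
    names = [a for name, args in ds if name == "server_name" for a in args]
    certs = [args[0] for name, args in ds if name == "ssl_certificate"]
    keys = [args[0] for name, args in ds if name == "ssl_certificate_key"]

    # Step 3: the ACME challenge directory must be served ("allow all").
    acme = re.search(r"location\s+~\s+/\.well-known\s*\{[^}]*\ballow\s+all;", cleaned)

    # Step 4: the first server_name is the base domain, whose live/ directory
    # holds fullchain.pem and privkey.pem.
    base = names[0] if names else None
    live = LIVE_DIR + base + "/" if base else None
    cert_ok = (
        live is not None
        and certs == [live + "fullchain.pem"]
        and keys == [live + "privkey.pem"]
    )

    return {
        "acme_location": acme is not None,
        "listens_443_ssl": any(port_of(a[0]) == "443" and "ssl" in a for a in listens),
        # The guide removes the port-80 listeners from this block; a plaintext
        # listener left here would serve the site without TLS.
        "no_plain_http": not any(port_of(a[0]) == "80" and "ssl" not in a for a in listens),
        "cert_and_key_under_live_dir": cert_ok,
    }


if __name__ == "__main__":
    for label, cfg in (("after edits", SAMPLE_CONFIG), ("stock default", SAMPLE_PLAIN_HTTP)):
        print(label, check_tls_server_block(cfg))
```

Run it against your own file with `check_tls_server_block(open("/etc/nginx/sites-available/default").read())`; every value should be True before you restart Nginx, and the Nginx configuration test from step 4 is still needed, since this script checks only the guide's requirements and not general syntax.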
5 - Set Up Auto Renewal
Let's Encrypt SSL certificates are only valid for 90 days, so it is advised to set up auto renewal to ensure the certificates remain valid.
To do this, use crontab:
    ~$ sudo crontab -e
Your text editor will open the default crontab, which is a text file with some help text in it. Paste the following line at the end of the file, then save and close it:
    15 3 * * * /usr/bin/certbot renew >> /var/log/le-renew.log
The 15 3 * * * part of this line means "run the following command at 3:15 am, every day". You can choose and configure any time to run the command.
This will run the renew command for Certbot, which checks all certificates installed on the system and updates any that are set to expire in less than thirty days.
It will also send the output to the le-renew.log file.
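The 90-day validity and 30-day renewal window described above are easy to check by hand: the expiry date of the installed certificate is printed by `openssl x509 -noout -enddate -in /etc/letsencrypt/live/example.com/fullchain.pem`, and the cron entry must fire at least daily so the window is never missed. The script below is an added example written for this guide, not part of the original page, certbot or OpenSSL; it parses the `notAfter=...` line in the format OpenSSL prints, classifies the certificate as ok, due for renewal or expired, and validates the schedule fields of the crontab line. The dates and the sample enddate lines are constructed for the demonstration.

```python
from datetime import datetime, timedelta, timezone

VALIDITY_DAYS = 90        # lifetime of a Let's Encrypt certificate (from the guide)
RENEW_WINDOW_DAYS = 30    # certbot renew acts when less than this many days remain


def parse_openssl_enddate(line):
    """Parse 'notAfter=Jun  1 12:00:00 2024 GMT' as printed by
    'openssl x509 -noout -enddate'. The trailing zone is always GMT."""
    value = line.strip().split("=", 1)[1]
    stamp, zone = value.rsplit(" ", 1)
    if zone != "GMT":
        raise ValueError("unexpected time zone in enddate line: " + zone)
    # strptime treats the space in '%b %d' as "one or more", so 'Jun  1' parses.
    return datetime.strptime(stamp, "%b %d %H:%M:%S %Y").replace(tzinfo=timezone.utc)


def renewal_status(enddate_line, now):
    """Return (state, days_remaining) where state is 'ok', 'due' or 'expired'."""
    not_after = parse_openssl_enddate(enddate_line)
    days = (not_after - now) / timedelta(days=1)
    if days <= 0:
        return "expired", days
    if days < RENEW_WINDOW_DAYS:
        return "due", days
    return "ok", days


def cron_schedule_ok(cron_line):
    """True when the crontab line has valid minute/hour fields and fires every day
    (day-of-month, month and day-of-week all '*'), which guarantees that a
    certificate entering its 30-day window is renewed by the next run."""
    fields = cron_line.split()
    if len(fields) < 6:
        raise ValueError("crontab line needs five schedule fields and a command")
    minute, hour, dom, month, dow = fields[:5]
    if not (minute.isdigit() and 0 <= int(minute) <= 59):
        return False
    if not (hour.isdigit() and 0 <= int(hour) <= 23):
        return False
    return dom == month == dow == "*"


if __name__ == "__main__":
    # Constructed sample: pretend today is 1 May 2024.
    today = datetime(2024, 5, 1, tzinfo=timezone.utc)
    for line in ("notAfter=Jun  1 12:00:00 2024 GMT",   # 31.5 days left -> ok
                 "notAfter=May 20 00:00:00 2024 GMT",   # 19 days left   -> due
                 "notAfter=Apr 30 00:00:00 2024 GMT"):  # already past   -> expired
        print(line, "->", renewal_status(line, today))
    print(cron_schedule_ok("15 3 * * * /usr/bin/certbot renew >> /var/log/le-renew.log"))
```

Pipe the real OpenSSL output into `renewal_status` with `now=datetime.now(timezone.utc)`; a certificate that stays in the "due" state across several daily runs means the cron job or the webroot validation is failing, and /var/log/le-renew.log is the first place to look.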