
How To Secure Nginx webserver with Let’s Encrypt on Ubuntu 18.04 using certbot

Introduction

Let’s Encrypt is a free, automated and open-source Certificate Authority (CA). To obtain a certificate from Let’s Encrypt, you must demonstrate control over the domain.

You can use the Certbot ACME (Automatic Certificate Management Environment) client to obtain the certificate and do the configuration.

Certbot

Certbot is a free, open-source software tool for automatically using Let’s Encrypt certificates on manually administered websites to enable HTTPS.

Certbot might be right for you if you:

  • are comfortable with the command line. The command line is a way of interacting with a computer by typing text-based commands and receiving text-based replies. Certbot is run from a command-line interface, usually on a Unix-like server. To use Certbot for most purposes, you need to be able to install and run it on the command line of your web server.
  • have an HTTP website that is already online. Certbot is usually used to switch an existing HTTP site to HTTPS (and, afterwards, to keep renewing the site’s HTTPS certificates whenever necessary). The Certbot documentation assumes or recommends that you have a working website that can already be accessed over HTTP on port 80.
  • administer your website via a dedicated server. A dedicated server is a server that only hosts the contents or services for a single website administrator.

Using Certbot with Nginx

Make sure that you have SSH access to the server and that you already have a website up and running on port 80.

  • Go to the Certbot website
  • Choose Nginx and Ubuntu 18.04 from the software and system dropdowns

Once you have selected both the software and the system, the page redirects you to the install instructions.

Add Certbot PPA

$ sudo apt-get update
$ sudo apt-get install software-properties-common
$ sudo add-apt-repository universe
$ sudo add-apt-repository ppa:certbot/certbot
$ sudo apt-get update

Install Certbot

$ sudo apt-get install certbot python-certbot-nginx

Certificate auto-configuration

Run this command to get a certificate and have Certbot edit your Nginx configuration automatically to serve it, turning on HTTPS access in a single step.

$ sudo certbot --nginx

Below you can see the output of this command. You will be prompted for:

  • an email address for notifications
  • acceptance of the terms of service
  • whether to share your email address with the EFF
  • the names of the domains to activate HTTPS for
  • whether or not to redirect HTTP traffic to HTTPS

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx
Enter email address (used for urgent renewal and security notices)
If you really want to skip this, you can run the client with
--register-unsafely-without-email but make sure you then backup your account key
from /etc/letsencrypt/accounts
 (Enter 'c' to cancel): devopsbyte@gmail.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server at
https://acme-v02.api.letsencrypt.org/directory
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(A)gree/(C)ancel: A
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about our work
encrypting the web, EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: N
Which names would you like to activate HTTPS for?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: devopsbyte.com
2: www.devopsbyte.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for devopsbyte.com
http-01 challenge for www.devopsbyte.com
Waiting for verification...
Cleaning up challenges
Deploying Certificate to VirtualHost /etc/nginx/sites-enabled/devopsbyte
Deploying Certificate to VirtualHost /etc/nginx/sites-enabled/devopsbyte
Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Redirecting all traffic on port 80 to ssl in /etc/nginx/sites-enabled/devopsbyte
Redirecting all traffic on port 80 to ssl in /etc/nginx/sites-enabled/devopsbyte
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations! You have successfully enabled https://devopsbyte.com and
https://www.devopsbyte.com
You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=devopsbyte.com
https://www.ssllabs.com/ssltest/analyze.html?d=www.devopsbyte.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/devopsbyte.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/devopsbyte.com/privkey.pem
   Your cert will expire on 2020-03-26. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot again
   with the "certonly" option. To non-interactively renew *all* of
   your certificates, run "certbot renew"
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.
 - If you like Certbot, please consider supporting our work by:
   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

Or, just get a certificate

If you just need the certificate and you don’t want Certbot to update your configuration, run:

$ sudo certbot certonly --nginx

Test automatic renewal

The Certbot packages on your system come with a cron job or systemd timer that will renew your certificates automatically before they expire. You will not need to run Certbot again unless you change your configuration. You can test renewal by running the command below:

$ sudo certbot renew --dry-run

Confirm that Certbot worked

To confirm that your site is set up properly, visit https://domain.com in your browser and look for the lock icon in the URL bar. If you want to check that you have the top-of-the-line installation, you can head to https://www.ssllabs.com/ssltest/.

Verify that the cron job was created

Check the /etc/cron.d/certbot file:

# /etc/cron.d/certbot: crontab entries for the certbot package
#
# Upstream recommends attempting renewal twice a day
#
# Eventually, this will be an opportunity to validate certificates
# haven't been revoked, etc.  Renewal will only occur if expiration
# is within 30 days.
#
# Important Note!  This cronjob will NOT be executed if you are
# running systemd as your init system.  If you are running systemd,
# the cronjob.timer function takes precedence over this cronjob.  For
# more details, see the systemd.timer manpage, or use systemctl show
# certbot.timer.
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
0 */12 * * * root test -x /usr/bin/certbot -a \! -d /run/systemd/system && perl -e 'sleep int(rand(43200))' && certbot -q renew
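The cron entry above only runs when systemd is absent (the `-d /run/systemd/system` test), and Certbot only renews once expiry is within 30 days. The script below is an added example, not from the page or the Certbot project: it reports which renewal mechanism applies to the host and how many days the live certificate has left, using the certificate path from the output shown earlier. It assumes GNU `date` (as on Ubuntu) and `openssl` are installed, and the domain is a placeholder you set via the DOMAIN variable.

```shell
#!/bin/sh
# Added example: post-install renewal check for a Certbot/Nginx host.
# DOMAIN is a placeholder; the default matches the page's output.
DOMAIN="${DOMAIN:-devopsbyte.com}"
CERT="/etc/letsencrypt/live/$DOMAIN/fullchain.pem"

# Mirror the guard in /etc/cron.d/certbot: the cron job is skipped when
# systemd is the init system, so the certbot.timer unit does the renewing.
# $1 lets a caller test a different directory (default as in the cron line).
renewal_mechanism() {
    if [ -d "${1:-/run/systemd/system}" ]; then
        echo "systemd-timer"
    else
        echo "cron"
    fi
}

# Whole days between notAfter ($1, epoch seconds) and now ($2, epoch seconds).
days_left() {
    echo $(( ($1 - $2) / 86400 ))
}

# True (exit 0) when the certificate is inside Certbot's 30-day renewal window.
needs_renewal() {
    [ "$(days_left "$1" "$2")" -lt 30 ]
}

# Read the live certificate's notAfter with openssl and report on it.
check_live_cert() {
    [ -r "$CERT" ] || { echo "no readable certificate at $CERT"; return 2; }
    enddate=$(openssl x509 -in "$CERT" -noout -enddate | cut -d= -f2)
    end_epoch=$(date -u -d "$enddate" +%s)   # GNU date parses openssl's format
    now=$(date -u +%s)
    printf '%s: %s days left, renewal via %s\n' \
        "$DOMAIN" "$(days_left "$end_epoch" "$now")" "$(renewal_mechanism)"
    if needs_renewal "$end_epoch" "$now"; then
        echo "inside the 30-day window: renewal should already have run;" \
             "check 'sudo certbot renew --dry-run' and the timer or cron job"
        return 1
    fi
    return 0
}

# Run the live check only when invoked as: sh check-renewal.sh --check
if [ "${1:-}" = "--check" ]; then
    check_live_cert
fi
```

A non-zero exit from `--check` is the signal to look at `systemctl list-timers certbot.timer` or the cron log rather than waiting for the browser warning.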

Follow this link to learn more about Nginx.
