I'll show you how to use "Let’s Encrypt" (a Certificate Authority, or CA) to install free SSL certificate, thereby enabling encrypted HTTPS communication with your webserver.
Together with Certbot the entire process is mostly automated and requires few manual steps. In addition certbot will ensure your certificate renews automatically.
This tutorial builds on top of "Hosting a Website with nginx on Genesis Cloud", so make sure you've already set up Nginx and a static website.
The example-website domain we'll be using is the same as in the previous Nginx tutorials: intuitive.run
Step 1: Install Certbot
First, we need to add the certbot repository:
$ sudo add-apt-repository ppa:certbot/certbot
Confirm with ENTER.
Then, let's update it:
$ sudo apt update
Now we can install the certbot-nginx package:
$ sudo apt install python-certbot-nginx
Step 2: Verify Nginx Config
In order to automatically configure SSL, certbot needs to find the right nginx server block. It does this, by checking the key server_name in the file /etc/nginx/sites-available/intuitive.run
If you've followed thee previous tutorial, this should already be correct. However, to make sure let's check it directly with the cat command (or any other text editor like nano):
It should say (with your domain name):
server_name intuitive.run www.intuitive.run;
Step 3: Adjusting the firewall and allowing HTTPS
Next, we need to check if the ufw (uncomplicated firewal) is allowing the right traffic (HTTPS in our case).
We do this by first checking the application configurations that ufw knows via:
$ sudo ufw app list
Per default, it should show four possible profiles:
- Nginx Full: Opens both port 80 (normal, unencrypted web traffic) and port 443 (TLS/SSL encrypted traffic)
- Nginx HTTP: Opens only port 80 (normal, unencrypted web traffic)
Nginx HTTPS: Opens only port 443 (TLS/SSL encrypted traffic)
OpenSSH: Opens only port 443 (to allow the ssh connection)
To check the active profiles type:
$ sudo ufw status
If it shows "Status: inactive", enable it with sudo ufw enable.
Which will show that Nginx Full (HTTP+HTTPS), Nginx (HTTP) and SSH is allowed (for IPv4 and IPv6):
As Nginx HTTP is redundant, we'll delete it:
$ sudo ufw delete allow 'Nginx HTTP'
After that the command $ sudo ufw status should reveal the following:
Step 4: Get the SSL Certificate
Certbot helps you actually getting the SSL certificate you need to enable HTTPS on your site. It will reconfigure Nginx and reload the config if necessary. To get started, type the following (replacing intuitive.run with your domain):
$ sudo certbot --nginx -d intuitive.run -d www.intuitive.run
After that it'll ask you weather you want to redirect all traffic to HTTPS or not, so chose either 1 or 2:
Congratulations! You now have now a valid certificate for your domain. Check if it works by visiting your domain in a browser of your choice: www.intuitive.run
It should indicate that the site is HTTPS secured, usually with a lock next to the URL.
Step 5: Verify that your Certbot Auto-Renewal Works
Let’s Encrypt’s certificates are only valid for ninety days. The certbot package we installed takes care of this for us by adding a renewal script that runs twice daily to /etc/cron.d. This cron job will automatically renew any certificate if it's within thirty days of expiration.
To test the renewal process, you can type:
$ sudo certbot renew --dry-run
If you see no errors, your website is looking into a bright, certified and encrypted future with auto-renewal! :)