
Setting Up Let's Encrypt with Nginx Server

Let's Encrypt is a certificate authority (CA) that issues free, short-lived TLS certificates (still commonly called SSL certificates) through a fully automated process. The Certbot client simplifies the process further: it proves to Let's Encrypt that you control the domain, obtains the certificate, and can install it into Nginx, automating most, if not all, of the necessary steps.

For the following steps, you will need:

  • An Ubuntu 16.04 server with a non-root user that has sudo privileges and the ufw firewall enabled.
  • A domain, for example "yourdomain.com".
  • DNS records for your server that already resolve, since Let's Encrypt validates the names over the public internet:
  • an "A" record pointing "yourdomain.com" to your server's public IP address;
  • an "A" record pointing "www.yourdomain.com" to your server's public IP address.
  • Nginx installed and reachable from the internet on port 80.

1. Installation of the Certbot Client

The first step in using Let's Encrypt is to install Certbot on your server. Certbot is actively developed, so the packages in Ubuntu's own repositories are often outdated; we will therefore add the developers' repository (a PPA), which carries the latest packages. Note that both Ubuntu 16.04 and this PPA have since reached end-of-life; on current systems the Certbot project distributes the client as a snap ("sudo snap install --classic certbot"), and the remaining steps are the same.

Add the repository:

sudo add-apt-repository ppa:certbot/certbot

Then, update the package list:

sudo apt-get update

Now you can install the Certbot Nginx package:

sudo apt-get install python-certbot-nginx

Certbot is now installed, but before it can configure TLS for Nginx we need to verify that the Nginx configuration contains a "server" block it can recognize.

2. Confirm Nginx Configuration

Certbot needs to find the correct "server" block to configure TLS automatically. Specifically, it matches the names you request against the "server_name" directive. In this example the "server" block is in the file /etc/nginx/sites-available/yourdomain.com (enabled through a symlink in /etc/nginx/sites-enabled).

To confirm, you can use the "nano" editor or your favorite text editor:

sudo nano /etc/nginx/sites-available/yourdomain.com

Look for the line with "server_name," which should look something like this:

server_name yourdomain.com www.yourdomain.com;

If it looks like this, you can exit the editor and proceed to the next step. If it doesn't, edit the line so that it lists every hostname you will request a certificate for, separated by spaces. Then save the file and check the syntax:

sudo nginx -t

If there is an error, open the file again in the text editor to check for typos or missing characters. Once the file is correct, reload Nginx:

sudo systemctl reload nginx

3. Allow HTTPS through the Firewall

You can check the current firewall status with:

sudo ufw status

The first line of the output should read "Status: active".

You can view the available profiles with:

sudo ufw app list

To allow HTTPS traffic, enable the "Nginx Full" profile, which opens both port 80 (HTTP) and port 443 (HTTPS):

sudo ufw allow 'Nginx Full'

Keep port 80 open: the Nginx plugin's domain validation (the ACME HTTP-01 challenge) is answered on port 80, and the HTTP-to-HTTPS redirect configured in the next step needs it too. If you had previously allowed the narrower "Nginx HTTP" profile, it is now redundant and can be removed with "sudo ufw delete allow 'Nginx HTTP'".

Now you can use Certbot to create a certificate.

4. Get an SSL Certificate

Certbot can obtain a certificate through several plugins. The Nginx plugin proves to Let's Encrypt that you control each requested name (the challenge is answered through the running Nginx), then edits the matching "server" block to use the new certificate and reloads Nginx. Request the certificate for every name in your "server_name" line:

sudo certbot --nginx -d yourdomain.com -d www.yourdomain.com

If this is your first time using Certbot, you'll be prompted for an email address (used for expiry warnings and security notices) and to agree to the terms of service. Certbot then contacts the Let's Encrypt servers, runs the domain validation, and asks how you want HTTPS configured:

Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
-------------------------------------------------------------------------------
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for new sites, or if you're confident your site works on HTTPS. You can undo this change by editing your web server's configuration.
-------------------------------------------------------------------------------
Select the appropriate number [1-2] then [enter] (press 'c' to cancel):

The configuration will be updated, and Nginx will be reloaded to pick up the new settings. Certbot then prints a message confirming that the certificate was issued; it is stored under /etc/letsencrypt/live/yourdomain.com/ and is already active. From a security standpoint, choose option 2: serving the site over both schemes leaves visitors on plain HTTP unless they type "https://" themselves (Certbot can additionally add an HSTS header when run with "--hsts"). Load your site with "https://"; the browser should show the page as secure, typically with a lock icon in the address bar.

5. Automatic Certificate Renewal

Let's Encrypt certificates are valid for only 90 days, so they must be renewed regularly; the short lifetime limits the damage from a leaked key, but it also means renewal has to be automated. The renewal command, "certbot renew", checks every certificate Certbot manages and renews only those within 30 days of expiry, so it is safe to run daily. The Certbot packages usually install such a job themselves (a cron job in /etc/cron.d/certbot or the certbot.timer systemd unit); check for one before adding your own. If you need your own, use the "cron" service.

Open the "cron" configuration file:

sudo crontab -e

Choose your preferred editor and add the following line at the end of the file to run the renewal check daily at 3:15 AM:

15 3 * * * /usr/bin/certbot renew --quiet

Each run renews only the certificates that are due and, with "--quiet", prints nothing unless something fails, so errors still reach cron's mail. After a successful renewal Certbot reloads Nginx through the same plugin that installed the certificate; to make that explicit, or to restart other services that use the certificate, add "--deploy-hook 'systemctl reload nginx'". Before relying on the cron job, confirm that renewal works end to end by running "sudo certbot renew --dry-run", which exercises the whole flow against the Let's Encrypt staging environment without issuing a certificate.
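The checks that steps 4 and 5 leave to the reader, as an added example (this script is not part of the original tutorial and is not Certbot's or Nginx's own code): it verifies that the certificate on disk is not close to expiry (a sign the renewal job is failing), that Nginx is actually serving the certificate on disk rather than a stale one it was never reloaded with, and that plain HTTP redirects to HTTPS. It assumes openssl and curl are installed, Certbot's default layout under /etc/letsencrypt/live/, and the illustrative DOMAIN, LIVE_CERT and WARN_DAYS defaults, all of which can be overridden from the environment. Run without arguments it demonstrates the offline checks on a constructed self-signed certificate; "check" runs them against the real server.

```sh
#!/bin/sh
# tls-check.sh: sanity checks for a Let's Encrypt certificate deployed on Nginx.
# Added example for this tutorial, not Certbot's or Nginx's own code.
# Assumes: openssl and curl in PATH; Certbot's default layout under
# /etc/letsencrypt/live/<domain>/; DOMAIN, LIVE_CERT and WARN_DAYS below are
# illustrative defaults that can be overridden from the environment.
set -eu

DOMAIN="${DOMAIN:-yourdomain.com}"
LIVE_CERT="${LIVE_CERT:-/etc/letsencrypt/live/$DOMAIN/fullchain.pem}"
# certbot renew acts 30 days before expiry, so fewer than WARN_DAYS left
# means the daily renewal job has been failing for a while.
WARN_DAYS="${WARN_DAYS:-14}"

# Exit 0 if the certificate file $1 expires within $2 days, 1 otherwise.
# `openssl x509 -checkend N` exits 0 only if the cert is still valid N seconds from now.
cert_expires_within_days() {
    [ -r "$1" ] || { echo "cannot read $1" >&2; return 2; }
    if openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# SHA-256 fingerprint of the leaf certificate (first cert) in PEM file $1.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/.*=//'
}

# Fingerprint of the leaf certificate Nginx actually serves for host $1 (needs network).
served_fingerprint() {
    openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha256 | sed 's/.*=//'
}

# Read raw HTTP response headers on stdin; print the Location header value, if any.
redirect_location() {
    tr -d '\r' | awk 'tolower($1) == "location:" { print $2; exit }'
}

# Exit 0 if $2 is an https:// URL on host $1, i.e. what Certbot's "Redirect" option produces.
is_https_url_for() {
    case "$2" in
        "https://$1/"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Exit 0 if a plain-HTTP request for host $1 is redirected to HTTPS on the same host.
http_redirects_to_https() {
    is_https_url_for "$1" "$(curl -sS -I --max-time 10 "http://$1/" | redirect_location)"
}

# Build a throwaway self-signed certificate valid for $1 days (constructed demo input,
# standing in for Certbot's fullchain.pem) and print its path.
make_demo_cert() {
    dir=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days "$1" -subj "/CN=$DOMAIN" \
        -keyout "$dir/privkey.pem" -out "$dir/fullchain.pem" >/dev/null 2>&1
    echo "$dir/fullchain.pem"
}

# Offline demo on the constructed certificate: no Certbot, no network.
demo() {
    cert=$(make_demo_cert 10)
    echo "constructed certificate: $cert"
    openssl x509 -in "$cert" -noout -subject -enddate
    echo "fingerprint: $(cert_fingerprint "$cert")"
    if cert_expires_within_days "$cert" "$WARN_DAYS"; then
        echo "WARNING: fewer than $WARN_DAYS days left; a monitor should alert here"
    fi
    # Constructed response, as Nginx answers once Certbot's "Redirect" option is chosen.
    loc=$(printf 'HTTP/1.1 301 Moved Permanently\r\nLocation: https://%s/\r\n\r\n' "$DOMAIN" \
          | redirect_location)
    if is_https_url_for "$DOMAIN" "$loc"; then echo "redirect check: OK ($loc)"; fi
}

# Live checks against the real server and Certbot's on-disk certificate.
check() {
    echo "== $LIVE_CERT"
    openssl x509 -in "$LIVE_CERT" -noout -subject -issuer -enddate
    if cert_expires_within_days "$LIVE_CERT" "$WARN_DAYS"; then
        echo "WARNING: expires within $WARN_DAYS days; automatic renewal is not working" >&2
    fi
    disk_fp=$(cert_fingerprint "$LIVE_CERT")
    served_fp=$(served_fingerprint "$DOMAIN" || echo unavailable)
    if [ "$disk_fp" = "$served_fp" ]; then
        echo "OK: Nginx serves the certificate on disk"
    else
        echo "WARNING: served certificate ($served_fp) differs from disk; was Nginx reloaded?" >&2
    fi
    if http_redirects_to_https "$DOMAIN"; then
        echo "OK: http://$DOMAIN/ redirects to HTTPS"
    else
        echo "WARNING: http://$DOMAIN/ does not redirect to HTTPS" >&2
    fi
}

case "${1:-demo}" in
    demo)  demo ;;
    check) check ;;
    *)     echo "usage: $0 [demo|check]" >&2; exit 2 ;;
esac
```

Run "DOMAIN=yourdomain.com sh tls-check.sh check" from the cron job's environment after the renewal line, or from a monitoring host; the fingerprint comparison is the one that catches the classic silent failure where Certbot renewed the file but Nginx kept serving the old certificate until it expired.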
