Configuring SSL for HTTPS with Certbot + Let's Encrypt + Nginx
Let's Encrypt makes HTTPS available to everyone for free. In this article, we will introduce how to use the Certbot application tool to configure an SSL certificate for HTTPS of a domain name on a personal server.
What is Certbot
To apply for and use a free HTTPS certificate from Let's Encrypt, we need a tool that requests and manages the certificate. Certbot is the officially recommended client, and we use it to request and renew our certificates.
You can read [here](https://juejin.im/entry/58d7635e5c497d0057fae036) about what HTTPS is, and [here](https://letsencrypt.org/zh-cn/getting-started/) about what Let's Encrypt is.
Certbot supports most Linux distributions and is easy to use. My system here is Ubuntu; on CentOS or other distributions the installation is similar. I install it directly from the official package:
sudo apt update && sudo apt install certbot
After the installation is successful, you need to use the sudo command to run it. Let's run it and see:
sudo certbot -h
Get certificate
After installing the management tools, we need to apply for a certificate. My web server here is NGINX, and I do not have a static directory for the website, so I use this command to apply:
sudo certbot certonly --standalone -d example.com -d www.example.com -d m.example.com
If your website has a static directory, you can change --standalone to --webroot and add the -w parameter pointing at that directory, similar to this:
sudo certbot certonly --webroot -w /var/www/example -d example.com -d www.example.com
When you use --standalone to apply for a certificate, you need to stop nginx first, because certbot itself opens port 443 to verify your domain name; if nginx is still running, the port is occupied and the verification fails. I am using Ubuntu here, so I use this command to stop nginx:
sudo service nginx stop
Configure certificate
After the certificate has been issued, it is stored under the /etc/letsencrypt/live/ directory (one subdirectory per certificate name, here /etc/letsencrypt/live/example.com/). Let's check that the files are there and then open the nginx configuration file to set the certificate paths:
cd /etc/nginx/sites-enabled/
Edit configuration file
sudo vim example.com.conf
with content like this:
server {
    server_name example.com www.example.com;
    # TLS is enabled with the ssl parameter on listen; the old "ssl on;" directive is deprecated.
    listen 443 ssl;
    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
    location / {
        proxy_pass http://127.0.0.1:3999;
        proxy_http_version 1.1;
        # Header names use hyphens; applications look for X-Forwarded-Proto.
        proxy_set_header X-Forwarded-Proto https;
        proxy_set_header X-Real-IP $remote_addr;
        # $proxy_add_x_forwarded_for appends the client address to any existing X-Forwarded-For.
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $host;
    }
}
After saving and exiting, use the nginx test command to check that the configuration is valid:
sudo nginx -t
If there is no problem, reload it:
sudo service nginx reload
Start nginx again (it was stopped for the standalone verification):
sudo service nginx start
After nginx has started, open the site in a browser to check that the certificate is in use: https://example.com
If the browser shows the certificate as valid, it has worked.
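As an added example that is not part of the original article, the following shell script renders a complete server configuration for a domain (a port 80 server that redirects to HTTPS plus a TLS server like the one above, using the same /etc/letsencrypt/live/<domain>/ paths and an assumed upstream port) and lints a configuration file for mistakes that nginx -t does not catch: the deprecated ssl on; directive, listen 443; without the ssl parameter, an underscore in a forwarded header name (applications look for X-Forwarded-Proto), and a missing HTTP-to-HTTPS redirect. The domain, port and output path are placeholders.

```shell
#!/bin/sh
# Added example, not code from the original article: render a complete nginx
# TLS server block for a domain and lint a config for defects that are easy to
# make by hand: the deprecated "ssl on;" directive, "listen 443;" without the
# ssl parameter, an underscore in a proxied header name (X_FORWARDED_PROTO),
# and a missing port 80 server that redirects plain HTTP to HTTPS.
# Assumptions: certificates live under /etc/letsencrypt/live/<domain>/ as in
# the article; the upstream port is given as a parameter.

# render_tls_server DOMAIN UPSTREAM_PORT
# Prints a server block pair: port 80 redirects, port 443 terminates TLS and
# proxies to the application with the usual forwarding headers.
render_tls_server() {
  domain="$1"
  port="$2"
  cat <<EOF
server {
    listen 80;
    server_name ${domain} www.${domain};
    # Send every plain-HTTP request to the HTTPS site.
    return 301 https://\$host\$request_uri;
}

server {
    listen 443 ssl;
    server_name ${domain} www.${domain};

    ssl_certificate     /etc/letsencrypt/live/${domain}/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/${domain}/privkey.pem;
    ssl_protocols TLSv1.2 TLSv1.3;

    location / {
        proxy_pass http://127.0.0.1:${port};
        proxy_http_version 1.1;
        proxy_set_header X-Forwarded-Proto https;
        proxy_set_header X-Real-IP \$remote_addr;
        proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
        proxy_set_header Host \$host;
    }
}
EOF
}

# lint_tls_conf FILE
# Prints one line per finding and returns 1 if anything was found, 0 otherwise.
# Run it before "nginx -t": nginx -t checks syntax, not these mistakes.
lint_tls_conf() {
  file="$1"
  rc=0
  if grep -Eq '^[[:space:]]*ssl[[:space:]]+on[[:space:]]*;' "$file"; then
    echo "$file: 'ssl on;' is deprecated, use 'listen 443 ssl;'"
    rc=1
  fi
  if grep -Eq 'listen[[:space:]]+443[[:space:]]*;' "$file"; then
    echo "$file: 'listen 443;' lacks the ssl parameter"
    rc=1
  fi
  if grep -Eq 'proxy_set_header[[:space:]]+[A-Za-z]+_' "$file"; then
    echo "$file: proxied header name contains '_', use hyphens (X-Forwarded-Proto)"
    rc=1
  fi
  if ! grep -Eq 'listen[[:space:]]+80[[:space:]]*;' "$file"; then
    echo "$file: no port 80 server, plain HTTP will not be redirected to HTTPS"
    rc=1
  fi
  return "$rc"
}

# Usage: write the rendered config to a temporary file and lint it.
# In practice the output goes to /etc/nginx/sites-enabled/<domain>.conf,
# followed by "sudo nginx -t" and "sudo service nginx reload".
conf="$(mktemp)"
render_tls_server example.com 3999 > "$conf"
lint_tls_conf "$conf" && echo "$conf: no findings"
```

The linter is deliberately a few greps rather than a parser: the point is that a configuration can pass nginx -t and still serve the site without TLS on port 443 or without the redirect, so these checks belong in whatever step deploys the file.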
Update certificate
Because a Let's Encrypt certificate is only valid for 90 days, it has to be renewed before it expires if we want to keep using it. Since we installed the nginx certificate in --standalone mode, the renewal needs the port free as well, so nginx must be stopped again first:
sudo service nginx stop
Then run this command to renew (append --dry-run to it first if you want to simulate the renewal without changing anything):
sudo certbot renew
Alternatively, we can let the system's scheduler renew it when the expiry is near. According to Let's Encrypt, a certificate is renewed only once it has less than one month of validity left (certbot renew skips certificates that are not yet due), so scheduling the renewal every two months is enough. Here we write a cron entry that runs the renewal at 2:15 am during every second month; because certbot renew only acts when the certificate is due, and the pre- and post-hooks run only when a renewal actually happens, nginx is not stopped on the other runs. The entry uses the five-field user-crontab format (no user column), because it will be installed with crontab -u root below:
15 2 * */2 * certbot renew --pre-hook "service nginx stop" --post-hook "service nginx start"
Then the execution of this command requires the permissions of the root user. We log in as the root user:
sudo su
Then create a file, call it cronfile, and write the schedule into it:
touch cronfile
echo '15 2 * */2 * certbot renew --pre-hook "service nginx stop" --post-hook "service nginx start"' > ./cronfile
After finishing, install it as root's crontab (note that this replaces any crontab root already has):
crontab -u root ./cronfile
After it has been installed, use -l to view the schedule:
crontab -l
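To verify that the scheduled renewal is actually working, here is an added example script (not from the original article) that reads the expiry date of the certificate on disk with openssl, compares it with the 30-day window in which certbot renew acts, and also reads the expiry of the certificate the live site serves, since a renewed file only takes effect after nginx has reloaded it. It assumes GNU date for date -d, openssl on PATH, and the /etc/letsencrypt/live/<domain>/fullchain.pem path used above; run it from cron as root, and a non-zero exit (or the cron mail) tells you that renewal has stalled before the site goes down.

```shell
#!/bin/sh
# Added example, not code from the original article: check how long a
# Let's Encrypt certificate has left and whether it is inside the 30-day
# window in which "certbot renew" actually renews it. Intended for a cron
# job or a post-renewal check: a non-zero exit means the renewal is not
# happening and someone should look before the site goes down.
# Assumptions: GNU date (for "date -d"), openssl on PATH, and certificates
# under /etc/letsencrypt/live/<domain>/fullchain.pem as in the article.

RENEW_WINDOW_DAYS=30

# days_between NOW_EPOCH NOTAFTER_EPOCH
# Prints the number of whole days from NOW to NOTAFTER (negative if expired).
days_between() {
  echo $(( ($2 - $1) / 86400 ))
}

# should_renew NOTAFTER [NOW_EPOCH]
# NOTAFTER is the date string openssl prints after "notAfter=", for example
# "Jun 30 12:00:00 2030 GMT". Returns 0 when RENEW_WINDOW_DAYS or fewer days
# remain (certbot would renew now), 1 when the certificate is not yet due,
# 2 when the date cannot be parsed. NOW_EPOCH defaults to the current time.
should_renew() {
  notafter_epoch="$(date -u -d "$1" +%s)" || return 2
  now_epoch="${2:-$(date -u +%s)}"
  [ "$(days_between "$now_epoch" "$notafter_epoch")" -le "$RENEW_WINDOW_DAYS" ]
}

# cert_notafter CERT_FILE
# Prints the notAfter date of a PEM certificate on disk.
cert_notafter() {
  openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//'
}

# served_notafter HOST
# Prints the notAfter date of the certificate the live site actually serves,
# which is the thing to compare after "service nginx reload": a renewed file
# on disk does nothing until nginx has loaded it.
served_notafter() {
  openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null \
    | openssl x509 -noout -enddate 2>/dev/null | sed 's/^notAfter=//'
}

# check_cert DOMAIN
# Reports days left for the on-disk certificate and the served certificate.
# Exit 0: fine, 1: inside the renewal window (renewal should have happened),
# 2: already expired or unreadable.
check_cert() {
  domain="$1"
  disk="$(cert_notafter "/etc/letsencrypt/live/$domain/fullchain.pem")" || return 2
  served="$(served_notafter "$domain")"
  [ -n "$served" ] || served="(not reachable)"
  now="$(date -u +%s)"
  left="$(days_between "$now" "$(date -u -d "$disk" +%s)")"
  echo "$domain: on disk expires $disk ($left days left); served: $served"
  [ "$left" -ge 0 ] || return 2
  if should_renew "$disk" "$now"; then
    echo "$domain: inside the $RENEW_WINDOW_DAYS-day window, check that certbot renew is running"
    return 1
  fi
  return 0
}

# Usage (as root, for example from a daily cron entry): check_cert example.com
```

With the two-month schedule above, the on-disk certificate should never show fewer than about 30 days left; if this check reports that it does, the cron job, the pre-hook (port still occupied) or certbot itself has failed and the output of certbot renew in /var/log/letsencrypt is the place to look.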
Finish
Our certificate setup ends here. 👏
This article is reprinted from the blog of The Universe in the Shell