If you’re hosting a web page that you intend for anyone else to access, you really should make sure you have an SSL certificate. Nowadays any major web browser is going to present a warning to users if they browse to a page without https, and in many cases users will click away or may not know how to proceed. Fortunately, adding a certificate with Let’s Encrypt is both free and painless.
First things first, you’ll want to have completed the following:
- Have a server setup and updated.
- Nginx installed and configured with a server configuration for your hostname(s).
- A domain name, with an A record created pointing to your server’s IP address. You may or may not want to include both records, with “www” and without. You may also use a subdomain.
Install Certbot
If you haven’t already, install Certbot.
sudo apt install certbot python3-certbot-nginx
Verify Nginx Configuration
For this guide it’s assumed you have set up Nginx and have valid configuration files for the hostnames to be enabled for HTTPS. As a sanity check, make sure the current config is valid. Open the files and review them, then perform a validation.
sudo nginx -t
If you make further changes to your Nginx config as part of this process, re-verify the config and, once done, reload the Nginx service.
sudo systemctl reload nginx
Update Firewalls (Allow port 443)
If you followed the previous setup guide, then port 443 may currently not be open to inbound traffic. To allow people to connect to your server over https, run the following if you are using UFW as your firewall. If you are using a different firewall, then follow whatever steps are necessary to open inbound traffic on port 443.
sudo ufw allow 'Nginx Full'
sudo ufw delete allow 'Nginx HTTP'
sudo ufw status
Confirm that the following rules are active (if using UFW).
Status: active
To                         Action      From
--                         ------      ----
OpenSSH                    ALLOW       Anywhere
Nginx Full                 ALLOW       Anywhere
OpenSSH (v6)               ALLOW       Anywhere (v6)
Nginx Full (v6)            ALLOW       Anywhere (v6)
Generate a New Certificate
With the above out of the way, it’s time to generate a certificate. To do this, run the following. If you are only configuring one hostname, remove the second -d and its hostname.
sudo certbot --nginx -d your-url.com -d www.your-url.com --elliptic-curve=secp384r1
The above works equally for subdomains.
As of version 2.0 of Certbot, certificates are issued using ECDSA by default. Prior to this, RSA certificates were issued. ECDSA has performance advantages over RSA while remaining secure, and it is nowadays broadly recommended for use with SSL certificates. In this guide we have upped the security by requesting an ECDSA P-384 certificate. The --elliptic-curve=secp384r1 option is optional and you can omit it to generate a P-256 certificate, but performance with P-384 is still good. For new certificates I wouldn’t recommend going back to RSA.
When prompted supply a valid email address (so that you get warnings of expiring certificates), and feel free to opt out of any future communications.
(Optional) Change Existing RSA Certificates to ECDSA
If you are reading this and have an existing RSA certificate you would like to change to ECDSA P-384, then you can use the following.
certbot reconfigure --cert-name your-url.com --elliptic-curve=secp384r1
Test the reconfigured settings using the following, which simulates a renewal of the certificate without actually issuing one.
certbot renew --cert-name your-url.com --dry-run
Once satisfied that there are no errors and you are getting the correct certificate type, run the following to force a recreation of your certificate, this time with ECDSA.
certbot renew --cert-name your-url.com --force-renewal
Verify Certificate Auto-Renewal
With the certificate generated, check that you have a scheduled task in place to auto renew the certificate. This is automatically set up when creating the certificate and no manual changes should be necessary.
sudo systemctl status certbot.timer
The output will be something like this:
root@storage:~# sudo systemctl status certbot.timer
● certbot.timer - Run certbot twice daily
Loaded: loaded (/lib/systemd/system/certbot.timer; enabled; preset: enabled)
Active: active (waiting) since Fri 2024-01-26 11:39:48 AEDT; 1 day 10h ago
Trigger: Sun 2024-01-28 05:46:11 AEDT; 7h left
Triggers: ● certbot.service
Jan 26 11:39:48 storage systemd[1]: Started certbot.timer - Run certbot twice daily.
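The guide says to check that you are "getting the correct certificate type" after the reconfigure step and that renewal is scheduled, but does not show how to confirm either from the certificate itself. The following is an added example (not part of the original guide or of Certbot) that reads the curve out of a PEM certificate and checks whether it falls inside the 30-day window Certbot renews in; it assumes openssl is on PATH and Certbot’s usual /etc/letsencrypt/live/<name>/cert.pem layout, and builds a constructed self-signed P-384 certificate so it can run offline.

```shell
#!/bin/sh
# Added example, not from the original guide or from Certbot.
# Assumes: openssl on PATH; Certbot's layout /etc/letsencrypt/live/<name>/cert.pem.

# Print the named curve of a PEM certificate's public key (e.g. secp384r1).
# Prints nothing for an RSA certificate, which is how you spot one that
# was never reconfigured to ECDSA.
cert_curve() {
    openssl x509 -in "$1" -noout -text | sed -n 's/^ *ASN1 OID: *//p'
}

# Return 0 (true) when the certificate expires within the given number of
# days. Certbot renews once 30 days remain, so a live certificate closer
# than that means certbot.timer or the renewal itself is failing.
cert_expires_within() {
    days=$1; pem=$2
    if openssl x509 -in "$pem" -noout -checkend $((days * 86400)) >/dev/null; then
        return 1
    fi
    return 0
}

# Curve of the certificate actually served on port 443 for a hostname
# (SNI is set), to compare with the file Certbot wrote. Needs network,
# so it is not exercised in the offline demo below.
served_cert_curve() {
    openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null |
        openssl x509 -noout -text | sed -n 's/^ *ASN1 OID: *//p'
}

# Constructed sample: a self-signed P-384, 90-day certificate standing in
# for /etc/letsencrypt/live/your-url.com/cert.pem.
SAMPLE_DIR=$(mktemp -d)
SAMPLE_CRT="$SAMPLE_DIR/cert.pem"
openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:secp384r1 -nodes \
    -keyout "$SAMPLE_DIR/privkey.pem" -out "$SAMPLE_CRT" -days 90 \
    -subj "/CN=your-url.com" 2>/dev/null

echo "curve: $(cert_curve "$SAMPLE_CRT")"
if cert_expires_within 30 "$SAMPLE_CRT"; then
    echo "WARNING: certificate expires within 30 days; check certbot.timer"
else
    echo "certificate is outside the 30-day renewal window"
fi
```

Point cert_curve at your real cert.pem and expect secp384r1 after the reconfigure step; an empty result means the certificate on disk is still RSA.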
Nginx Review
You should now have a valid SSL certificate that will be used by Nginx when serving pages. Having created a new certificate, you may want to open your Nginx site configuration. You will see that Certbot has updated the configuration to have the server listen on port 443 (https), to redirect port 80 traffic (http) to 443, and to update the paths of your certificates. Depending on your site, you may need to update its pages to use https.
Conclusion
If you’ve followed the above you should now have an ECDSA certificate issued by Let’s Encrypt that will auto-renew for you. Anyone accessing your page will no longer get any https-related warnings or errors, and your ability to appear in search results and the like is improved.