Enabling SSL with Certbot and Nginx

Michael Schmidt
Published: Aug 24, 2024 by Michael Schmidt

Prerequisites #

Our guides are written with the expectation that the following requirements are met:

Why do you need SSL and HTTPS? #

SSL (Secure Sockets Layer, whose modern successor is TLS) secures communication between clients and servers by encrypting the data transmitted over the network. This encryption prevents unauthorized access, eavesdropping and tampering, protecting sensitive information such as login credentials, personal data and payment details.

HTTP:

Plain HTTP packets are unencrypted text and can be read by any router or other intermediary that forwards your message to the server.

HTTPS:

HTTPS traffic is encrypted end to end between client and server; with proper configuration, no intermediary can read the content of the message.

Using Certbot with Cloudflare #

If you use Cloudflare with Proxied mode enabled, Certbot cannot be used!

https://storage.selfhost.guru/images/82fb8e67-2951-4b1b-b94e-de39fca726a6.webp

NOT RECOMMENDED, but you can still use Certbot SSL by disabling Proxied mode.

https://storage.selfhost.guru/images/68318293-d9e8-4132-b3d4-46bb20d328d2.webp

Install Certbot #

Install it with this command:

sudo DEBIAN_FRONTEND=noninteractive apt install certbot python3-certbot-nginx -y

(DEBIAN_FRONTEND=noninteractive suppresses interactive dialogs during the install, such as the kernel update prompt)

Point your domain DNS to your server #

Certbot is not just a script; it is backed by an organization created to secure the internet. While you are requesting a certificate for your server, their Certificate Authority verifies the domain by connecting to your server over plain HTTP from the internet.

Check your Domain DNS setting here:

A common error message when your domain's DNS is not set up correctly:

Requesting a certificate for api.selfhost.guru

Certbot failed to authenticate some domains (authenticator: nginx). The Certificate Authority reported these problems:
  Domain: api.selfhost.guru
  Type:   unauthorized
  Detail: 2606:4700:3033::ac43:9728: Invalid response from http://api.selfhost.guru/.well-known/acme-challenge/2GTzb_F9VA5NI7F5ArNuET_7BDqpt2iylMbKAv-b1Fk: 404

Hint: The Certificate Authority failed to verify the temporary nginx configuration changes made by Certbot. Ensure the listed domains point to this nginx server and that it is accessible from the internet.

Some challenges have failed.
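As an added example (not part of the original guide), here is a pre-flight script that checks the two things the error above points at before you run certbot: that the domain resolves only to this server's own addresses, and that whatever answers on port 80 is your nginx rather than a proxy in front of it. The script name preflight.sh, the domain and the addresses in the usage line are assumptions; the addresses are documentation ranges, not real hosts.

```shell
#!/bin/sh
# Added pre-flight check, not part of the original guide.
# Run before `certbot --nginx`: confirms that DOMAIN resolves to this server's
# own public address(es) and nothing else, and that the host answering on
# port 80 identifies itself as nginx. When a proxying CDN sits in front of the
# server, it answers the HTTP-01 challenge instead of nginx and the CA gets a
# 404, which is what the error above shows.
# Usage (assumed names, documentation addresses):
#   sh preflight.sh api.example.com 203.0.113.10 2001:db8::10
# Assumes GNU/Linux with getent(1) and curl(1).

# resolve_addresses DOMAIN -> unique A/AAAA addresses, one per line
resolve_addresses() {
    getent ahosts "$1" | awk '{ print $1 }' | sort -u
}

# foreign_addresses RESOLVED OWN... -> prints every resolved address that is
# not one of this server's own addresses; returns 0 if none, 1 otherwise.
foreign_addresses() {
    resolved=$1; shift
    rest=$resolved
    for own in "$@"; do
        # drop exact matches of our own address (grep returns 1 when all lines go)
        rest=$(printf '%s\n' "$rest" | grep -Fxv "$own" || true)
    done
    [ -z "$rest" ] && return 0
    printf '%s\n' "$rest"
    return 1
}

# http_server_header DOMAIN -> the Server: header of the reply on port 80
# (a 404 from nginx is fine here; the probe path does not need to exist)
http_server_header() {
    curl -sI -m 10 "http://$1/.well-known/acme-challenge/preflight-probe" \
        | grep -i '^server:' | head -n 1 | tr -d '\r'
}

# served_by_nginx HEADER_LINE -> 0 when the Server header names nginx,
# 1 when something else (for example a CDN proxy) answered on port 80.
served_by_nginx() {
    printf '%s' "$1" | tr -d '\r' | grep -iq '^server: *nginx'
}

main() {
    domain=$1; shift
    resolved=$(resolve_addresses "$domain")
    if [ -z "$resolved" ]; then
        echo "FAIL: $domain does not resolve"; return 1
    fi
    if extra=$(foreign_addresses "$resolved" "$@"); then
        echo "OK: $domain resolves only to this server"
    else
        echo "FAIL: $domain also resolves to:"; echo "$extra"; return 1
    fi
    header=$(http_server_header "$domain")
    if served_by_nginx "$header"; then
        echo "OK: port 80 is answered by nginx ($header)"
    else
        echo "FAIL: port 80 is answered by '${header:-nothing}', not this nginx"; return 1
    fi
}

if [ $# -ge 2 ]; then main "$@"; fi
```

If the second check reports a different Server header, DNS is pointing at a proxy (the Cloudflare Proxied mode from the section above is the usual cause); the nginx authenticator can only succeed once the CA's HTTP request reaches your nginx directly.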

Using Certbot with Nginx #

Obtain an SSL certificate with the following command:

sudo certbot --nginx

On the first run, Certbot will ask for an email address connected to your domain (this will be stored in a public registry!).

A successful response looks like the following:

root@a:~# sudo certbot --nginx
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Please enter the domain name(s) you would like on your certificate (comma and/or
space separated) (Enter 'c' to cancel): test.selfhost.guru
Requesting a certificate for test.selfhost.guru

Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/test.selfhost.guru/fullchain.pem
Key is saved at:         /etc/letsencrypt/live/test.selfhost.guru/privkey.pem
This certificate expires on 2024-11-22.
These files will be updated when the certificate renews.
Certbot has set up a scheduled task to automatically renew this certificate in the background.

Deploying certificate
Successfully deployed certificate for test.selfhost.guru to /etc/nginx/sites-enabled/default
Congratulations! You have successfully enabled HTTPS on https://test.selfhost.guru

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
If you like Certbot, please consider supporting our work by:
 * Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
 * Donating to EFF:                    https://eff.org/donate-le
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Edit your Nginx conf #

Certbot updates your default Nginx config; you can edit it with the following command:

sudo nano /etc/nginx/sites-available/default

Certbot renew service #

A Certbot certificate is valid for 90 days; an automated service takes care of the renewal:

Check the renewal service status:

sudo systemctl status certbot.timer

Response:

root@vmi2092881:~# sudo systemctl status certbot.timer
● certbot.timer - Run certbot twice daily
     Loaded: loaded (/lib/systemd/system/certbot.timer; enabled; vendor preset: enabled)
     Active: active (waiting) since Sat 2024-08-24 10:24:41 CEST; 18min ago
    Trigger: Sat 2024-08-24 23:34:10 CEST; 12h left
   Triggers: ● certbot.service

Aug 24 10:24:41 vmi2092881 systemd[1]: Started Run certbot twice daily.

Manual Certbot renew #

You can run Certbot renew manually:

sudo certbot renew

For testing, without replacing the live certificate:

sudo certbot renew --dry-run
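As an added example (not part of the original guide), a small check script that reads the expiry date from the fullchain.pem certbot printed above, works out how many days remain, and reports whether renewal is due and whether certbot.timer is active. It assumes GNU date, openssl and systemd; the 30-day window is certbot's default renewal threshold, and the script name renew-check.sh is an assumption.

```shell
#!/bin/sh
# Added renewal check, not part of the original guide.
# Reports how many days the live certificate has left, whether that is inside
# certbot's default renewal window (certbot renews once 30 days or fewer
# remain), and whether certbot.timer is active. Assumes GNU date(1),
# openssl(1) and systemd; the certificate path is the one certbot printed.
# Usage (assumed name): sh renew-check.sh test.selfhost.guru

RENEW_WINDOW_DAYS=30   # certbot's default renew threshold

# days_between FROM TO -> whole days from FROM to TO (any format GNU date parses,
# including openssl's "Nov 22 10:24:41 2024 GMT"); negative when TO is in the past
days_between() {
    from=$(date -u -d "$1" +%s)
    to=$(date -u -d "$2" +%s)
    echo $(( (to - from) / 86400 ))
}

# renewal_state DAYS_LEFT -> "expired" | "renew-due" | "ok"
renewal_state() {
    if [ "$1" -lt 0 ]; then
        echo expired
    elif [ "$1" -le "$RENEW_WINDOW_DAYS" ]; then
        echo renew-due
    else
        echo ok
    fi
}

# cert_not_after PEM -> the notAfter date as openssl prints it
cert_not_after() {
    openssl x509 -noout -enddate -in "$1" | sed 's/^notAfter=//'
}

main() {
    pem=/etc/letsencrypt/live/$1/fullchain.pem
    not_after=$(cert_not_after "$pem")
    left=$(days_between "$(date -u)" "$not_after")
    state=$(renewal_state "$left")
    echo "$1: expires $not_after ($left days left) -> $state"
    echo "certbot.timer: $(systemctl is-active certbot.timer)"
    case $state in
        renew-due) echo "renewal is due; if the timer is active but nothing renewed, check: certbot renew --dry-run" ;;
        expired)   echo "certificate has EXPIRED; run: certbot renew" ;;
    esac
    [ "$state" = ok ]
}

if [ $# -ge 1 ]; then main "$@"; fi
```

The numbers in the certbot output above illustrate the arithmetic: a certificate issued on 2024-08-24 that expires on 2024-11-22 has the full 90-day lifetime, and the timer that fires twice daily will attempt renewal once fewer than 30 of those days are left.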