Posted March 24, 2018 (edited)
Hello everyone, today I will teach you how to make your website more secure by getting a free SSL certificate and enabling encrypted HTTPS on your web server. In this tutorial, you will use Certbot to get a free SSL certificate for Nginx on Ubuntu 16.04 and set your certificate to renew automatically.
Every command shown below is meant to be typed into a terminal session on your Ubuntu server.
Step 1 - Installing Certbot:
sudo add-apt-repository ppa:certbot/certbot
You will need to press ENTER to accept. Then update the package list to get the package information from the new repository:
sudo apt-get update
And finally, install the Certbot Nginx package:
sudo apt-get install python-certbot-nginx
Certbot is now ready for use, but in order for it to configure SSL for Nginx, we need to check some of the Nginx settings.
Step 2 - Configuring Nginx:
Certbot can automatically configure SSL for Nginx, but it needs to be able to find the correct server block in your configuration. It does this by looking for a server_name directive that matches the domain for which you are requesting a certificate. If you are starting with a new installation of Nginx, you can update the default configuration file. Open /etc/nginx/sites-available/default with your favorite text editor, find the existing server_name line and replace the underscore with your domain name. Save the file and exit the editor. Reload Nginx to load the new configuration.
sudo systemctl reload nginx
Certbot can now find the correct server block and update it. We will then update our firewall to allow HTTPS traffic.
Step 3 - Enabling HTTPS Through the Firewall:
To additionally allow HTTPS traffic, we can allow the Nginx Full profile and then delete the redundant Nginx HTTP profile allowance:
sudo ufw allow 'Nginx Full'
sudo ufw delete allow 'Nginx HTTP'
To check your status use:
sudo ufw status
Your status should look like this now:
Output
Status: active
To                         Action      From
OpenSSH                    ALLOW       Anywhere
Nginx Full                 ALLOW       Anywhere
OpenSSH (v6)               ALLOW       Anywhere (v6)
Nginx Full (v6)            ALLOW       Anywhere (v6)
We are now ready to run Certbot and fetch our certificates.
Step 4 - Obtain an SSL Certificate
Certbot provides a variety of ways to obtain SSL certificates through various plugins. The Nginx plugin will take care of reconfiguring Nginx and reloading the configuration as needed:
sudo certbot --nginx -d example.com -d www.example.com
Replace example.com in the above command with your own domain.
If this is your first time running certbot, you will be prompted to enter an email address and agree to the terms of service. After that, certbot will communicate with the Let's Encrypt server and perform a challenge to verify that you control the domain for which you are requesting a certificate. If this succeeds, certbot will ask how you would like to configure your HTTPS settings.
Output
Please choose whether or not to redirect HTTP traffic to HTTPS by removing HTTP access.
-------------------------------------------------------------------------------
1: No Redirection - No more changes to the web server configuration.
2: Redirect - Redirect all requests to secure HTTPS access. Choose this for
new sites, or if you're sure your site works over HTTPS. You can undo this
change by editing the configuration of your web server.
-------------------------------------------------------------------------------
Select the appropriate number [1-2] and then [enter] (press 'c' to cancel):
Select your choice and press ENTER. The setting will be updated and Nginx will be reloaded to get the new settings. certbot will end with a message stating that the process was successful and where your certificates are stored:
Output
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved to
/etc/letsencrypt/live/example.com/fullchain.pem. Your certificate
will expire on 2017-10-23. To obtain a new or adjusted version of this
certificate in the future, simply run certbot again with the
"certonly" option. To non-interactively renew *all* of your
certificates, run "certbot renew"
- Your account credentials have been saved to your Certbot
configuration directory in /etc/letsencrypt. You should make a
secure backup of this folder now. This configuration directory
also contains certificates and private keys obtained by Certbot, so
making regular backups of this folder is ideal.
- If you like Certbot, consider supporting our work:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
Your certificates are downloaded, installed, and loaded automatically. Try reloading your site using https:// and watch your browser's security indicator. It should indicate that the site is properly secured, usually with a green lock icon. Let's finish by testing the renewal process.
Step 5 - Verifying Certbot Automatic Renewal
Certificates are only valid for ninety days. This is to encourage users to automate their certificate renewal process. The certbot package we installed takes care of this for us. To test the renewal process, you can do a dry run with certbot:
sudo certbot renew --dry-run
If you don't see any errors, you're all set. When necessary, Certbot will renew your certificates and reload Nginx to pick up the changes. If the automated renewal process fails, the software will send a message to the email you specified, notifying you when your certificate is about to expire.
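Step 2 depends on a server_name directive that names each domain you later pass to certbot with -d. The following pre-flight check is an added example, not part of the original post or of Certbot itself; the function names and the sample configuration are constructed, and it matches exact names only (wildcard and regex server_name values are not evaluated).

```shell
#!/bin/sh
# Added example: confirm an Nginx config lists every domain you plan to request.
# Exact-name matching only (assumption); this is not Certbot's own lookup code.

# has_server_name FILE DOMAIN: exit 0 if a server_name directive lists DOMAIN.
has_server_name() {
    awk -v want="$2" '
        { sub(/#.*/, "") }                            # strip comments first
        $1 == "server_name" { in_dir = 1; $1 = "" }   # directive starts here
        in_dir {
            ends = ($0 ~ /;/)                         # it runs up to the semicolon
            sub(/;.*/, "")
            n = split($0, names, /[ \t]+/)
            for (i = 1; i <= n; i++) if (names[i] == want) found = 1
            if (ends) in_dir = 0
        }
        END { exit !found }
    ' "$1"
}

# missing_server_names FILE DOMAIN...: print each DOMAIN the config does not name.
missing_server_names() {
    conf=$1; shift
    for d in "$@"; do
        has_server_name "$conf" "$d" || echo "$d"
    done
}

# Constructed sample: an edited default site plus a multi-line directive.
write_sample_conf() {
    cat > "$1" <<'EOF'
server {
    listen 80 default_server;
    root /var/www/html;
    # server_name _;   (the default line, commented out after editing)
    server_name example.com www.example.com;
}
server {
    listen 80;
    server_name shop.example.com
                static.example.com;
}
EOF
}

sample=$(mktemp)
write_sample_conf "$sample"
missing_server_names "$sample" example.com www.example.com mail.example.com
rm -f "$sample"
```

On a real server, point missing_server_names at /etc/nginx/sites-available/default and pass the same names you will give certbot; any name it prints has no matching server block yet.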
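Because Step 5 relies on renewal running unattended, it helps to check the certificate files themselves rather than wait for the expiry email. This is an added example, not from the original post: the function names and the 30-day window are assumptions, and the throwaway self-signed certificates are constructed stand-ins for /etc/letsencrypt/live/example.com/fullchain.pem.

```shell
#!/bin/sh
# Added example: flag certificates that renewal has not refreshed in time.
# Requires the openssl command-line tool.

# expiring_certs DAYS FILE...: print one line per file that needs attention:
#   "EXPIRING <file>"    expires within DAYS days (or has already expired)
#   "UNREADABLE <file>"  missing or not a parseable certificate (fail closed)
# For a fullchain.pem, openssl reads the first certificate, which is the leaf.
expiring_certs() {
    days=$1; shift
    secs=$((days * 86400))
    for pem in "$@"; do
        if ! openssl x509 -noout -in "$pem" >/dev/null 2>&1; then
            echo "UNREADABLE $pem"
        elif ! openssl x509 -noout -checkend "$secs" -in "$pem" >/dev/null 2>&1; then
            echo "EXPIRING $pem"
        fi
    done
}

# make_sample_cert FILE DAYS: constructed self-signed certificate for the demo.
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -keyout /dev/null \
        -out "$1" -days "$2" -subj "/CN=example.com" >/dev/null 2>&1
}

# Demo: a fresh 90-day certificate passes, a 10-day one and a missing file do not.
tmp=$(mktemp -d)
make_sample_cert "$tmp/fresh.pem" 90
make_sample_cert "$tmp/stale.pem" 10
expiring_certs 30 "$tmp/fresh.pem" "$tmp/stale.pem" "$tmp/missing.pem"
rm -rf "$tmp"
```

On the server, run expiring_certs as root against the fullchain.pem files under /etc/letsencrypt/live; empty output means every certificate is readable and outside the chosen window.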