Free SSL Installation to secure Nginx
Have you ever wondered what that lock sign beside the URL in your web browser means? It is a sign that the site is SSL-enabled and secured. SSL (Secure Sockets Layer) and its successor, TLS (Transport Layer Security), are protocols for establishing authenticated and encrypted links between networked computers.
For more details on SSL, check this.
There are many vendors who provide SSL certificates at a cost. Today we will learn how to do a free SSL installation to secure Nginx on Ubuntu 20.04 with the help of Let's Encrypt.
Let's start.
Prerequisites :
- A server on which we will perform these steps. This tutorial uses Ubuntu 20.04. Check this link if you want to get a free Ubuntu machine.
- A sudo-enabled user on the server, not the root user. Check this link to read about adding a sudo user.
- The firewall should be enabled.
- A registered domain name. This tutorial will use elitetribune.com.
- Both of the following DNS records set up for your server:
- An A record with elitetribune.com pointing to your server’s public IP address.
- An A record with www.elitetribune.com pointing to your server’s public IP address.
- Nginx installed with a server block for your domain. This tutorial will use /etc/nginx/sites-available/elitetribune.com. Check this link to install Nginx.
Step 1: Installing Certbot
Install Certbot and its Nginx plugin with apt:
$ sudo apt install certbot python3-certbot-nginx
Once it is installed, we will do some configuration.
Step 2: Update server name in Nginx Configuration
In /etc/nginx/sites-available/elitetribune.com, find the server_name line and update it with your domain:
...
server_name elitetribune.com www.elitetribune.com;
...
Reload Nginx so the change takes effect:
$ sudo systemctl reload nginx
Step 3: Update Firewall to allow HTTPS
Check the current firewall status:
$ sudo ufw status
Output
Status: active

To                         Action      From
--                         ------      ----
OpenSSH                    ALLOW       Anywhere
Nginx HTTP                 ALLOW       Anywhere
OpenSSH (v6)               ALLOW       Anywhere (v6)
Nginx HTTP (v6)            ALLOW       Anywhere (v6)
Now we will allow the Nginx Full profile (ports 80 and 443) and delete the now-redundant Nginx HTTP profile allowance:
$ sudo ufw allow 'Nginx Full'
$ sudo ufw delete allow 'Nginx HTTP'
The status will now look like this:
$ sudo ufw status
Output
Status: active

To                         Action      From
--                         ------      ----
OpenSSH                    ALLOW       Anywhere
Nginx Full                 ALLOW       Anywhere
OpenSSH (v6)               ALLOW       Anywhere (v6)
Nginx Full (v6)            ALLOW       Anywhere (v6)
Also, if the iptables rules do not yet accept port 443 (for example, when rules are managed outside ufw), add the rule and persist it. Note that netfilter-persistent is provided by the iptables-persistent package, so install that first if the command is missing.
$ sudo iptables -I INPUT 6 -m state --state NEW -p tcp --dport 443 -j ACCEPT
$ sudo netfilter-persistent save
Step 4: Obtain SSL certificate using certbot
Run Certbot with the --nginx plugin:
$ sudo certbot --nginx -d elitetribune.com -d www.elitetribune.com
If we want to run it for a subdomain, we can run:
$ sudo certbot --nginx -d <subdomain-prefix>.elitetribune.com -d www.elitetribune.com --preferred-challenges dns
It will prompt you to enter an email address and to agree to the terms of service. The email address provided here should be the same one provided for the domain, as it will be used to verify domain ownership.
After that, Certbot will ask how you’d like to configure your HTTPS settings:
Output
Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel):
Upon confirmation of the above message, the configuration will be updated and Nginx will reload to pick up the new settings. Certbot will show output like the following:
Output
IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   <key-path>
   Your key file has been saved at:
   <private-key-path>
   Your cert will expire on <expiry-date>. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot again
   with the "certonly" option. To non-interactively renew *all* of
   your certificates, run "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le
Step 5: Certbot Auto-Renewal
Let’s Encrypt’s certificates are only valid for ninety days. So we should either repeat the same process every 90 days, or rely on auto-renewal: when enabled, the Certbot package keeps checking (every day) for renewals and automatically renews any certificate that’s within thirty days of expiration.
We can verify status of same with below command:
$ sudo systemctl status certbot.timer
Output
● certbot.timer - Run certbot twice daily
     Loaded: loaded (/lib/systemd/system/certbot.timer; enabled; vendor preset: enabled)
     Active: active (waiting) since Mon 2020-05-04 20:04:36 UTC; 2 weeks 1 days ago
    Trigger: Thu 2020-05-21 05:22:32 UTC; 9h left
   Triggers: ● certbot.service
We can also dry-run the renewal process:
$ sudo certbot renew --dry-run
If you see no errors, you’re all set. When necessary, Certbot will renew your certificates and reload Nginx to pick up the changes. If the automated renewal process ever fails, Let’s Encrypt will send a message to the email you specified, warning you when your certificate is about to expire.
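As an added check (this script is not part of the original post or of Certbot), the following shell functions compute how many days a served certificate has left and whether it already falls inside Certbot's thirty-day renewal window described in Step 5. It assumes GNU date (as on Ubuntu 20.04) and openssl on the PATH; the domain name is only used when the script is invoked with an argument.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: check certificate lifetime
# against Certbot's 30-day renewal window. Assumes GNU date and openssl.
set -eu

RENEW_WINDOW_DAYS=30   # Certbot renews anything within 30 days of expiry

# days_until_expiry NOTAFTER_LINE [NOW]
# NOTAFTER_LINE is the line printed by `openssl x509 -noout -enddate`,
# e.g. "notAfter=Aug  2 12:00:00 2020 GMT". NOW (optional, any string
# GNU `date -d` accepts) overrides the clock so the check is reproducible.
days_until_expiry() {
    not_after="${1#notAfter=}"
    if [ -n "${2:-}" ]; then
        now_epoch=$(date -u -d "$2" +%s)
    else
        now_epoch=$(date -u +%s)
    fi
    end_epoch=$(date -u -d "$not_after" +%s)
    echo $(( (end_epoch - now_epoch) / 86400 ))
}

# needs_renewal DAYS: succeeds (exit 0) when the certificate is inside
# the renewal window, i.e. Certbot's timer should already be renewing it.
needs_renewal() {
    [ "$1" -lt "$RENEW_WINDOW_DAYS" ]
}

# live_cert_enddate DOMAIN: fetch the certificate Nginx actually serves
# on port 443 and print its notAfter line. Needs network access.
live_cert_enddate() {
    openssl s_client -servername "$1" -connect "$1:443" </dev/null 2>/dev/null \
        | openssl x509 -noout -enddate
}

# Usage: ./check-cert.sh elitetribune.com
if [ -n "${1:-}" ]; then
    line=$(live_cert_enddate "$1")
    days=$(days_until_expiry "$line")
    if needs_renewal "$days"; then
        echo "$1: expires in $days days; renewal is due (try: sudo certbot renew --dry-run)"
        exit 1
    fi
    echo "$1: certificate valid for another $days days"
fi
```

A non-zero exit from the script is a useful signal to hook into monitoring, since a certificate still inside the renewal window after certbot.timer has run means renewal is failing.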
That's it! We are done with the free SSL installation to secure Nginx.
Please let us know through the comments if you face any problems.