Tomorrows Technology Today

Secure Nginx with LetsEncrypt

So you have built a new website on WordPress by following our guide How to Install WordPress and Nginx on Debian 12, and it is HTTP only. Now we can upgrade it to HTTPS with Let's Encrypt. The process is much simpler than it was a few years ago.

Let's Encrypt is a Certificate Authority that provides an easy way to obtain and install free SSL certificates so you can run HTTPS on your web server. It also works with Apache, but this guide covers nginx on Debian.

Backup Site config

Before making changes to your site's config, it is always a good idea to back it up. You should have automated backups, but if not, grab a quick tarball of /etc on your host:

sudo tar -czvf etc-backup.tar.gz /etc

https://www.digitalocean.com/community/tutorials/how-to-secure-nginx-with-let-s-encrypt-on-debian-10

Step 1: Software installation

This guide is tested on Debian 12 and should work exactly the same on Ubuntu and other Debian derivatives. Before adding new packages, make sure your installation is up to date:

sudo apt update && sudo apt upgrade

Install the required packages

sudo apt install python3-acme python3-certbot python3-mock python3-openssl python3-pkg-resources python3-pyparsing python3-zope.interface python3-certbot-nginx

Step 2: Execute the LetsEncrypt script against your domain

Change the command to reflect your domains:

certbot --nginx -d yourwebsitefuturereboot2.com -d www.yourwebsitefuturereboot2.com

Wait for the script to do its work.

Step 3: Verify the Configuration

Take a look inside the nginx config file for the changes made. In /etc/nginx/conf.d/yourwebsitefuturereboot2.conf you can now see that nginx is listening on port 443 for HTTPS, along with the location of the certificates and other changes:

listen 443 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/yourwebsitefuturereboot2.com/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/yourwebsitefuturereboot2.com/privkey.pem; # managed by Certbot
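
An added example, not part of the original guide: a small shell function that checks a site file for the three Certbot-managed directives shown above and flags a certificate and key taken from different directories. The name audit_tls_conf and the sample config are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit an nginx site file for the Certbot-managed TLS lines.
# audit_tls_conf is a hypothetical helper name, not part of certbot or nginx.

# Usage: audit_tls_conf [FILE]   (reads stdin when FILE is omitted)
# Prints one finding per line; the exit status is the number of findings.
audit_tls_conf() {
    awk '
        { sub("#.*", "") }    # strip comments such as "# managed by Certbot"
        $1 == "listen" && /443/ && /ssl/ { listen = 1 }
        $1 == "ssl_certificate"     { cert = $2; sub(/;$/, "", cert) }
        $1 == "ssl_certificate_key" { key  = $2; sub(/;$/, "", key) }
        END {
            n = 0
            if (!listen) { print "no \"listen 443 ssl\" directive"; n++ }
            if (cert == "") { print "ssl_certificate missing"; n++ }
            else if (cert !~ "/fullchain\\.pem$") {
                print "ssl_certificate is not fullchain.pem: " cert; n++
            }
            if (key == "") { print "ssl_certificate_key missing"; n++ }
            else if (key !~ "/privkey\\.pem$") {
                print "ssl_certificate_key is not privkey.pem: " key; n++
            }
            # Both files should sit in the same /etc/letsencrypt/live/<name>/ directory.
            cdir = cert; sub("/[^/]*$", "", cdir)
            kdir = key;  sub("/[^/]*$", "", kdir)
            if (cert != "" && key != "" && cdir != kdir) {
                print "certificate and key are in different directories"; n++
            }
            exit n
        }
    ' "$@"
}

# Constructed sample input, modelled on the lines shown in Step 3.
audit_tls_conf <<'EOF' && echo "sample config: OK"
server {
    server_name yourwebsitefuturereboot2.com www.yourwebsitefuturereboot2.com;
    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/yourwebsitefuturereboot2.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/yourwebsitefuturereboot2.com/privkey.pem; # managed by Certbot
}
EOF
```

On the host, point it at the real file, for example audit_tls_conf /etc/nginx/conf.d/yourwebsitefuturereboot2.conf, then run sudo nginx -t so nginx validates the syntax as well.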

Also have a peek at /etc/cron.d/certbot, where you should find an entry similar to the following, which ensures the certificates are replaced before they expire.

0 */12 * * * root test -x /usr/bin/certbot -a ! -d /run/systemd/system && perl -e 'sleep int(rand(43200))' && certbot -q renew --no-random-sleep-on-renew

And that's it. Test out browsing your site with HTTPS!

Summary

In this tutorial, we installed the Let's Encrypt client called certbot, then downloaded the SSL certificates for your domain and automatically configured nginx to use them. Best of all, automatic renewal is set up too.
