How To Secure Nginx with Let’s Encrypt SSL on Debian 10
Install Let’s Encrypt on Debian
With Let’s Encrypt you can get a free, valid SSL certificate. Let’s Encrypt is a Certificate Authority (CA) that issues certificates at no cost. Certificates are requested with the Certbot client, which fetches the certificate and deploys it on your server. In this tutorial, you will learn how to install a Let’s Encrypt SSL certificate on Debian 10.
Before we begin
A Let’s Encrypt certificate can only be requested from the server the domain points to. Let’s Encrypt checks that the domain resolves to the current server and, if the check succeeds, issues the certificate.
1. Before you start installing Let’s Encrypt SSL on Debian 10 with the Certbot client, you must have a non-root user account with sudo privileges on your server.
2. Make sure your domain is pointing to the current server.
1. Install Certbot Client
To install the Certbot client, you first add the PPA on the server, then update the package manager index, and finally install the client.
Add the PPA by typing the following in the terminal:
sudo add-apt-repository ppa:certbot/certbot
Update the package manager index by typing:
sudo apt update
Now install the Certbot client by executing the following command:
sudo apt install python-certbot-nginx
Confirm the installation by typing
2. Setting Up Firewall
If you have enabled the UFW firewall, you need to adjust its rules to allow HTTPS traffic.
To check the current status, type the following command:
sudo ufw status
Output
Status: active

To                         Action      From
--                         ------      ----
OpenSSH                    ALLOW       Anywhere
Nginx HTTP                 ALLOW       Anywhere
OpenSSH (v6)               ALLOW       Anywhere (v6)
Nginx HTTP (v6)            ALLOW       Anywhere (v6)
To let HTTPS traffic in, add the ‘Nginx Full’ rule (HTTP and HTTPS) and delete the ‘Nginx HTTP’ rule, which becomes redundant:
sudo ufw allow 'Nginx Full'
sudo ufw delete allow 'Nginx HTTP'
Now the status should be:
Output
Status: active

To                         Action      From
--                         ------      ----
OpenSSH                    ALLOW       Anywhere
Nginx Full                 ALLOW       Anywhere
OpenSSH (v6)               ALLOW       Anywhere (v6)
Nginx Full (v6)            ALLOW       Anywhere (v6)
3. Setting up Let’s Encrypt SSL on Nginx
Let’s Encrypt performs strong domain validation to prove ownership of the domain and issues the certificate only after the verification succeeds. In the command below, replace example.com with your domain name:
sudo certbot --nginx -d example.com -d www.example.com
If you are installing a certificate for the first time, Certbot will ask you for an email address and to agree to the terms and conditions.
After that, Certbot will ask you how to configure HTTPS:
Output
Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
-------------------------------------------------------------------------------
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
-------------------------------------------------------------------------------
Select the appropriate number [1-2] then [enter] (press 'c' to cancel):
Select your choice and continue to the next step. We recommend the Redirect option if you don’t want to modify the configuration file manually.
4. Autorenewal For SSL Certificates
Let’s Encrypt certificates are short-lived and expire after 90 days, so you must renew them before they expire by running the following command:
sudo certbot renew
You can automate this process by adding a cron job. Enter the following command to open the crontab:
sudo crontab -e
Add the following line to the end of the file. It runs twice a day, waits a random delay of up to 12 hours (so that all clients do not hit Let’s Encrypt at the same moment), and renews only certificates that are close to expiry. A crontab opened with crontab -e has no user field, so the line is written without one (the /etc/cron.d/certbot file shipped by the Debian package uses the same command with an extra root field). The test on /run/systemd/system skips the job on systemd hosts such as a default Debian 10 install, where the packaged certbot.timer performs the renewal instead; check it with systemctl list-timers.
0 */12 * * * test -x /usr/bin/certbot -a \! -d /run/systemd/system && perl -e 'sleep int(rand(43200))' && certbot -q renew
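Whether renewal runs from cron or from the systemd timer, the useful check is how many days the deployed certificate has left; Certbot renews at 30 days, so fewer than that means the renewal job is not firing. The script below is an added example, not part of the original tutorial; it assumes GNU date and openssl, and the example.com path is a placeholder for your own domain.

```shell
#!/bin/sh
# Added example (not from the original tutorial): report how many days remain on
# the certificate Certbot deployed and exit non-zero when renewal looks overdue.
# Assumes GNU date and openssl; the path below is Certbot's layout for a placeholder domain.
CERT_PATH="${CERT_PATH:-/etc/letsencrypt/live/example.com/fullchain.pem}"
WARN_DAYS="${WARN_DAYS:-30}"   # Certbot renews at 30 days left; less means the job is not running

# Print the notAfter field of a PEM certificate, e.g. "Jun  5 12:00:00 2025 GMT".
cert_not_after() {
    [ -r "$1" ] || return 1
    openssl x509 -noout -enddate -in "$1" | cut -d= -f2
}

# Whole days from "now" (epoch seconds, default: current time) to a notAfter
# date string; negative once the certificate has expired.
days_until_expiry() {
    not_after="$1"
    now="${2:-$(date -u +%s)}"
    [ -n "$not_after" ] || return 1
    expiry=$(date -u -d "$not_after" +%s) || return 1
    echo $(( (expiry - now) / 86400 ))
}

# Returns 0 when the certificate still has more than $2 days left, 1 otherwise
# (also 1 when the file is missing or unreadable, which is itself a finding).
check_cert() {
    days=$(days_until_expiry "$(cert_not_after "$1")") || return 1
    if [ "$days" -le "$2" ]; then
        echo "WARNING: $1 expires in $days days; run 'certbot renew --dry-run' and check the timer" >&2
        return 1
    fi
    echo "OK: $1 valid for $days more days"
}

# Usage: check_cert_expiry.sh [cert-path] [warn-days]
if [ $# -gt 0 ]; then
    check_cert "$1" "${2:-$WARN_DAYS}"
fi
```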
5. Installing Let’s Encrypt Wildcard Certificates
Let’s Encrypt now supports wildcard certificates through the ACMEv2 protocol. With a wildcard certificate such as *.example.com you can use one certificate for multiple subdomains like site1.example.com, site2.example.com and site3.example.com. To obtain a wildcard certificate, type the following command (the wildcard is quoted so the shell does not expand it as a file glob):
sudo certbot certonly --manual -d '*.example.com' --agree-tos --no-bootstrap --manual-public-ip-logging-ok --preferred-challenges dns-01 --server https://acme-v02.api.letsencrypt.org/directory
NOTE: In the middle of the output Certbot will pause and ask you to add a TXT record. Make the DNS change for your domain, adding the TXT record with exactly the value shown in the output of the command above, before you continue.
You have learned how to install Let’s Encrypt SSL on Debian 10 using Certbot. If you have any queries regarding this, please don’t forget to comment below.