
Secure nginx with Let's Encrypt on Ubuntu 18.04


Configure Let's Encrypt SSL for Nginx webserver on Ubuntu 18.04.

Let's Encrypt is a certificate authority (CA) that provides free SSL/TLS certificates. You can get a certificate for web servers such as Apache and Nginx. In this tutorial, I will explain how to obtain an SSL certificate using Certbot on an Ubuntu server and make your website more secure. We will use the Nginx web server in this tutorial.

Prerequisites

  • An Ubuntu 18.04 server with a running Nginx web server.
  • A domain name. In this tutorial I will use the linuxguru.ml and www.linuxguru.ml domains. You can get a free domain from https://my.freenom.com/.


Install certbot.

Certbot is an EFF tool that obtains a certificate from Let's Encrypt and automatically enables HTTPS on your website. So let's install Certbot on Ubuntu 18.04. We assume that you have already installed Nginx.
Add the repository:
add-apt-repository ppa:certbot/certbot
 This is the PPA for packages prepared by Debian Let's Encrypt Team and backported for Ubuntu.

Note: Packages are only provided for currently supported Ubuntu releases.
 More info: https://launchpad.net/~certbot/+archive/ubuntu/certbot
Press [ENTER] to continue or Ctrl-c to cancel adding it.
Press ENTER and accept.
Now install the certbot nginx package.
apt install python-certbot-nginx
Certbot is installed. Now, let's move on to the Nginx configuration.


Configure Nginx

Certbot finds the server block in the Nginx configuration and uses it to obtain a certificate for the names it lists, so let's create that Nginx server block. Make sure that your DNS entries point to the Nginx server. I am using the domain linuxguru.ml, which I got for free from https://my.freenom.com/.
Create a new nginx configuration file for your domain.
cp /etc/nginx/sites-available/default /etc/nginx/sites-available/linuxguru.ml
Open the file in your editor:
/etc/nginx/sites-available/linuxguru.ml
Find the server_name directive in the file and add your domain names there. It should look like below.
server_name linuxguru.ml www.linuxguru.ml;
Save the file and reload the nginx service.
systemctl reload nginx


Configure the firewall for nginx.

In order to access the website and fetch the certificate, we have to allow the HTTP and HTTPS ports. If you manage the server over SSH, make sure SSH is already allowed in ufw before enabling it, or you can lock yourself out.
ufw enable
ufw allow 'Nginx Full'


Obtain an SSL certificate

We will obtain the SSL certificate using the certbot command.
certbot --nginx -d linuxguru.ml -d www.linuxguru.ml
Here --nginx selects the Nginx plugin for certbot, and each -d option names a domain for which you want to configure SSL.
It will ask for some information, such as your email address, and ask you to agree to the terms of service. Go ahead and provide the required details.
The output looks like below. It will also ask about HTTPS redirection; select option 2 to redirect all HTTP traffic to HTTPS automatically.
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for www.linuxguru.ml
Waiting for verification...
Cleaning up challenges
Deploying Certificate to VirtualHost /etc/nginx/sites-enabled/default
Deploying Certificate to VirtualHost /etc/nginx/sites-enabled/default

Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Redirecting all traffic on port 80 to ssl in /etc/nginx/sites-enabled/default
Redirecting all traffic on port 80 to ssl in /etc/nginx/sites-enabled/default

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations! You have successfully enabled https://linuxguru.ml and
https://www.linuxguru.ml

You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=linuxguru.ml
https://www.ssllabs.com/ssltest/analyze.html?d=www.linuxguru.ml
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/linuxguru.ml/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/linuxguru.ml/privkey.pem
   Your cert will expire on 2020-05-18. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot again
   with the "certonly" option. To non-interactively renew *all* of
   your certificates, run "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

Now we have successfully configured SSL for our domain on nginx. Let's verify.

Nginx running on SSL.

Auto-renew the SSL certificate.

By default, a Let's Encrypt certificate is valid for 90 days, so we have to configure auto-renewal. First test the renewal process with the dry-run command below, then add a cron job so the renewal runs automatically.
certbot renew --dry-run
0 * * * * certbot renew
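Two checks worth running after the certificate is deployed and before relying on the cron job above: that the live certificate covers both names passed with -d and is not close to expiry, and that port 80 really redirects to HTTPS (option 2 above). This is an added example, not code from the original post; the helper functions run offline on constructed data, while main() performs the live checks against the host given on the command line (network required; the post's domain linuxguru.ml is assumed as the default).

```python
import http.client
import socket
import ssl
import sys
from datetime import datetime, timezone

# Date layout used by ssl.getpeercert()["notAfter"], e.g. "May 18 00:00:00 2020 GMT".
NOTAFTER_FMT = "%b %d %H:%M:%S %Y %Z"


def days_until_expiry(not_after, now_iso=None):
    """Days left until notAfter (negative once expired).
    now_iso is an optional ISO-8601 UTC timestamp, used for reproducible checks."""
    expiry = datetime.strptime(not_after, NOTAFTER_FMT).replace(tzinfo=timezone.utc)
    now = datetime.fromisoformat(now_iso).replace(tzinfo=timezone.utc) if now_iso else datetime.now(timezone.utc)
    return (expiry - now).days


def covers_domains(peercert, domains):
    """True if every requested domain is listed as a DNS subjectAltName."""
    sans = {value for kind, value in peercert.get("subjectAltName", ()) if kind == "DNS"}
    return all(d in sans for d in domains)


def is_https_redirect(status, location, host):
    """True if a plain-HTTP response redirects to the same host over HTTPS."""
    return status in (301, 302, 307, 308) and (location or "").startswith("https://" + host)


def fetch_peercert(host, port=443):
    """Open a verified TLS connection (system trust store) and return the peer cert."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def main(host):
    cert = fetch_peercert(host)
    print(host, "days until expiry:", days_until_expiry(cert["notAfter"]))
    print(host, "covers apex and www:", covers_domains(cert, [host, "www." + host]))
    conn = http.client.HTTPConnection(host, 80, timeout=10)  # plain HTTP on purpose
    conn.request("GET", "/", headers={"Host": host})
    resp = conn.getresponse()
    print(host, "HTTP->HTTPS redirect:", is_https_redirect(resp.status, resp.getheader("Location"), host))


if __name__ == "__main__":
    main(sys.argv[1] if len(sys.argv) > 1 else "linuxguru.ml")
```

Run it from cron alongside certbot renew and alert when the reported days fall below 30, which is when certbot itself starts renewing.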
I hope that you liked the tutorial. Please share and subscribe for more interesting topics.
