Let’s Encrypt is a Certificate Authority (CA) that provides an easy way to obtain and install free TLS/SSL certificates, thereby enabling encrypted HTTPS on web servers. It simplifies the process by providing a software client, Certbot, that attempts to automate most (if not all) of the required steps. Currently, the entire process of obtaining and installing a certificate is fully automated on both Apache and Nginx.
In this blog, you will use Certbot to obtain a free SSL certificate for Nginx on Ubuntu 20.04 and set up your certificate to renew automatically.
To follow this blog, you will need:
1. The initial server setup for the Django app, including a sudo-enabled non-root user, a firewall, and Nginx. If you have not set all of this up yet, please read our previous blog.
2. A registered domain name. You can purchase one from GoDaddy, Namecheap, or the domain registrar of your choice. Please follow our domain registration blog, where we explain how to register a domain name, add DNS records, and point them at the server.
3. A server block for your domain, which we covered in our initial setup of the Django app.
1. Always update the package index before upgrading or installing new packages:
sudo apt-get update
2. Install Certbot and its Nginx plugin with apt:
sudo apt install certbot python3-certbot-nginx
3. Confirm Nginx’s configuration by opening the server block file for your domain (replace example.com with your domain):
sudo nano /etc/nginx/sites-available/example.com
4. Find the existing server_name line. It should look like this:
server_name oxvsys.com www.oxvsys.com;
If it does, exit your editor and move on to the next step. If it doesn’t, update it to match. Then save the file, quit your editor, and verify the syntax of your configuration edits:
sudo nginx -t
5. If you get an error, reopen the server block file and check for any typos or missing characters. Once your configuration file’s syntax is correct, reload Nginx to load the new configuration:
sudo systemctl reload nginx
6. Certbot can now find the correct server block by its server_name and update it automatically.
7. Allow HTTPS through the firewall. If you have the ufw firewall enabled, as recommended by the prerequisite guides, you’ll need to adjust the settings to allow HTTPS traffic. Luckily, Nginx registers a few profiles with ufw upon installation. You can see the current setting by typing:
sudo ufw status
8. It will probably look like this, meaning that only HTTP traffic is allowed to the web server:
Output
Status: active

To                         Action      From
--                         ------      ----
OpenSSH                    ALLOW       Anywhere
Nginx HTTP                 ALLOW       Anywhere
OpenSSH (v6)               ALLOW       Anywhere (v6)
Nginx HTTP (v6)            ALLOW       Anywhere (v6)
9. To additionally let in HTTPS traffic, allow the Nginx Full profile and delete the redundant Nginx HTTP profile allowance:
sudo ufw allow 'Nginx Full'
sudo ufw delete allow 'Nginx HTTP'
10. Your status should now look like this:
sudo ufw status
Output
Status: active

To                         Action      From
--                         ------      ----
OpenSSH                    ALLOW       Anywhere
Nginx Full                 ALLOW       Anywhere
OpenSSH (v6)               ALLOW       Anywhere (v6)
Nginx Full (v6)            ALLOW       Anywhere (v6)
11. Next, let’s run Certbot and fetch our certificates.
sudo certbot --nginx -d oxvsys.com -d www.oxvsys.com
12. When prompted, enter your email address, press A to agree to the terms of service, then press Y at the next prompt, and Certbot obtains and installs the certificate.
13. Verify Certbot’s automatic renewal (Let’s Encrypt certificates are valid for 90 days, and the certbot package schedules renewal for you) with a dry run:
sudo certbot renew --dry-run
14. If www is still not working, run the following commands:
sudo ufw allow https
sudo ufw delete allow '443/tcp'
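The script below is an added example, not part of the original post and not code from Certbot, ufw or Nginx. It reproduces the checks behind steps 4, 8 to 10, 13 and 14 as shell functions that can be tested offline: it parses server_name directives from an Nginx server block (Certbot’s --nginx plugin picks the block by that match), parses ufw status output to confirm a rule opening 443/tcp exists and that the redundant Nginx HTTP profile is gone, and computes how many days remain before Certbot’s default 30-day renewal window from the notAfter line that `openssl x509 -noout -enddate` prints. One caveat that the ufw check encodes: ufw resolves the service name https to 443/tcp, so `ufw allow https` and `ufw delete allow '443/tcp'` act on the same rule. The Nginx config, the ufw outputs and the expiry date are constructed samples; the only environment assumption is GNU date (the coreutils build Ubuntu ships).

```shell
#!/usr/bin/env bash
# Added example, not part of the original post: offline checks that mirror
# the tutorial's verification steps. All inputs below are constructed samples.

# ---- Step 4: server_name coverage --------------------------------------
# Print the names from every active server_name directive in an Nginx
# config file. Comments are stripped first so commented-out lines are ignored.
server_names() {
  sed -e 's/#.*$//' "$1" \
    | grep -E '^[[:space:]]*server_name[[:space:]]' \
    | sed -E 's/^[[:space:]]*server_name[[:space:]]+//; s/;.*$//'
}

# Return 0 if <domain> is listed as a server_name in <config>, else 1.
has_server_name() {
  config=$1; domain=$2
  for name in $(server_names "$config"); do
    [ "$name" = "$domain" ] && return 0
  done
  return 1
}

# ---- Steps 8-10 and 14: ufw rules for HTTPS ----------------------------
# Read `ufw status` text on stdin. Return 0 if some rule opens 443/tcp:
# the 'Nginx Full' or 'Nginx HTTPS' profile, or a raw '443/tcp' rule
# (what `ufw allow https` creates, since ufw resolves https to 443/tcp).
ufw_allows_https() {
  grep -E '^(Nginx Full|Nginx HTTPS|443/tcp|443)[[:space:]].*ALLOW' >/dev/null
}

# Return 0 if the plain 'Nginx HTTP' profile is still allowed; the
# tutorial deletes it as redundant once 'Nginx Full' is in place.
ufw_http_rule_present() {
  grep -E '^Nginx HTTP[[:space:]].*ALLOW' >/dev/null
}

# ---- Step 13: renewal window -------------------------------------------
# Let's Encrypt certificates last 90 days; certbot renews by default once
# fewer than 30 days remain. Takes the 'notAfter=...' line printed by
# `openssl x509 -noout -enddate -in cert.pem` and a reference time in epoch
# seconds; prints whole days left and returns 0 when renewal is due.
renewal_due() {
  enddate_line=$1; now=$2
  expiry=$(date -u -d "${enddate_line#notAfter=}" +%s) || return 2
  days_left=$(( (expiry - now) / 86400 ))
  echo "$days_left"
  [ "$days_left" -lt 30 ]
}

# ---- Constructed sample inputs -----------------------------------------
sample_nginx_config() {
  cat <<'EOF'
server {
    listen 80;
    server_name oxvsys.com www.oxvsys.com;
    # server_name old.oxvsys.com;   (commented out on purpose)
    location / { proxy_pass http://127.0.0.1:8000; }
}
EOF
}

sample_ufw_before() {   # the status the tutorial shows in step 8
  cat <<'EOF'
Status: active

To                         Action      From
--                         ------      ----
OpenSSH                    ALLOW       Anywhere
Nginx HTTP                 ALLOW       Anywhere
OpenSSH (v6)               ALLOW       Anywhere (v6)
Nginx HTTP (v6)            ALLOW       Anywhere (v6)
EOF
}

sample_ufw_after() {    # the status after step 9
  cat <<'EOF'
Status: active

To                         Action      From
--                         ------      ----
OpenSSH                    ALLOW       Anywhere
Nginx Full                 ALLOW       Anywhere
OpenSSH (v6)               ALLOW       Anywhere (v6)
Nginx Full (v6)            ALLOW       Anywhere (v6)
EOF
}

# ---- Demo run on the samples -------------------------------------------
cfg=$(mktemp); sample_nginx_config > "$cfg"
has_server_name "$cfg" www.oxvsys.com && echo "server_name covers www.oxvsys.com"
sample_ufw_before | ufw_allows_https || echo "before step 9: HTTPS is blocked"
sample_ufw_after  | ufw_allows_https && echo "after step 9: HTTPS is allowed"
renewal_due "notAfter=Jan 15 12:00:00 2025 GMT" 1735689600 >/dev/null \
  && echo "renewal due: 14 days left as of 2025-01-01"
rm -f "$cfg"
```

On a real server you would feed `sudo ufw status` into ufw_allows_https, pass the file under /etc/nginx/sites-available to has_server_name, and pass the output of `openssl x509 -noout -enddate -in /path/to/cert.pem` with `$(date +%s)` to renewal_due; the functions are pure text processing, so they need no privileges themselves.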
We have successfully set up HTTPS on a DigitalOcean Ubuntu server. Stay tuned for the latest from oxvsys, and happy automation.