Setup https on digital ocean ubuntu server (Nginx & Certbot)

  • Akshay Pawar
  • Dec 13, 2021
django rest framework , django , digital ocean

Introduction

Let’s Encrypt is a Certificate Authority (CA) that provides an easy way to obtain and install free [TLS/SSL certificates], thereby enabling encrypted HTTPS on web servers. It simplifies the process by providing a software client, Certbot, that attempts to automate most (if not all) of the required steps. Currently, the entire process of obtaining and installing a certificate is fully automated on both Apache and Nginx.


In this blog, you will use Certbot to obtain a free SSL certificate for Nginx on Ubuntu 20.04 and set up your certificate to renew automatically.


Prerequisites

To follow this blog, you will need:

1. Initial server setup for Django app, including a sudo-enabled non-root-user, a firewall, and Nginx Setup. If you don't know how to set up all this, please read our Previous blog

2. A registered domain name. You can purchase a domain name from GoDaddyNameCheap, or use the domain registrar of your choice. please follow our domain registration blog, where we explained how to register a domain name and how to add DNS records and point to the server.

3. Make sure that you have a server block for your domain. That we have covered in our initial setup of the Django app.


Steps to follow

1. Always update the package index before upgrading or installing new packages.

   sudo apt-get update

2. Install Certbot and its Nginx plugin with apt:

   sudo apt install certbot python3-certbot-nginx

3. Confirming Nginx’s Configuration

   sudo nano /etc/nginx/sites-available/example.com

4. Find the existing server_name line. It should look like this server_name oxvsys.com www.oxvsys.com; If it does, exit your editor and move on to the next step. If it doesn’t, update it to match. Then save the file, quit your editor, and verify the syntax of your configuration edits:

   sudo nginx -t

5. If you get an error, reopen the server block file and check for any typos or missing characters. Once your configuration file’s syntax is correct, reload Nginx to load the new configuration:

   sudo systemctl reload nginx

6. Certbot can now find the correct server block and update it automatically.

7. Allowing HTTPS Through the Firewall If you have the ufw firewall enabled, as recommended by the prerequisite guides, you’ll need to adjust the settings to allow for HTTPS traffic. Luckily, Nginx registers a few profiles with ufw upon installation. You can see the current setting by typing:

   sudo ufw status

8. It will probably look like this, meaning that only HTTP traffic is allowed to the webserver:

    Output
    Status: active
    To                         Action      From
    --                         ------      ----
    OpenSSH                    ALLOW       Anywhere                  
    Nginx HTTP                 ALLOW       Anywhere                  
    OpenSSH (v6)               ALLOW       Anywhere (v6)             
    Nginx HTTP (v6)            ALLOW       Anywhere (v6)

9. To additionally let in HTTPS traffic, allow the Nginx Full profile and delete the redundant Nginx HTTP profile allowance:

    sudo ufw allow 'Nginx Full'
    sudo ufw delete allow 'Nginx HTTP'

10. Your status should now look like this:

    sudo ufw status
    Output
    Status: active
    
    To                         Action      From
    --                         ------      ----
    OpenSSH                    ALLOW       Anywhere
    Nginx Full                 ALLOW       Anywhere
    OpenSSH (v6)               ALLOW       Anywhere (v6)
    Nginx Full (v6)            ALLOW       Anywhere (v6)

11. Next, let’s run Certbot and fetch our certificates.

    sudo certbot --nginx -d oxvsys.com -d www.oxvsys.com


12. After that add your email address, then press A > then press Y, and done.

13. Verifying certbot auto-renewal (90 days) :

    sudo certbot renew --dry-run

14. In case www is not working then run the following command:

    sudo ufw allow https
    sudo ufw delete allow '443/tcp'


Congratulations

We have set up HTTPS Digital Ocean Ubuntu Server Successfully. Stay tuned to get the latest innovation from oxvsys and happy automation.

Copyright © 2024 Oxvsys Automation Technologies Pvt. Ltd.