When running a web server, it's crucial to secure it with SSL (Secure Sockets Layer) to ensure your website's data is encrypted and secure. This article will guide you through the process of creating an SSL certificate for Nginx on Ubuntu 22.
SSL (Secure Sockets Layer) is a security protocol used to establish encrypted links between a web server and a browser. It ensures that all data passing between the web server and browsers remain private and integral, preventing hackers from stealing private information such as credit card numbers, names, and addresses. SSL is an essential component of web security and is used by millions of websites to protect their online transactions with their customers.
Step 1: Install Certbot
First, you need to install Certbot, a free, open-source software tool developed by the Electronic Frontier Foundation (EFF). Certbot is designed to simplify the process of setting up and renewing SSL certificates on your server. It uses Let’s Encrypt certificates, which are free, automated, and open certificates provided by the Internet Security Research Group (ISRG).
To install Certbot, run the following commands in your terminal:
sudo apt-get update
sudo snap install core; sudo snap refresh core
sudo snap install --classic certbot
As a final step, it's recommended to link the Certbot command from the snap install directory to your system path. This will allow you to run Certbot by simply typing 'certbot' in your terminal. This step isn't always necessary with all packages, but it's useful when using snaps as they are designed to be less intrusive and avoid conflicts with other system packages.
sudo ln -s /snap/bin/certbot /usr/bin/certbot
These commands will update your package lists, ensure you have the necessary software to manage repositories, add the necessary repositories, and finally install Certbot and its Nginx plugin.
Step 2: Obtain a Certificate
Next, you'll need to obtain the SSL certificate from Let's Encrypt. You can do this using the following command:
sudo certbot --nginx -d example.com
This command will start the certification process. You'll be prompted to enter your email address, which is used for urgent notices and certificate expiry warnings. You'll also need to agree to the terms of service.
After providing the necessary information, Certbot will communicate with the Let's Encrypt CA (Certificate Authority). It will then run a challenge to verify that you control the domain you're requesting a certificate for. This ensures that only the legitimate owner of a domain can get a Let's Encrypt certificate for it.
To create multiple certificates use the following command:
sudo certbot --nginx -d example.com -d example2.com
It's important to be aware that the Certbot command highlighted above is designed to automatically alter your Nginx configuration file. This tool is very useful as it automates the process, reducing the risk of human error and simplifying the task. However, if your specific situation requires you to generate only the certificate, without any modifications to the Nginx configuration file, then the Certbot command might not be the best choice for you. In such a case, use the following command:
sudo certbot certonly --nginx -d example.com
Step 3: Configure the UFW Firewall
Before we proceed, it's important to ensure that your server's firewall is set to allow traffic on Nginx Full. UFW, or Uncomplicated Firewall, is the default firewall configuration tool for Ubuntu.
To enable the UFW firewall, you can use the following command:
sudo ufw enable
Next, allow Nginx Full, which will enable both HTTP and HTTPS traffic, with the following command:
sudo ufw allow 'Nginx Full'
To delete the redundant Nginx HTTP profile allowance, you can use the following command:
sudo ufw delete allow 'Nginx HTTP'
You can then verify the changes by checking the status of the UFW firewall:
sudo ufw status
The output should show Nginx Full
in the list of allowed services, meaning your firewall is now set up to allow web traffic.
Step 4: Configure Nginx
Once you've obtained your SSL certificate, Certbot will automatically configure Nginx to use it. It modifies the Nginx configuration file to point to the new certificate and sets up automatic renewal. This means you don't have to worry about manually configuring your web server or renewing your certificate as Certbot takes care of it.
If “certonly” is used then certbot will not automatically configure Nginx. Add the following line in nginx.conf file
server {
...
#replace example.com with your domain
server_name example.com;
...
#enalbe 443 ssl port
listen [::]:443 ssl http2 ipv6only=on; # managed by Certbot
listen 443 ssl http2; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
Use the command sudo nginx -t
to test your Nginx configuration. If the syntax is okay, the system will return a message saying "syntax is okay. configuration file /etc/nginx/nginx.conf test is successful." If you see this message, it means that your configuration file has no syntax errors.
To ensure the changes take effect, restart Nginx using the command sudo systemctl restart nginx
. This will apply the configuration changes.
Step 5: Verify Certbot Auto-Renewal
Let’s Encrypt’s certificates are valid for 90 days. However, Certbot automatically renews the certificates before they expire to prevent any downtime due to an expired certificate.
sudo systemctl status snap.certbot.renew.service
To verify that automatic renewal is set up correctly, you can run a dry run with the following command:
sudo certbot renew --dry-run
If the dry run completes successfully, it means automatic renewal is set up correctly. Your website is now secured with an SSL certificate, and you can rest easy knowing that Certbot will automatically renew your certificate before it expires.
Conclusion
While Certbot offers convenience and automation, it's important to understand the basics of SSL, how certificates work, and when they need to be renewed to ensure the security of your site. It's also important to note that SSL certificates should be just one part of your overall web server security strategy.
Top comments (0)