Tag Archives: Certbot

How to Install Let's Encrypt on Nginx

How To Secure Nginx with Let’s Encrypt on Ubuntu 22.04

Let’s Encrypt is a free, automated, and open certificate authority (CA) that provides digital SSL/TLS certificates to enable secure encrypted connections for websites. The goal of Let’s Encrypt is to make encryption widely accessible to everyone and to help create a more secure and privacy-respecting web.

Let’s Encrypt certificates are valid for 90 days and can be easily renewed. The certificate issuance and renewal process is fully automated, making it easy for website owners to secure their sites with HTTPS.

In addition to being free and easy to use, Let’s Encrypt is also transparent and collaborative, with a broad community of stakeholders who support its mission and contribute to its development.

Step 1: Update Operating System

Update your Ubuntu 22.04 operating system to make sure all existing packages are up to date:

$ sudo apt update && sudo apt upgrade -y

Step 2: Install Nginx webserver

You can install Nginx via the apt package manager by executing the following command:

$ sudo apt install nginx

Verify the status of the Nginx service using the following command:

$ sudo systemctl status nginx

Output:

● nginx.service - A high performance web server and a reverse proxy server
     Loaded: loaded (/lib/systemd/system/nginx.service; enabled; vendor preset: enabled)
     Active: active (running)
       Docs: man:nginx(8)
    Process: 30128 ExecStartPre=/usr/sbin/nginx -t -q -g daemon on; master_process on; (code=exited, status=0/SUCCESS)
    Process: 30129 ExecStart=/usr/sbin/nginx -g daemon on; master_process on; (code=exited, status=0/SUCCESS)
   Main PID: 30218 (nginx)
      Tasks: 2 (limit: 2196)
     Memory: 10.1M
        CPU: 77ms
     CGroup: /system.slice/nginx.service
             ├─30218 "nginx: master process /usr/sbin/nginx -g daemon on; master_process on;"
             └─30221 "nginx: worker process"

Step 3: Install Certbot on Ubuntu 22.04

Now we install the Certbot client which is used to create Let’s Encrypt certificates:

$ sudo apt install certbot python3-certbot-nginx

Verify that Certbot is installed and working properly:

$ certbot --version

You should see the version number of Certbot that you just installed:

certbot 1.21.0

Now you can use Certbot to obtain SSL certificates and configure your web server to use them.

Step 4: Configure Nginx Web Server

Navigate to the /etc/nginx/sites-available directory and run the following command to create a configuration file for your installation:

$ sudo nano /etc/nginx/sites-available/your-domain.com.conf

Add the following code to the file:

server {
        listen 80;

        root /var/www/html;
        index index.html index.htm index.nginx-debian.html;

        server_name your-domain.com www.your-domain.com;

        location / {
                try_files $uri $uri/ =404;
        }

        error_log /var/log/nginx/your-domain.com.error;
        access_log /var/log/nginx/your-domain.com.access;

}

Remember to replace your-domain.com with the domain name of your server.

Save and exit the configuration file.

Enable the new configuration file.

$ sudo ln -s /etc/nginx/sites-available/your-domain.com.conf /etc/nginx/sites-enabled/your-domain.com.conf

Check Nginx syntax:

$ sudo nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

To implement the changes, restart Nginx webserver:

$ sudo systemctl restart nginx

Step 5: Get the Let’s Encrypt SSL certificate

To get the SSL certificate using Certbot, type the command given below:

$ sudo certbot --nginx

You will be asked to provide a valid email address and accept the terms of service:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Enter email address (used for urgent renewal and security notices)
 (Enter 'c' to cancel): admin@your-domain.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.3-September-21-2022.pdf. You must
agree in order to register with the ACME server. Do you agree?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y

Next, you’ll be asked if you want to share your email with the Electronic Frontier Foundation to receive news and other information. If you do not want to subscribe to their content, write N.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing, once your first certificate is successfully issued, to
share your email address with the Electronic Frontier Foundation, a founding
partner of the Let's Encrypt project and the non-profit organization that
develops Certbot? We'd like to send you email about our work encrypting the web,
EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: N

Next, you will be asked to select the domain on which you want to install the Let’s Encrypt SSL:

Account registered.

Which names would you like to activate HTTPS for?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: your-domain.com
2: www.your-domain.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel):

If the SSL certificate is successfully obtained, certbot displays a message to show the configuration was successful:

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/your-domain.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/your-domain.com/privkey.pem
   Your cert will expire on 2023-04-22. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

Now, you have successfully installed SSL on your website.

You can now open your website using https://, and you’ll notice a green lock icon.

Step 6: Verifying Certbot Auto-Renewal

Verifying that Certbot’s auto-renewal is working correctly is an important step in ensuring that your website remains secure. You can verify Certbot’s auto-renewal by performing the following steps:

Check the Certbot Logs

The Certbot logs are the best place to start when verifying auto-renewal. The logs will contain information about any renewal attempts and any errors that may have occurred. You can access the Certbot logs by running the following command:

$ sudo cat /var/log/letsencrypt/letsencrypt.log

Test the Renewal Process

You can test the renewal process by manually running the Certbot renewal command. To do this, run the following command:

$ sudo certbot renew --dry-run

This will simulate a renewal attempt and will provide you with information about the outcome. If the renewal was successful, you should see a message indicating that the certificates were successfully renewed.

Check the Certificate Expiration Date

Finally, you can check the expiration date of your certificate to ensure that it has been renewed. You can do this by visiting your website and checking the certificate information in your browser’s security settings.

If you encounter any issues with the auto-renewal process, it is recommended that you reach out to the Let’s Encrypt community or consult the Certbot documentation for assistance.
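
The expiration check from this step can also be scripted against the certificate files on disk instead of the browser. The following is an added example, not part of the original tutorial; the function names are illustrative, and the 30-day threshold assumes Certbot's default renewal window, so a certificate with fewer days left means renewal has been failing.

```sh
#!/bin/sh
# Added example: flag certificates that auto-renewal should already have replaced.
# Requires GNU date (for -d) and the openssl CLI; reading the live directory needs root.

RENEW_WINDOW_DAYS=30   # assumption: Certbot renews once fewer than 30 days remain

# Seconds from now_epoch ($2) until the date in a "notAfter=..." line ($1),
# the format printed by `openssl x509 -noout -enddate`.
seconds_left() {
    local not_after end_epoch
    not_after="${1#notAfter=}"
    [ -n "$not_after" ] || return 2
    end_epoch=$(date -u -d "$not_after" +%s 2>/dev/null) || return 2
    echo $(( end_epoch - $2 ))
}

# Print "ok", "renewal-overdue" or "expired" for one notAfter line.
renewal_state() {
    local secs
    secs=$(seconds_left "$1" "$2") || { echo "unparseable"; return 2; }
    if [ "$secs" -le 0 ]; then
        echo "expired"
    elif [ "$secs" -lt $(( RENEW_WINDOW_DAYS * 86400 )) ]; then
        echo "renewal-overdue"
    else
        echo "ok"
    fi
}

# Report every certificate under a Certbot live directory; return 1 if any
# is not "ok", so the script can drive a cron mail or a monitoring alert.
check_live_certs() {
    local live_dir rc cert line state
    live_dir="${1:-/etc/letsencrypt/live}"; rc=0
    for cert in "$live_dir"/*/cert.pem; do
        [ -e "$cert" ] || continue
        line=$(openssl x509 -noout -enddate -in "$cert") || { rc=1; continue; }
        state=$(renewal_state "$line" "$(date +%s)") || true
        printf '%s\t%s\t%s\n' "$state" "${line#notAfter=}" "$cert"
        [ "$state" = "ok" ] || rc=1
    done
    return "$rc"
}

# Runs only when a directory is passed, e.g.: sudo sh check_renewal.sh /etc/letsencrypt/live
[ "$#" -eq 0 ] || check_live_certs "$1"
```
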

Step 7: Revoking Let’s Encrypt certificates

To revoke a Let’s Encrypt SSL certificate, you can use the certbot revoke command.

First, stop your Nginx web server:

$ sudo systemctl stop nginx

Run the certbot revoke command, specifying the certificate you want to revoke:

$ sudo certbot revoke --cert-path /etc/letsencrypt/live/your-domain.com/fullchain.pem

Note: You’ll need to replace /etc/letsencrypt/live/your-domain.com/fullchain.pem with the actual path to your certificate file.

Start your web server again:

$ sudo systemctl start nginx

After revoking the certificate, the certificate will no longer be trusted by browsers and will no longer work for encrypting your website traffic.

This is useful if, for example, you need to transfer the domain to another owner or if you suspect that your private key has been compromised.

Comments and Conclusion

That’s it. Today, you have learned how to secure Nginx with Let’s Encrypt on Ubuntu 22.04.

If you have any questions or feedback, feel free to leave a comment.

How To Secure Apache with Let’s Encrypt on Ubuntu 22.04

Let’s Encrypt is a free, automated, and open certificate authority (CA). Let’s Encrypt offers free 90-day SSL certificates.

Let’s Encrypt provides two types of certificates: the standard single-domain SSL certificate and the wildcard SSL certificate, which covers not only a single domain but all of its subdomains too.

In this tutorial, we will use Certbot, a free, open-source software tool, to automatically issue the Let’s Encrypt SSL certificate and verify that your certificate is set up to renew automatically.

Step 1: Update Operating System

Update your Ubuntu 22.04 operating system to make sure all existing packages are up to date:

$ sudo apt update && sudo apt upgrade -y

Step 2: Install Apache on Ubuntu 22.04

You can install Apache via the apt package manager by executing the following command:

$ sudo apt install apache2

You can start the Apache service and configure it to run on startup by entering the following commands:

$ sudo systemctl start apache2
$ sudo systemctl enable apache2

Verify the status of the Apache service using the systemctl status command:

$ sudo systemctl status apache2

Output:

● apache2.service - The Apache HTTP Server
     Loaded: loaded (/lib/systemd/system/apache2.service; enabled; vendor preset: enabled)
     Active: active (running)
       Docs: https://httpd.apache.org/docs/2.4/
    Process: 3170 ExecStart=/usr/sbin/apachectl start (code=exited, status=0/SUCCESS)
   Main PID: 3174 (apache2)
      Tasks: 12 (limit: 2200)
     Memory: 246.8M
        CPU: 18.104s
     CGroup: /system.slice/apache2.service
             ├─3174 /usr/sbin/apache2 -k start
             ├─3175 /usr/sbin/apache2 -k start
             ├─3176 /usr/sbin/apache2 -k start

Step 3: Install Certbot on Ubuntu 22.04

Now we install the Certbot client which is used to create Let’s Encrypt certificates:

$ sudo apt install certbot python3-certbot-apache

To verify the Certbot installation run:

$ certbot --version

Output:

certbot 1.21.0

Step 4: Configure Apache Web Server

Navigate to the /etc/apache2/sites-available directory and run the following command to create a configuration file for your installation:

$ sudo nano /etc/apache2/sites-available/your-domain.conf

Add the following content:

<VirtualHost *:80>

ServerAdmin webmaster@your-domain.com

ServerName your-domain.com
ServerAlias www.your-domain.com
DocumentRoot /var/www/html/

<Directory /var/www/html/>
        Options Indexes FollowSymLinks
        AllowOverride All
        Require all granted
</Directory>

ErrorLog ${APACHE_LOG_DIR}/your-domain.com_error.log
CustomLog ${APACHE_LOG_DIR}/your-domain.com_access.log combined

</VirtualHost>

Save the file and exit.

Enable the Apache virtual host:

$ sudo a2ensite your-domain.conf

After that, restart the Apache web server.

$ sudo systemctl restart apache2

Step 5: Get the Let’s Encrypt SSL certificate

To get the SSL certificate using Certbot, type the command given below:

$ sudo certbot --apache

You will be asked to provide a valid email address and accept the terms of service:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Enter email address (used for urgent renewal and security notices)
 (Enter 'c' to cancel): admin@your-domain.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.3-September-21-2022.pdf. You must
agree in order to register with the ACME server. Do you agree?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y

Next, you’ll be asked if you want to share your email with the Electronic Frontier Foundation to receive news and other information. If you do not want to subscribe to their content, write N.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing, once your first certificate is successfully issued, to
share your email address with the Electronic Frontier Foundation, a founding
partner of the Let's Encrypt project and the non-profit organization that
develops Certbot? We'd like to send you email about our work encrypting the web,
EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: N

Next, you will be asked to select the domain on which you want to install the Let’s Encrypt SSL:

Account registered.

Which names would you like to activate HTTPS for?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: your-domain.com
2: www.your-domain.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel):

If the SSL certificate is successfully obtained, certbot displays a message to show the configuration was successful:

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/your-domain.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/your-domain.com/privkey.pem
   Your cert will expire on 2023-03-22. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

Now, you have successfully installed SSL on your website.

You can now open your website using https://, and you’ll notice a green lock icon.

Step 6: Verifying Certbot Auto-Renewal

Let’s Encrypt certificates are valid for only ninety days. Installing Certbot sets up a scheduled job that renews your SSL certificates automatically. You can check the status of its systemd timer with the following command:

$ sudo systemctl status certbot.timer

Output:

● certbot.timer - Run certbot twice daily
     Loaded: loaded (/lib/systemd/system/certbot.timer; enabled; vendor preset: enabled)
     Active: active (waiting) since Thu 2022-12-22 16:20:05 CDT;
    Trigger: Fri 2022-12-23 06:29:34 CST; 14h left
   Triggers: ● certbot.service

Optionally, you can test the renewal process using the following command. The --dry-run flag is for simulation:

$ sudo certbot renew --dry-run --agree-tos

Step 7: Revoking certificates

If you wish to remove a certificate from your server, it can be revoked using a subcommand of the Let’s Encrypt client. The command below can be used to revoke a particular certificate.

$ sudo certbot revoke --cert-path /etc/letsencrypt/live/your-domain.com/cert.pem

Note: Replace your-domain.com with the domain whose certificate you wish to revoke.

The process does not give a confirmation upon completion, but if you perform it again you will get a message that the certificate has already been revoked.

Comments and Conclusion

Congratulations! You have successfully installed the Let’s Encrypt SSL certificate on your domain.

If you have any questions or feedback, feel free to leave a comment.