In this post we see how to obtain a Let’s Encrypt SSL certificate for our site, mysite.com, to be used with Nginx on Ubuntu. After obtaining the certificate you can change your site’s nginx configuration for your specific needs, for example for a Django project or for deploying an Odoo instance.
You need an Ubuntu server with sudo access over SSH and a valid domain. We use mysite.com for demonstration in this post.
Nginx Installation
Make sure nginx is installed on your system. You can check this by running:
$ sudo systemctl status nginx
If nginx is not installed you can install it using apt:
$ sudo apt install nginx
If you are running behind the ufw firewall, allow Nginx connections:
$ sudo ufw allow 'Nginx Full'
Certbot Installation
Certbot is a tool for obtaining Let’s Encrypt certificates. Install it:
$ sudo apt update
$ sudo apt install certbot
Generate a new set of 2048-bit DH parameters by running the following command:
$ sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048
To obtain a general-purpose certificate we use the Webroot plugin. First create the webroot folder and set its group and permissions:
$ sudo mkdir -p /var/lib/letsencrypt/.well-known
$ sudo chgrp www-data /var/lib/letsencrypt
$ sudo chmod g+s /var/lib/letsencrypt
We create a snippet that we later include in all our nginx site configuration files:
$ sudo nano /etc/nginx/snippets/letsencrypt.conf
Type these lines in:
location ^~ /.well-known/acme-challenge/ {
    allow all;
    root /var/lib/letsencrypt/;
    default_type "text/plain";
    try_files $uri =404;
}
Create another snippet ssl.conf:
$ sudo nano /etc/nginx/snippets/ssl.conf
and type these lines:
ssl_dhparam /etc/ssl/certs/dhparam.pem;
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
ssl_prefer_server_ciphers on;
ssl_stapling on;
ssl_stapling_verify on;
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 30s;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
add_header X-Frame-Options SAMEORIGIN;
add_header X-Content-Type-Options nosniff;
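The settings in ssl.conf are the ones that decide whether a client can be pushed to an old protocol, whether resumed sessions stay forward-secret, and whether the browser will ever accept plain HTTP again. The following script is an added example, not part of the original post: it audits an nginx TLS snippet for exactly those points (legacy protocols, session tickets, HSTS, OCSP stapling, and a DH parameter file when DHE suites are offered). The two sample snippets it checks are constructed here; the "hardened" one mirrors the ssl.conf above, the "weak" one shows the defaults a hurried setup might leave in place.

```shell
#!/bin/sh
# Added example (not from the original post): audit an nginx TLS snippet for
# the hardening choices made in ssl.conf. Sample files below are constructed.

# audit_tls_snippet FILE
# Prints one FAIL line per weak setting to stderr; returns 0 when all checks pass.
audit_tls_snippet() {
    file="$1"
    fail=0
    # Drop comments so a commented-out directive is not counted as active.
    cfg=$(sed 's/#.*$//' "$file")

    # 1. Protocols: TLSv1 and TLSv1.1 are deprecated; the directive must exist and exclude them.
    protos=$(printf '%s\n' "$cfg" | grep -E '^[[:space:]]*ssl_protocols[[:space:]]' \
             | sed 's/;.*//; s/^[[:space:]]*ssl_protocols//')
    if [ -z "$protos" ]; then
        echo "FAIL: no ssl_protocols directive (nginx defaults may still offer TLSv1/TLSv1.1)" >&2
        fail=1
    else
        for tok in $protos; do
            case "$tok" in
                TLSv1|TLSv1.1) echo "FAIL: legacy protocol offered: $tok" >&2; fail=1 ;;
            esac
        done
    fi

    # 2. Session tickets: the ticket key is only regenerated when nginx reloads,
    #    so leaving tickets on weakens forward secrecy for resumed sessions.
    printf '%s\n' "$cfg" | grep -Eq '^[[:space:]]*ssl_session_tickets[[:space:]]+off[[:space:]]*;' \
        || { echo "FAIL: ssl_session_tickets is not off" >&2; fail=1; }

    # 3. HSTS: without it a later visit can be downgraded to plain HTTP.
    printf '%s\n' "$cfg" | grep -q 'add_header[[:space:]]*Strict-Transport-Security' \
        || { echo "FAIL: no Strict-Transport-Security header" >&2; fail=1; }

    # 4. OCSP stapling, as ssl.conf enables it.
    printf '%s\n' "$cfg" | grep -Eq '^[[:space:]]*ssl_stapling[[:space:]]+on[[:space:]]*;' \
        || { echo "FAIL: ssl_stapling is not on" >&2; fail=1; }

    # 5. Finite-field DHE suites (DHE-, not ECDHE-) need the generated dhparam file.
    if printf '%s\n' "$cfg" | grep -E 'ssl_ciphers' | grep -Eq '(^|[^C])DHE-'; then
        printf '%s\n' "$cfg" | grep -Eq '^[[:space:]]*ssl_dhparam[[:space:]]' \
            || { echo "FAIL: DHE ciphers offered but no ssl_dhparam" >&2; fail=1; }
    fi

    return "$fail"
}

WORKDIR=$(mktemp -d)
trap 'rm -rf "$WORKDIR"' EXIT

# Constructed: a snippet with weak leftovers (legacy protocols, tickets on, HSTS commented out).
WEAK_CONF="$WORKDIR/weak-ssl.conf"
cat > "$WEAK_CONF" <<'EOF'
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers DHE-RSA-AES128-SHA:ECDHE-RSA-AES128-GCM-SHA256;
ssl_session_tickets on;
# add_header Strict-Transport-Security "max-age=31536000" always;
EOF

# Constructed copy of the settings used in the post's ssl.conf.
HARDENED_CONF="$WORKDIR/hardened-ssl.conf"
cat > "$HARDENED_CONF" <<'EOF'
ssl_dhparam /etc/ssl/certs/dhparam.pem;
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256;
ssl_prefer_server_ciphers on;
ssl_stapling on;
ssl_stapling_verify on;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
EOF

for f in "$WEAK_CONF" "$HARDENED_CONF"; do
    if audit_tls_snippet "$f"; then echo "PASS: $f"; else echo "WEAK: $f"; fi
done
```

Point it at /etc/nginx/snippets/ssl.conf on a real host to confirm the snippet that is actually deployed still carries these settings; the checks are deliberately textual so the script runs without nginx installed.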
Obtaining Certificate
Create an nginx site configuration for your site. For example, for mysite.com we have:
$ sudo nano /etc/nginx/sites-available/mysite.com.conf
And these are the configuration lines:
server {
    listen 80;
    server_name mysite.com www.mysite.com;
    include snippets/letsencrypt.conf;
}
Next, enable this site:
$ sudo ln -s /etc/nginx/sites-available/mysite.com.conf /etc/nginx/sites-enabled/
Test nginx site configuration:
$ sudo nginx -t
And then restart nginx:
$ sudo systemctl restart nginx
Now is the time to obtain our certificate:
$ sudo certbot certonly --agree-tos --email admin@mysite.com --webroot -w /var/lib/letsencrypt/ -d mysite.com -d www.mysite.com
Certbot will obtain the certificate for your website. Now it’s time to install the obtained certificate by changing your nginx site configuration. This depends on the specific needs of your project, for example deploying a Django project or deploying an Odoo instance.
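Whatever the application behind it, the site configuration that installs the certificate has the same skeleton, and one detail is easy to get wrong: the acme-challenge location must stay reachable on port 80 or the webroot renewals will start failing. The script below is an added example, not part of the original post or of any Django/Odoo configuration: it renders such a configuration for any domain, keeping the letsencrypt.conf snippet on port 80, redirecting everything else to HTTPS, and pointing nginx at the files certbot writes under /etc/letsencrypt/live/DOMAIN/. The static document root /var/www/DOMAIN is an assumption for the demonstration; a real project would replace it with its proxy_pass or application location.

```shell
#!/bin/sh
# Added example (not from the original post): render the nginx site config that
# installs a certbot-issued certificate for a given domain.
# Assumption: the app is served from /var/www/DOMAIN; adjust for your project.

# render_tls_site DOMAIN  -> prints the configuration to stdout
render_tls_site() {
    domain="$1"
    cat <<EOF
# Port 80: answer ACME challenges for renewals, redirect everything else to HTTPS.
server {
    listen 80;
    server_name ${domain} www.${domain};
    include snippets/letsencrypt.conf;
    location / {
        return 301 https://\$host\$request_uri;
    }
}

# Port 443: the certificate certbot wrote for ${domain}.
server {
    listen 443 ssl;
    server_name ${domain} www.${domain};

    ssl_certificate /etc/letsencrypt/live/${domain}/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/${domain}/privkey.pem;
    # chain.pem lets ssl_stapling_verify (from ssl.conf) validate the stapled OCSP response.
    ssl_trusted_certificate /etc/letsencrypt/live/${domain}/chain.pem;
    include snippets/ssl.conf;

    root /var/www/${domain};   # assumption: static document root; replace with your app's location
    index index.html;
}
EOF
}

# install_tls_site DOMAIN [SITES_AVAILABLE_DIR]
# Writes the rendered config into sites-available (default: the Debian/Ubuntu layout)
# and prints the path written, so it can be fed to "ln -s" and "nginx -t".
install_tls_site() {
    domain="$1"
    dir="${2:-/etc/nginx/sites-available}"
    out="$dir/${domain}.conf"
    render_tls_site "$domain" > "$out"
    printf '%s\n' "$out"
}

# Stand-alone demo: render into a temporary directory instead of /etc/nginx.
DEMO_DIR=$(mktemp -d)
trap 'rm -rf "$DEMO_DIR"' EXIT
DEMO_FILE=$(install_tls_site mysite.com "$DEMO_DIR")
cat "$DEMO_FILE"
```

On a real host you would run install_tls_site without the second argument, link the file into sites-enabled, and run sudo nginx -t before reloading, exactly as in the port-80 setup above.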
When the certificate is renewed, the nginx service needs to be reloaded. Open /etc/letsencrypt/cli.ini:
$ sudo nano /etc/letsencrypt/cli.ini
And add this line:
deploy-hook = systemctl reload nginx