DEV Community

Orestis Pantazos

🌊 How To Secure Nginx with Let's Encrypt on Ubuntu 18.04 in DigitalOcean

Step 1

Installing Certbot

sudo add-apt-repository ppa:certbot/certbot 
sudo apt install python-certbot-nginx 

Step 2

Confirming Nginx’s Configuration

sudo nano /etc/nginx/sites-available/example.com 

/etc/nginx/sites-available/example.com

...
server_name example.com www.example.com;
...

sudo nginx -t 
sudo systemctl reload nginx 

Step 3

Allowing HTTPS Through the Firewall

sudo ufw status 

Output
Status: active

To                         Action      From
--                         ------      ----
OpenSSH                    ALLOW       Anywhere
Nginx HTTP                 ALLOW       Anywhere
OpenSSH (v6)               ALLOW       Anywhere (v6)
Nginx HTTP (v6)            ALLOW       Anywhere (v6)

sudo ufw allow 'Nginx Full'
sudo ufw delete allow 'Nginx HTTP'
sudo ufw status 

Output
Status: active

To                         Action      From
--                         ------      ----
OpenSSH                    ALLOW       Anywhere
Nginx Full                 ALLOW       Anywhere
OpenSSH (v6)               ALLOW       Anywhere (v6)
Nginx Full (v6)            ALLOW       Anywhere (v6)

Step 4

Obtaining an SSL Certificate

sudo certbot --nginx -d example.com -d www.example.com 

Output
Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
-------------------------------------------------------------------------------
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
-------------------------------------------------------------------------------
Select the appropriate number [1-2] then [enter] (press 'c' to cancel):

Output
IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/example.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/example.com/privkey.pem
   Your cert will expire on 2018-07-23. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot again
   with the "certonly" option. To non-interactively renew *all* of
   your certificates, run "certbot renew"
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

Step 5

Verifying Certbot Auto-Renewal

sudo certbot renew --dry-run 
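
The dry run in Step 5 only shows that renewal works today. As an added example (not part of the original post), the script below keeps checking the certificates Certbot stores under /etc/letsencrypt/live. Certbot attempts renewal once a certificate is within 30 days of expiry, so one with fewer than 20 days left means renewal has been failing. The function names and the 20-day threshold are assumptions, and openssl is assumed to be installed.

```shell
#!/bin/sh
# Added example (not from the original post): report certificates under
# Certbot's live directory that are close to expiry.
# Assumptions: openssl is installed; cert_status and check_live_certs are
# hypothetical helper names; the 20-day threshold is illustrative.

# cert_status FILE DAYS: prints "ok", "expiring" or "unreadable".
cert_status() {
    if ! openssl x509 -noout -in "$1" >/dev/null 2>&1; then
        echo "unreadable"
    # -checkend exits 0 only if the cert is still valid DAYS from now.
    elif openssl x509 -noout -checkend "$(($2 * 86400))" -in "$1" >/dev/null 2>&1; then
        echo "ok"
    else
        echo "expiring"
    fi
}

# check_live_certs DIR DAYS: prints "STATUS<TAB>PATH" per certificate.
# Returns 0 if all are ok, 1 if any is expiring or unreadable,
# 2 if no fullchain.pem was found (wrong path or missing permissions).
check_live_certs() {
    local dir="$1" days="$2" rc=0 found=0 pem status
    for pem in "$dir"/*/fullchain.pem; do
        [ -e "$pem" ] || continue
        found=1
        status="$(cert_status "$pem" "$days")"
        printf '%s\t%s\n' "$status" "$pem"
        [ "$status" = "ok" ] || rc=1
    done
    if [ "$found" -eq 0 ]; then
        echo "no certificates found under $dir" >&2
        return 2
    fi
    return "$rc"
}

# Typical use on the server from this tutorial (run as root, e.g. from cron):
#   check_live_certs /etc/letsencrypt/live 20
```

A non-zero exit status from check_live_certs is the signal to alert on; status 2 usually means the script was not run as root or the path is wrong.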