Install an SSL certificate with Certbot on Ubuntu and Nginx
Certbot is an easy-to-use client that obtains and deploys Let's Encrypt SSL/TLS certificates, enabling encrypted HTTPS on your web server.
Certbot was developed by the Electronic Frontier Foundation (EFF) and others as a client for Let's Encrypt. You can read more about Certbot and Let's Encrypt on their respective sites.
Do you run a web server with SSH access and want to install a free SSL certificate on the websites it hosts? You are in the right place: let's see how to secure your website using Certbot, an ACME client, on Nginx and Ubuntu.
Prerequisites
To enable HTTPS on your website, you need to obtain a certificate (a type of file) from a certificate authority (CA). Let's Encrypt is a CA. To get a certificate for your website's domain from Let's Encrypt, you need to demonstrate control over the domain. With Let's Encrypt, you do this using software that implements the ACME protocol, which usually runs on your web host.
To figure out which method will work best for you, you'll need to know if you have shell access (also known as SSH access) to your web host. If you manage your website entirely through a control panel like cPanel, Plesk, or WordPress, there's a good chance you don't have shell access. You can ask your hosting provider to be sure.
Install an SSL certificate without shell access
The best way to use Let's Encrypt without shell access is to use the hosting provider's built-in support. If your hosting provider offers Let's Encrypt support, they can request a free certificate on your behalf, install it and keep it renewed automatically. For some hosting providers, this is a configuration setting that you need to turn on. Other providers automatically request and install certificates for all of their customers.
Install an SSL certificate with shell access
Most people with shell access are advised to use Certbot, the recommended ACME client. It can automate the issuance and installation of certificates without downtime. It also has advanced modes for people who don't want automatic configuration. Certbot is easy to use, works on many operating systems and has great documentation.
Install Certbot
To install the Certbot client on Ubuntu with Nginx, follow the official installation instructions. Type the following commands, one after another, into the SSH console.
Generate a Diffie-Hellman group
You should also generate a strong Diffie-Hellman group to strengthen the TLS key exchange. Diffie-Hellman (DH) groups determine the strength of the key agreed during the key exchange. Larger groups (more bits) are stronger, but take longer to generate and to use in the key exchange.
This command will generate a 2048-bit group:
It may take a few minutes before you have a strong DH group in /etc/ssl/certs/dhparam.pem. We will reference this path later; for now it is enough that you have it ready.
Create a configuration snippet with advanced encryption settings
We will now create a global snippet that defines the SSL settings needed to configure Nginx with a strong TLS cipher suite. Snippets let you place raw Nginx configuration in contexts other than the Nginx configuration generated by the ingress controller. They should be used as a last resort in cases where ConfigMap annotations and entries cannot help, and are intended for advanced Nginx users who need more control over the Nginx configuration.
We will enable advanced features that keep our server secure. Give the file a generic name (independent of any domain name):
This block redirects all incoming requests as follows:
Redirect all HTTP requests to HTTPS.
Redirect www.example.com to example.com (not www).
It is up to you how to redirect your domains. In this example I simply preferred the non-www version. It is a good idea to allow only one hostname to serve your site; otherwise browser caches and cookies will be stored separately for each hostname (unless configured otherwise).
Enable the server block and restart Nginx
Now that we have our server block file, we need to enable it. We do this by creating a symbolic link to the file in the sites-enabled directory, which Nginx reads at startup.
We can create these links by typing:
The file is now in the sites-enabled directory (while the original remains in sites-available). This is Nginx's convenient way of enabling and disabling sites by adding and removing links.
To avoid hash bucket memory issues that can arise when adding additional server names, we will adjust a single value in our /etc/nginx/nginx.conf file.
Link to newly obtained SSL certificate files
We are almost done. We just want to make sure that the newly generated SSL certificates are correctly referenced in the Nginx server blocks.
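The whole procedure above (DH group, global TLS snippet, redirecting server block, enabling the site, the nginx.conf hash bucket value and the reference to the new certificate files) as one script. This is an added example, not the post's own commands: the snippet file name ssl-params.conf, the cipher list, the document root /var/www/<domain>/html and the function names are my choices, while the /etc/letsencrypt/live/<domain>/ paths are where Certbot stores issued certificates and Ubuntu's nginx.conf ships the server_names_hash_bucket_size line commented out.

```shell
#!/bin/sh
# Added example, not the post's own commands. Assumes Ubuntu's Nginx layout and
# that certbot already placed certificates in /etc/letsencrypt/live/<domain>/.
# Each function takes the Nginx root as $1 so it can be tried in a scratch dir.
set -u
# 2048-bit DH group for the key exchange (slow; run once, as root).
make_dhparam() { openssl dhparam -out "$1" 2048; }

# Global, domain-independent TLS snippet (file name ssl-params.conf is my choice).
write_ssl_snippet() {   # $1 = nginx root
  mkdir -p "$1/snippets"
  cat > "$1/snippets/ssl-params.conf" <<'EOF'
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers on;
ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256;
ssl_dhparam /etc/ssl/certs/dhparam.pem;
ssl_session_cache shared:SSL:10m;
add_header Strict-Transport-Security "max-age=63072000" always;
EOF
}

# Server block: HTTP -> HTTPS, www -> apex, TLS vhost using certbot's files;
# then enable it by linking into sites-enabled, which Nginx reads at startup.
write_server_block() {  # $1 = nginx root, $2 = apex domain
  d=$2; certs="ssl_certificate /etc/letsencrypt/live/$d/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/$d/privkey.pem;
    include snippets/ssl-params.conf;"
  mkdir -p "$1/sites-available" "$1/sites-enabled"
  cat > "$1/sites-available/$d" <<EOF
server { listen 80; server_name $d www.$d; return 301 https://$d\$request_uri; }
server { listen 443 ssl http2; server_name www.$d;
    $certs
    return 301 https://$d\$request_uri; }
server { listen 443 ssl http2; server_name $d;
    $certs
    root /var/www/$d/html; }
EOF
  ln -sf "../sites-available/$d" "$1/sites-enabled/$d"
}

# Uncomment server_names_hash_bucket_size 64 in nginx.conf (Ubuntu ships it commented).
enable_hash_bucket() {  # $1 = nginx root
  sed 's/^\([[:space:]]*\)#[[:space:]]*\(server_names_hash_bucket_size 64;\)/\1\2/' \
    "$1/nginx.conf" > "$1/nginx.conf.tmp" && mv "$1/nginx.conf.tmp" "$1/nginx.conf"
}
if [ $# -ge 1 ]; then   # usage: sudo sh tls-setup.sh example.com
  [ -f /etc/ssl/certs/dhparam.pem ] || make_dhparam /etc/ssl/certs/dhparam.pem
  write_ssl_snippet /etc/nginx; write_server_block /etc/nginx "$1"; enable_hash_bucket /etc/nginx
  nginx -t && systemctl reload nginx
fi
```

Run it with the apex domain as the only argument; nginx -t validates the result before the reload, so a typo in the snippet or server block never takes the site down.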
Correct way to delete a Certbot SSL certificate
Normally, you would wait for a certificate to expire, but what if you have a certificate issued for a domain name you no longer need? What is the correct way to completely remove its files from your server?
When deleting SSL certificates, it is not a matter of manually deleting a single file. You should at least go through the following directories and delete the files associated with the domain name.
Command to delete the Certbot certificate
Fortunately, there is a command that removes all of these references for you. It presents an index from which you can select the domain name to delete:
Type the index number of the domain name certificate you want to delete and press Enter. The issued certificate will then be deleted.
A more direct way to delete a Certbot certificate, specifying the domain name, is as follows:
This might be useful if the domain name does not appear in the index.
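As an added example (not a command from the post), a small script that deletes a certificate by name with certbot delete --cert-name and then checks that nothing remains under Certbot's live/, archive/ and renewal/ directories, which is the manual clean-up described above. The function names and the scratch-root parameter are my assumptions; the directory layout is Certbot's standard one.

```shell
#!/bin/sh
# Added example, not the post's own commands. Assumes certbot's standard layout
# under /etc/letsencrypt (live/, archive/, renewal/); $2 lets the check run
# against a scratch directory instead of the real one.
set -u

# Print anything certbot keeps for a domain that still exists; return 1 if found.
certbot_leftovers() {   # $1 = domain, $2 = letsencrypt root (default /etc/letsencrypt)
  root=${2:-/etc/letsencrypt}; found=0
  for p in "$root/live/$1" "$root/archive/$1" "$root/renewal/$1.conf"; do
    if [ -e "$p" ]; then echo "still present: $p"; found=1; fi
  done
  return $found
}

# Deletion by certificate name (certbot may ask for confirmation), then the
# leftover check, so the function succeeds only when the domain is fully gone.
remove_certificate() {  # $1 = domain (certbot's --cert-name)
  certbot delete --cert-name "$1" && certbot_leftovers "$1"
}

if [ $# -ge 1 ]; then   # usage: sudo sh remove-cert.sh example.com
  remove_certificate "$1"
fi
```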
Duration, expiration and renewal of SSL certificates
Your web server now uses a free Let's Encrypt TLS / SSL certificate to deliver HTTPS content securely.
Note that these are short-lived certificates that expire after 90 days. Many Linux distributions (CentOS, Debian, Fedora, RHEL and Ubuntu) provide automatic renewal when Certbot is installed from their system package manager (e.g. apt on Ubuntu).
If you installed Certbot on Ubuntu with the apt command (as shown in this guide), you will not have to worry about renewing certificates, because the system does this automatically.
Alternatively run the command:
certbot renew
occasionally to renew certificates that expire within the next 30 days. You can also set up a cron job to automate certificate renewals.
Conclusion
Now that you have completed this guide, your websites will be protected by SSL certificates, which, as has long been known, are one of the many ranking factors on Google. As you have seen, the process is simple and requires no special maintenance.
For me, and for those who do SEO but not only them, it is nice to be able to get to grips with the web server. I believe that knowing how the tools that make the internet work actually work is a great opportunity to grow and to provide increasingly specific and advanced advice and services. After all, if I, who am not a computer engineer, learned how to manage a web server, you can all do it!