Let's Encrypt is a free Certificate Authority (CA). It provides a simple way to obtain, install and renew free TLS/SSL certificates.
Here at LinuxAPT, as part of our Server Management Services, we regularly help our customers with Let's Encrypt SSL certificate queries.
In this context, we shall look into how to obtain and install a free SSL certificate and secure Nginx with Let's Encrypt on a Debian 9 server.
Before proceeding with this Installation procedure, ensure that the following requirements are met:
Here, you will learn how to use the Certbot tool to obtain a free SSL certificate for Nginx on Debian.
1. Install Certbot Client
Using the Certbot client package, you can easily obtain, install and renew Let's Encrypt SSL certificates, and configure the web server to use them. The certbot package is included in the default Debian repositories.
First, we will update the packages list:
$ sudo apt update
Now install the Certbot client together with its Nginx plugin. On Debian 9 the package is named python-certbot-nginx (Debian 10 and later ship it as python3-certbot-nginx):
$ sudo apt install python-certbot-nginx
Verify that certbot was installed successfully by printing its version:
$ certbot --version
2. Adjust Firewall
If the UFW firewall is enabled on the server, you need to adjust it to allow HTTPS traffic (TCP port 443). Port 80 must stay open as well: Let's Encrypt validates domain ownership over plain HTTP, and it is where the HTTP-to-HTTPS redirect is served.
You can see the current setting by executing the command:
$ sudo ufw status
Output
Status: active

To                         Action      From
--                         ------      ----
OpenSSH                    ALLOW       Anywhere
Nginx HTTP                 ALLOW       Anywhere
OpenSSH (v6)               ALLOW       Anywhere (v6)
Nginx HTTP (v6)            ALLOW       Anywhere (v6)
To let HTTPS traffic in, allow the Nginx Full profile (ports 80 and 443) and delete the now redundant Nginx HTTP rule:
$ sudo ufw allow 'Nginx Full'
$ sudo ufw delete allow 'Nginx HTTP'
The status should now look like this:
Output
Status: active

To                         Action      From
--                         ------      ----
OpenSSH                    ALLOW       Anywhere
Nginx Full                 ALLOW       Anywhere
OpenSSH (v6)               ALLOW       Anywhere (v6)
Nginx Full (v6)            ALLOW       Anywhere (v6)
3. Obtain an SSL Certificate
Certbot can obtain certificates through several plugins (nginx, apache, webroot, standalone and DNS plugins). Here, we use the nginx plugin, which both obtains the certificate and edits the Nginx configuration to use it:
$ sudo certbot --nginx -d example.com -d www.example.com
The command above requests one certificate covering both example.com and www.example.com; each -d flag adds a domain, and every domain listed must already resolve to this server.
If you are requesting a certificate for the first time, certbot asks for an email address and asks you to agree to the Let's Encrypt terms of service. The email address is used for renewal and expiry reminders and for urgent notices about your certificates.
Next, certbot validates that you control the domains. If validation succeeds, it asks how to configure HTTPS:
Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
-------------------------------------------------------------------------------
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
-------------------------------------------------------------------------------
Select the appropriate number [1-2] then [enter] (press 'c' to cancel):
Select your choice and hit Enter. Certbot updates your Nginx server block according to the selected option and reloads Nginx so the new settings take effect. Option 2 (redirect) is the safer choice for a new site, because clients that arrive over plain HTTP are sent to HTTPS instead of being served unencrypted.
Your domain is now secured with a Let's Encrypt certificate. You can verify this by visiting your site over HTTPS; the browser should show a valid certificate issued by Let's Encrypt and, if you chose the redirect, plain http:// URLs should land on https://.
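Beyond opening the site in a browser, it is worth checking exactly what a client gets back. The script below is an added example, not code from the LinuxAPT article: it fetches the response headers of the plain-HTTP and HTTPS URLs with curl, confirms that HTTP answers with a redirect to https://<host>, and reports whether a Strict-Transport-Security (HSTS) header is present. The header-parsing functions work on a plain string, so they can be exercised offline with constructed responses; only check_site talks to the network. The host name example.com and the 10-second curl timeout are assumptions.

```shell
#!/bin/sh
# check_https_deploy.sh -- added example, not code from the LinuxAPT article.
# Checks what a client actually receives after certbot has installed the
# certificate and (optionally) the HTTP->HTTPS redirect:
#   * http://HOST/ must answer with a redirect whose Location is https://HOST/...
#   * https://HOST/ should carry a Strict-Transport-Security header.
# The host name and curl timeout are assumptions for illustration.

# redirect_target HEADERS
# Print the Location of a 301/302/307/308 response; fail (exit 1) if the
# status line is not a redirect. HEADERS is the raw header block; CRLF
# line endings as sent by nginx are tolerated.
redirect_target() {
    printf '%s\n' "$1" | awk '
        NR == 1 && $2 !~ /^(301|302|307|308)$/ { exit 1 }
        tolower($1) == "location:" { sub(/\r$/, "", $2); print $2; exit 0 }
    '
}

# is_https_redirect HEADERS HOST
# Succeed only if HEADERS redirect to https://HOST (with or without a path),
# so a redirect to http:// or to a different host counts as a failure.
is_https_redirect() {
    target=$(redirect_target "$1") || return 1
    case "$target" in
        "https://$2" | "https://$2/"*) return 0 ;;
    esac
    return 1
}

# hsts_max_age HEADERS
# Print the max-age value of the Strict-Transport-Security header, or 0 if
# the header is absent.
hsts_max_age() {
    printf '%s\n' "$1" | awk '
        tolower($1) == "strict-transport-security:" {
            if (match($0, /max-age=[0-9]+/)) {
                print substr($0, RSTART + 8, RLENGTH - 8); found = 1; exit 0
            }
        }
        END { if (!found) print 0 }
    '
}

# check_site HOST
# Live check (needs network): fetch the headers over HTTP and HTTPS.
check_site() {
    host=$1
    http_hdr=$(curl -sI --max-time 10 "http://$host/") \
        || { echo "FAIL: HTTP request to $host failed"; return 1; }
    if is_https_redirect "$http_hdr" "$host"; then
        echo "OK: http://$host/ redirects to HTTPS"
    else
        echo "WARN: http://$host/ does not redirect to https://$host/"
    fi
    # curl verifies the certificate chain itself; a bad chain makes this fail.
    https_hdr=$(curl -sI --max-time 10 "https://$host/") \
        || { echo "FAIL: HTTPS request to $host failed (certificate or chain problem?)"; return 1; }
    age=$(hsts_max_age "$https_hdr")
    if [ "$age" -gt 0 ]; then
        echo "OK: HSTS max-age=$age"
    else
        echo "INFO: no Strict-Transport-Security header (certbot adds one only with --hsts)"
    fi
}

# Usage: ./check_https_deploy.sh example.com   (the host is an assumption)
if [ -n "${1:-}" ]; then
    check_site "$1"
fi
```

Run it against your own domain after the certbot command finishes. A WARN on the redirect usually means option 1 was chosen or another server block still answers on port 80; a FAIL on the HTTPS request means curl rejected the certificate or chain, which browsers will reject too.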
4. Auto Renew Let's Encrypt SSL certificate
Let's Encrypt SSL certificates are valid for only 90 days, so they must be renewed before they expire. You can renew all certificates managed by certbot by running the following command; it only renews certificates that are within 30 days of expiry and leaves the others untouched:
$ sudo certbot renew
The Debian certbot package already installs an automatic renewal job: /etc/cron.d/certbot, and on systemd systems (Debian 9 and later) the certbot.timer unit, which runs certbot -q renew twice a day. Check that the timer is active with:
$ systemctl list-timers certbot.timer
If you prefer to manage renewal with your own cron job instead, open root's crontab:
$ sudo crontab -e
Append the line below at the end of the file. It runs twice a day, sleeps a random interval of up to 12 hours to spread the load on Let's Encrypt's servers, and renews only certificates that are about to expire:
0 */12 * * * test -x /usr/bin/certbot && perl -e 'sleep int(rand(43200))' && certbot -q renew
Save and close the file. Note that the line shipped in /etc/cron.d/certbot has a user field (root) after the schedule and a "! -d /run/systemd/system" test that keeps it idle whenever the systemd timer is present; neither belongs in a personal crontab, where the user field would be interpreted as the start of the command and the systemd test would prevent the job from ever renewing anything.
You can verify that the automatic renewal process works, without actually renewing anything, by running:
$ sudo certbot renew --dry-run
This article covered how to install the certbot client, obtain a Let's Encrypt SSL certificate and configure Nginx to use it. You also learned how to set up a cron job for automatic certificate renewal.
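A dry run proves that renewal can work today; it does not tell you if renewal silently stops working later (a DNS change, port 80 blocked, a broken Nginx configuration). The script below is an added example, not code from the LinuxAPT article: it computes the days left on every certificate certbot has issued from the notAfter date in cert.pem and exits non-zero when any is below a threshold, so it can run from cron or a monitoring agent and page you well before a 90-day certificate actually expires. The live directory path, the 14-day alert threshold and the use of GNU date are assumptions.

```shell
#!/bin/sh
# le_expiry_check.sh -- added example, not code from the LinuxAPT article.
# "certbot renew" only acts when a certificate has fewer than 30 days left,
# so if renewal keeps failing the first visible symptom is an expired site.
# This script reports the days left on each issued certificate and fails
# when any is below a threshold. Paths and threshold are assumptions.

LIVE_DIR=${LIVE_DIR:-/etc/letsencrypt/live}

# cert_days_left NOT_AFTER [NOW_EPOCH]
# NOT_AFTER is the date text printed by "openssl x509 -enddate", for example
# "Mar  1 00:00:00 2024 GMT". NOW_EPOCH defaults to the current time; it is a
# parameter so the arithmetic can be checked against a fixed instant.
# Requires GNU date (-d); a negative result means the certificate has expired.
cert_days_left() {
    exp=$(date -u -d "$1" +%s) || return 2
    now=${2:-$(date -u +%s)}
    echo $(( (exp - now) / 86400 ))
}

# cert_not_after CERT_PEM
# Extract the notAfter text from a PEM certificate.
cert_not_after() {
    openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//'
}

# check_all_certs THRESHOLD_DAYS
# Report every certificate under LIVE_DIR; return 1 if any has fewer than
# THRESHOLD_DAYS left, i.e. automatic renewal did not happen when it should.
check_all_certs() {
    threshold=$1
    status=0
    for pem in "$LIVE_DIR"/*/cert.pem; do
        [ -e "$pem" ] || continue          # glob matched nothing
        name=$(basename "$(dirname "$pem")")
        days=$(cert_days_left "$(cert_not_after "$pem")") \
            || { echo "ALERT: $name: cannot parse expiry date"; status=1; continue; }
        if [ "$days" -lt "$threshold" ]; then
            echo "ALERT: $name expires in $days days; run: sudo certbot renew"
            status=1
        else
            echo "OK: $name expires in $days days"
        fi
    done
    return $status
}

# Usage: sudo ./le_expiry_check.sh run [threshold_days]
# (reading /etc/letsencrypt/live needs root; the functions can also be sourced)
if [ "${1:-}" = "run" ]; then
    check_all_certs "${2:-14}"
fi
```

A threshold of 14 days leaves the renewal job two weeks of retries before the alert fires, yet still gives you two weeks to fix the cause by hand; pick a value below 30, otherwise the check fires every time before certbot has even tried.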
On Debian releases where Certbot is packaged for Python 3 (Debian 10 and later), install it as follows:
1. Update your package list.
$ sudo apt update
2. Next, install the dependencies of the python3-certbot-nginx package: python3-acme, python3-certbot, python3-mock, python3-openssl, python3-pkg-resources, python3-pyparsing and python3-zope.interface. (apt pulls these in automatically when you install python3-certbot-nginx, so this step only makes the dependency set explicit.)
$ sudo apt install python3-acme python3-certbot python3-mock python3-openssl python3-pkg-resources python3-pyparsing python3-zope.interface
3. Finally, install the python3-certbot-nginx package:
$ sudo apt install python3-certbot-nginx