Free SSL with NGINX and LetsEncrypt on Debian 10

Let’s Encrypt is a free https certificate you can install on your cheap VPS for free, browser-validated https.  In this tutorial, we’ll walk through setting up Let’s Encrypt https on an nginx host running on Debian 10.

We’ll be installing nginx from scratch but not will not be getting into php-fpm and other extensions in this tutorial. I’ll be starting from a spanking new VPS on Vultr.

This tutorial assumes that you’ve already got your DNS records setup. In other words, if you’re setting up for www.example.com, then www.example.com already has an A record or CNAME that points to your VPS. Note that the certbot installer we’ll be using will query DNS, so this must be working properly.

Installing and Setting Up nginx

Installing nginx in straightforward:

apt-get update && apt-get upgrade
apt-get install nginx

I’ll be setting up www.lowend.party and putting its web root in /web/www.lowend.party.

Let’s configure the web root and log directory:

mkdir -p /web/www.lowend.party
mkdir -p /var/log/nginx/www.lowend.party
chown www-data:adm /var/log/nginx/www.lowend.party

Configure Logs and Rotation

We want separate logs for each domain we host, and we want to rotate those logs. We can Debian’s log rotation system to accomplish this. We do this by placing the appropriate rules file in /etc/logrotate.d. Start with nginx’s basic log rotation rule:

cp /etc/logrotated.d/nginx /etc/logrotate.d/nginx_domain_logs

Now edit /etc/logrotate.d/nginx_domain_logs and modify as follows:

# change this: /var/log/nginx/*.log { 
# to this:
/var/log/nginx/*/*.log {

Setting Up nginx http

Before setting up https, we’ll setup http. I’ll place a place-holder index.html in /web/www.lowend.party:

<html>
<head>
<title>www.lowend.party test page</title>
</head>
<body>
<h1>www.lowend.party works!</h1>
</body>
</html>

Now take a look at /etc/nginx. /etc/nginx/sites-available should have a file for every single site we might host. Then we symlink into /etc/nginx/sites-enabled to turn on or off specific sites.

Let’s create a basic nginx config by creating /etc/nginx/sites-available/www.lowend.party:

server 
  server_name www.lowend.party;

  access_log /var/log/nginx/www.lowend.party/access.log;
  error_log /var/log/nginx/www.lowend.party/error.log;

  location / 
    root /web/www.lowend.party;
    index index.html;
  

Now make it live by:

ln -s /etc/nginx/sites-available/www.lowend.party /etc/nginx/sites-enabled/www.lowend.party

Let’s syntax check that file:

# nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

Now restart nginx:

systemctl restart nginx

Then I visited http://www.lowend.party and successfully saw the HTML I created early.

Activating Let’s Encrypt

Let’s start by installing certbot, the package that will setup https for us and keep our certificate fresh:

apt-get install certbot python-certbot-nginx

Now for the magic! Run this command:

certbot --authenticator webroot --installer nginx

And then follow along with the interactive install. My input is bolded:

# certbot --authenticator webroot --installer nginx
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer nginx
Enter email address (used for urgent renewal and security notices) (Enter 'c' to
cancel): raindog308@raindog308.com

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server at
https://acme-v02.api.letsencrypt.org/directory
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(A)gree/(C)ancel: A

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about our work
encrypting the web, EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: N

Which names would you like to activate HTTPS for?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: www.lowend.party
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 1
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for www.lowend.party
Input the webroot for www.lowend.party: (Enter 'c' to cancel): /web/www.lowend.party
Waiting for verification...
Cleaning up challenges
Deploying Certificate to VirtualHost /etc/nginx/sites-enabled/www.lowend.party

Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Redirecting all traffic on port 80 to ssl in /etc/nginx/sites-enabled/www.lowend.party

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations! You have successfully enabled https://www.lowend.party

(rest snipped)

Now take a look at /etc/nginx/sites-available/www.lowend.party:

server 
  server_name www.lowend.party;

  access_log /var/log/nginx/www.lowend.party/access.log;
  error_log /var/log/nginx/www.lowend.party/error.log;

  location / 
    root /web/www.lowend.party;
    index index.html;
  

  listen 443 ssl; # managed by Certbot
  ssl_certificate /etc/letsencrypt/live/www.lowend.party/fullchain.pem; # managed by Certbot
  ssl_certificate_key /etc/letsencrypt/live/www.lowend.party/privkey.pem; # managed by Certbot
  include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
  ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

server 
  if ($host = www.lowend.party) 
    return 301 https://$host$request_uri;
   # managed by Certbot

  server_name www.lowend.party;
  listen 80;
  return 404; # managed by Certbot

certbot has done the following:

  • provisioned an SSL certification for www.lowend.party
  • loaded the SSL configuration in /etc/letsencrypt
  • updated /etc/nginx/sites-available/www.lowend.party and put the proper nginx rules in place to serve HTTPS
  • also added an entry so that if you connect on http, it redirects to https

And going to http://www.lowend.party in my browser confirms everything is working correctly.

Keeping Your Certificate Up to Date

Here’s a cool part of the certbot system: this chore is already taken care of for you.

Take a peek in /etc/systemd/system/certbot.timer and you’ll see a job is setup to run twice a day to check renewal and renew if needed.

The post Free SSL with NGINX and LetsEncrypt on Debian 10 appeared first on Low End Box.

Read more »