Let's Encrypt(Certbot) free SSL with Nginx/Apache configurations on ubuntu (22.04 | 20.04 | 18.04)

Certbot is part of EFF's effort to encrypt the entire internet. Anyone who has gone through the trouble of setting up a secure website knows what a hassle getting and maintaining a certificate is. Certbot and Let's Encrypt can automate away the pain and let you turn on and manage HTTPS with simple setup commands. It's totally free to use.

You are not required to use Let's Encrypt to obtain an SSL certificate; you are free to use any Certificate Authority you choose.

This tutorial walks through installing the Let's Encrypt client (Certbot) on an Ubuntu 20.04 Linux system.

Prerequisites:

  • A running Ubuntu 20.04 system with a non-root user that has sudo privileges.
  • A registered domain name whose DNS record points to the Ubuntu 20.04 server.
  • A web server, Nginx or Apache, running on the server (Nginx is used in this tutorial).
  • Port 80 or 443 must be unused by other services on your server.

Note: The installation method is the same for Apache; only the Certbot plugin used is different.

Installation:

1. Installing Certbot

Snap packages are the easiest way to install Certbot on an Ubuntu system. Snap packages work on nearly all Linux distributions, but snapd must be installed first in order to manage them. Certbot itself is a third-party client that makes obtaining Let's Encrypt certificates easy. First, SSH to the server and update the package index and installed packages:

sudo apt update && sudo apt upgrade -y

After the system has been updated and upgraded, install the packages required to run Certbot with the Nginx plugin:

sudo apt install certbot python3-certbot-nginx

Once done, confirm the Nginx virtual host configuration. A correct virtual host is what makes the installation succeed: Certbot reads the Nginx configuration to find the server block for your domain and installs the Let's Encrypt certificate there.

2. Nginx Virtualhost configuration

To create a Certbot SSL certificate, make sure the domain or subdomain is configured as a virtual host on the Nginx web server.

Open /etc/nginx/sites-available/your.domain.conf (for example with vim) and set server_name to your domain:

vim /etc/nginx/sites-available/your.domain.conf

server {
        listen 80 default_server;
        root /var/www/html;

        # Optional: reject a few scraper user agents (kept from the original file)
        if ($http_user_agent ~* LWP::Simple|BBBike|wget) {
                return 403;
        }

        index index.html index.htm index.nginx-debian.html;

        # Must be the exact domain you will pass to certbot -d (note the trailing semicolon)
        server_name your.domain.com;

        # Serve files from root; anything not found answers 404
        location / {
                try_files $uri $uri/ =404;
        }
}

The server_name must match the domain for which Let's Encrypt will issue the certificate. Then test the Nginx configuration.

Nginx testing:

After the configuration has been saved, use the following command to check its syntax:

sudo nginx -t

With a correct configuration the output is:

nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

Restart the Nginx service:

sudo systemctl restart nginx

3. Allow HTTPS

You have to open ports 80 (HTTP) and 443 (HTTPS) in the firewall so that traffic can reach and leave the server.

Check the firewall status:

sudo ufw status

If the firewall is inactive, you can continue to the next step. Turning the firewall on is recommended, though, since it protects the server from external attacks.

Now allow ports 80 and 443, i.e. HTTP and HTTPS (and SSH, so you are not locked out when the firewall is enabled):

sudo ufw allow http
sudo ufw allow https
sudo ufw allow ssh

Then enable Firewall/UFW:

sudo ufw enable

Check the status:

sudo ufw status

Output will be:

Status: active

To                         Action      From
--                         ------      ----
80/tcp                     ALLOW       Anywhere
443/tcp                    ALLOW       Anywhere
22/tcp                     ALLOW       Anywhere
80/tcp (v6)                ALLOW       Anywhere (v6)
443/tcp (v6)               ALLOW       Anywhere (v6)
22/tcp (v6)                ALLOW       Anywhere (v6)

Finally, you can run Certbot and generate certificates.

4. Generate SSL

Since we are using the Nginx plugin, we can request a certificate for the DNS name your.domain.com with:

sudo certbot --nginx -d your.domain.com

This requests a certificate for the domain and asks a few questions (email address, agreement to the terms, etc.). Certbot then generates the Let's Encrypt certificate and wires it into the configuration for your domain under /etc/nginx/sites-available/.

Output:

Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel):
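Added here as an example (not part of the original post): a small pre-flight check for the virtual host from step 2, run before the certbot command above. It assumes the server block text is held in a shell variable; the function names and the sample configuration are mine.

```shell
#!/bin/sh
# Added example, not from the original post: a pre-flight check for step 2.
# Certbot's --nginx plugin picks the server block whose server_name lists the
# domain given with -d, and nginx -t rejects a server_name line that lacks its
# closing ';'. Function and variable names here are my own.

# Constructed sample virtual host using the post's placeholder domain.
SAMPLE_CONF='server {
    listen 80 default_server;
    root /var/www/html;
    server_name your.domain.com www.your.domain.com;
    location / { try_files $uri $uri/ =404; }
}'

# Print the names from every terminated server_name directive.
server_names() {
    printf '%s\n' "$1" \
    | sed -n 's/^[[:space:]]*server_name[[:space:]]\{1,\}\(.*\);[[:space:]]*$/\1/p'
}

# Exit 0 only when DOMAIN appears verbatim in some server_name directive.
vhost_has_name() {
    names=" $(server_names "$1" | tr '\n\t' '  ') "
    case "$names" in *" $2 "*) return 0 ;; esac
    return 1
}

# Exit 0 when a server_name line is missing its ';' (the typo in the post's snippet).
has_unterminated_server_name() {
    printf '%s\n' "$1" \
    | grep -E '^[[:space:]]*server_name[[:space:]]' \
    | grep -qvE ';[[:space:]]*$'
}

# preflight CONF_TEXT DOMAIN: print a verdict; return 0 if certbot --nginx can proceed.
preflight() {
    if has_unterminated_server_name "$1"; then
        echo "FAIL: a server_name line lacks ';' so nginx -t will reject the file"
        return 1
    fi
    if ! vhost_has_name "$1" "$2"; then
        echo "FAIL: no server_name lists $2, so certbot --nginx -d $2 has no block to edit"
        return 1
    fi
    echo "OK: $2 is served by this virtual host; safe to run certbot --nginx -d $2"
}

preflight "$SAMPLE_CONF" your.domain.com
```

On a real server, load the file with SAMPLE_CONF=$(cat /etc/nginx/sites-available/your.domain.conf) before calling preflight.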

The certificate is only valid for 90 days, so it must be renewed before it expires. The good news is that the Certbot package you installed already provides a renewal service (a systemd timer, alongside a cron job in /etc/cron.d/). Check it with:

systemctl status certbot.timer

Output will be:

● certbot.timer - Run certbot twice daily
   Loaded: loaded (/lib/systemd/system/certbot.timer; enabled; vendor preset: enabled)
   Active: active (waiting) since Thu 2021-12-23 00:56:59 UTC; 1 months 17 days ago
  Trigger: Wed 2022-02-09 23:47:10 UTC; 18h left

This timer runs Certbot twice a day, and Certbot renews a certificate once it is within 30 days of its expiration date.

Test the renewal process with a dry run to make sure it works:

sudo certbot renew --dry-run
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/your.domain.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator apache, Installer apache
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for your.domain.com
Waiting for verification...
Cleaning up challenges

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
new certificate deployed with reload of apache server; fullchain is
/etc/letsencrypt/live/your.domain.com/fullchain.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

That's it.

If automatic renewal fails, Certbot sends an error message to the email address that was registered when the certificate was generated.

Explore more DevOps blogs of mine: https://scanskill.com/profile/sagar

Thank you!