Today an SSL certificate is a must. Luckily, Let's Encrypt certificates are available for free. This post shows how to install Let's Encrypt on an Ubuntu server, which is easy if you have basic knowledge of Linux.
To my knowledge, this certificate cannot be installed if your server is behind a load balancer.
So these simple steps are for Nginx servers configured directly on a public IP.
What is a load balancer?
A load balancer balances traffic on the network. It can also act as a proxy that divides both incoming and outgoing traffic, distributing it across multiple servers.

So far, I have tried installing Let's Encrypt a few times on a server with load balancing, but all attempts failed because the “acme-challenge” test required by certbot failed to access my domain.
If your server setup uses a load balancer, you can refer to this community link. It seems more complicated, I guess.
Nginx
What is Nginx?
NGINX (engine x) is open source web server software. When first released, NGINX functioned only as an HTTP web service.
But now, the software also acts as a reverse proxy, HTTP load balancer, and email proxy for IMAP, POP3, and SMTP.
Installing Nginx is quite simple. Type the following commands.

    $ sudo apt update
    $ sudo apt install nginx

After these commands complete, Nginx is installed. Don’t forget to make sure Nginx is running by typing your server's IP in the browser. Just to make sure, you can also type service nginx restart to reload the service.
Nginx Config
After installing Nginx, we have to configure the server as needed. For example, if we want to serve yourdomain.com and www.yourdomain.com, then we need to configure both names. So let’s change the current directory to add the Nginx configuration.
By default, the Nginx configuration is located in /etc/nginx. After logging in via SSH, you can type this in the console: cd /etc/nginx.
I prefer to put my configuration inside the conf.d directory, so here are the commands.

    $ cd /etc/nginx/conf.d/
    $ touch yourdomain.conf
    $ ls -alh
    total 20K
    drwxr-xr-x 2 root root 4.0K Feb 6 15:13 .
    drwxr-xr-x 6 root root 4.0K Feb 6 15:16 ..
    -rw-r--r-- 1 root root 3.3K Feb 6 14:34 yourdomain.conf
    $ nano yourdomain.conf

You can edit the file using the nano or vim editor. If you’re used to VSCode, you can use the rmate extension for simple remote editing via SSH. To configure VSCode to use rmate, you can refer to this medium link.
Here is the complete config for the yourdomain.conf file:

    # /etc/nginx/conf.d/yourdomain.conf
    #
    server {
        listen 80;
        server_name yourdomain.com www.yourdomain.com;

        #charset koi8-r;
        access_log /var/log/nginx/access.log;
        error_log /var/log/nginx/error.log;

        root /var/www/yourdomain;

        location / {
            index index.html index.php;
            try_files $uri $uri/ /index.php?$args;
        }

        location ~ /\.ht {
            deny all;
        }

        location ~* \.(js|css|png|jpg|jpeg|gif|svg|ico)$ {
            expires 30d;
            add_header Cache-Control "public, no-transform";
        }

        # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
        #
        location ~ \.php$ {
            #fastcgi_pass 127.0.0.1:9000;
            fastcgi_pass unix:/var/run/php/php7.2-fpm.sock;
            fastcgi_index index.php;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
            include fastcgi_params;
        }
    }

Save the file and close after editing. Change the fastcgi_pass parameter according to your PHP version.
After that, don’t forget to add the directory to the main configuration in /etc/nginx/nginx.conf, so that Nginx will see the conf.d directory.
Here is the nginx.conf file; see the ADD THIS LINE comment.

    # /etc/nginx/nginx.conf
    user www-data;
    worker_processes auto;
    pid /run/nginx.pid;
    include /etc/nginx/modules-enabled/*.conf;

    events {
        worker_connections 768;
        # multi_accept on;
    }

    http {
        ##
        # Basic Settings
        ##
        sendfile on;
        tcp_nopush on;
        tcp_nodelay on;
        keepalive_timeout 65;
        types_hash_max_size 2048;

        include /etc/nginx/mime.types;
        default_type application/octet-stream;

        # TLSv1 and TLSv1.1 are deprecated (RFC 8996); drop them if no legacy clients need them
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
        ssl_prefer_server_ciphers on;

        access_log /var/log/nginx/access.log;
        error_log /var/log/nginx/error.log;

        gzip on;

        # ADD THIS LINE
        include /etc/nginx/conf.d/*.conf;
    }

Add include /etc/nginx/conf.d/*.conf; at the bottom of the http block, before the closing curly brace. Save and close.
To make sure everything is fine, type nginx -t and see if there is an error, then service nginx restart to restart the service.
Linux
Ubuntu version
To install this certificate, we must first know which version of Ubuntu Linux is installed, using the lsb_release -a command.
This is a useful step to keep us on track. With the version in hand, we can search Google for help and find content relevant to this release.

    root@user:~# lsb_release -a
    No LSB modules are available.
    Distributor ID: Ubuntu
    Description: Ubuntu 18.04.3 LTS
    Release: 18.04
    Codename: bionic

Now that you know the current server version (for example, Ubuntu 18.04), we can continue installing Let's Encrypt.
Let's Encrypt command
First, make sure all domains are properly configured on Nginx. Both yourdomain.com and www.yourdomain.com should be tested in your browser. If you forget how, go back to the Nginx configuration steps above.
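The check described above can be scripted. The following is an added example, not part of the original post: it confirms that every domain you plan to pass to certbot with -d is listed in a server_name directive, and, going slightly beyond this step, lists deprecated protocols enabled by an ssl_protocols line such as the one in the nginx.conf shown earlier. The function names and the api.yourdomain.com domain are illustrative assumptions, and the script assumes each directive starts on its own line.

```bash
#!/bin/sh
# Added example: pre-flight checks before running "certbot --nginx".
# Assumes each directive starts on its own line, as in the configs above.

# Print every name listed in server_name directives of the given files.
server_names() {
  awk '{ sub(/#.*/, "") }                        # strip comments
       $1 == "server_name" { insn = 1; $1 = "" }
       insn { ended = sub(/;.*/, "")             # directive ends at ";"
              n = split($0, a, " ")
              for (i = 1; i <= n; i++) print a[i]
              if (ended) insn = 0 }' "$@"
}

# Print each requested domain that no server_name in DIR/*.conf lists
# (exact match; wildcard and regex names are not expanded). Fails if any.
missing_domains() (
  dir=$1; shift; missing=0
  names=$(server_names "$dir"/*.conf)
  for d in "$@"; do
    printf '%s\n' "$names" | grep -qxF -- "$d" || { echo "$d"; missing=1; }
  done
  [ "$missing" -eq 0 ]
)

# Print deprecated protocols (SSLv2/3, TLSv1, TLSv1.1; see RFC 8996 for the
# TLS ones) enabled by ssl_protocols in the given files.
deprecated_tls() {
  awk '{ sub(/#.*/, "") }
       $1 == "ssl_protocols" {
         sub(/;.*/, "")
         for (i = 2; i <= NF; i++)
           if ($i ~ /^(SSLv[23]|TLSv1|TLSv1\.1)$/) print $i
       }' "$@"
}

# Constructed sample files mirroring the tutorial's layout (not a real server).
make_sample() {
  s=$(mktemp -d) && mkdir "$s/conf.d"
  printf 'server {\n  listen 80;\n  server_name yourdomain.com\n    www.yourdomain.com;\n}\n' > "$s/conf.d/yourdomain.conf"
  printf 'http {\n  ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3\n}\n' > "$s/nginx.conf"
  echo "$s"
}

sample=$(make_sample)
# api.yourdomain.com is a made-up name that the sample config does not serve.
missing_domains "$sample/conf.d" yourdomain.com www.yourdomain.com api.yourdomain.com || true
deprecated_tls "$sample/nginx.conf"
```

On a real server, point missing_domains at /etc/nginx/conf.d and deprecated_tls at /etc/nginx/nginx.conf; any line printed is something to fix before requesting the certificate.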
Cert-bot
Then, install cert-bot to automate the installation process. Add the new repository below.
If there’s a question or a confirmation prompt, you’ll need to press ENTER to accept.

    $ sudo add-apt-repository ppa:certbot/certbot
    $ sudo apt install python-certbot-nginx

Finally, obtain an SSL certificate.

    $ sudo certbot --nginx -d yourdomain.com -d www.yourdomain.com

Output

    Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
    -------------------------------------------------------------------------------
    1: No redirect - Make no further changes to the webserver configuration.
    2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
    new sites, or if you're confident your site works on HTTPS. You can undo this
    change by editing your web server's configuration.
    -------------------------------------------------------------------------------
    Select the appropriate number [1-2] then [enter] (press 'c' to cancel):

I often choose 2 on the above screen. So when the user types a non-https URL in the browser, the server can redirect to https. Select your choice and press ENTER.

Output

    IMPORTANT NOTES:
     - Congratulations! Your certificate and chain have been saved at:
       /etc/letsencrypt/live/example.com/fullchain.pem
       Your key file has been saved at:
       /etc/letsencrypt/live/example.com/privkey.pem
       Your cert will expire on 2021-05-13. To obtain a new or tweaked
       version of this certificate in the future, simply run certbot again
       with the "certonly" option. To non-interactively renew *all* of
       your certificates, run "certbot renew"
     - Your account credentials have been saved in your Certbot
       configuration directory at /etc/letsencrypt. You should make a
       secure backup of this folder now. This configuration directory will
       also contain certificates and private keys obtained by Certbot so
       making regular backups of this folder is ideal.
     - If you like Certbot, please consider supporting our work by:
       Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
       Donating to EFF: https://eff.org/donate-le

The above message tells us that the installation was successful. You can type your domain in the browser and see whether https is working.

At this moment, we don’t need to set up a firewall but just make sure everything is working as it should.
Renew certificate
Every 3 months we must renew this certificate, but don’t worry because certbot will do the process automatically.
Have you ever tried installing Let's Encrypt? Or have you ever tried to install it on a server behind a load balancer?