Installing Let's Encrypt Is Not Difficult At All! You Just Need To Know Ubuntu Version And This Command

Today an SSL certificate is a must. Luckily, we can get Let's Encrypt certificates for free. Here we will install Let's Encrypt on an Ubuntu server. Installing Let's Encrypt is easy if we have basic knowledge of Linux.

To my knowledge, this certificate cannot be installed if your server is behind a load balancer.

So these simple steps are for servers that are configured directly with a public IP and run Nginx.

What is a load balancer?

A load balancer balances traffic on the network. It can also act as a proxy that divides both incoming and outgoing traffic, distributing traffic across multiple servers.

Server configuration using load balancer

So far, I have tried installing lets-encrypt a few times on a server with load balancing, but all failed because the “acme-challenge” test required by certbot failed to access my domain.

If your server setup uses a load balancer, you can refer to this community link. It seems more complicated, I guess.

Nginx

What is Nginx?

NGINX (engine x) is open source web server software. When first released, NGINX functioned only as an HTTP web service.

But now, the software also acts as a reverse proxy, HTTP load balancer, and email proxy for IMAP, POP3, and SMTP.

Installing Nginx is quite simple; type the following commands.

$ sudo apt update
$ sudo apt install nginx

After these commands complete, Nginx is installed. Don't forget to make sure Nginx is running by typing your server's IP address in the browser. To be sure, you can also type service nginx restart to restart the service.

Nginx Config

After installing Nginx, we have to configure the server as needed. For example, if we want to access yourdomain.com and www.yourdomain.com, then we need to configure them. So let’s change the current directory to add Nginx configuration.

By default, the Nginx configuration is located in /etc/nginx. After successfully logging in via SSH, you can type this in the console: cd /etc/nginx.

I prefer to put my configuration inside conf.d directory, so here are the commands.

$ cd /etc/nginx/conf.d/
$ touch yourdomain.conf
$ ls -alh
total 20K
drwxr-xr-x 2 root root 4.0K Feb  6 15:13 .
drwxr-xr-x 6 root root 4.0K Feb  6 15:16 ..
-rw-r--r-- 1 root root 3.3K Feb  6 14:34 yourdomain.conf
$ nano yourdomain.conf 

You can edit the file using the nano or vim editor. If you're used to VSCode, you can use the rmate extension for simple remote editing via SSH. To configure VSCode to use rmate, you can refer to this Medium link.

Here is the complete config for yourdomain.conf file

# /etc/nginx/conf.d/yourdomain.conf
#
server {
	listen 80;
	server_name yourdomain.com www.yourdomain.com;

	#charset koi8-r;
	access_log  /var/log/nginx/access.log;
	error_log  /var/log/nginx/error.log;
	root	/var/www/yourdomain;

	location / {
		index  index.html index.php;
		try_files $uri $uri/ /index.php?$args;
	}

	location ~ /\.ht {
		deny all;
	}

	location ~* \.(js|css|png|jpg|jpeg|gif|svg|ico)$ {
		expires 30d;
		add_header Cache-Control "public, no-transform";
	}

	# pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
	#
	location ~ \.php$ {
		#fastcgi_pass   127.0.0.1:9000;
		fastcgi_pass unix:/var/run/php/php7.2-fpm.sock;
		fastcgi_index  index.php;
		fastcgi_param  SCRIPT_FILENAME  $document_root$fastcgi_script_name;
		include        fastcgi_params;
	}
}

Save the file and close after editing. Change fastcgi_pass params according to your PHP version.

After that, don’t forget to add the directory in the main configuration in /etc/nginx/nginx.conf, so that Nginx will see the conf.d directory.

Here is nginx.conf file, see ADD THIS LINE comment

# /etc/nginx/nginx.conf

user www-data;
worker_processes auto;
pid /run/nginx.pid;
include /etc/nginx/modules-enabled/*.conf;

events {
	worker_connections 768;
	# multi_accept on;
}

http {

	##
	# Basic Settings
	##

	sendfile on;
	tcp_nopush on;
	tcp_nodelay on;
	keepalive_timeout 65;
	types_hash_max_size 2048;

	include /etc/nginx/mime.types;
	default_type application/octet-stream;

	ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
	ssl_prefer_server_ciphers on;

	access_log /var/log/nginx/access.log;
	error_log /var/log/nginx/error.log;

	gzip on;

	# ADD THIS LINE
	include /etc/nginx/conf.d/*.conf;
}

Add include /etc/nginx/conf.d/*.conf; at the bottom of the http block, before the closing curly brace. Save and close.

To make sure everything is fine, type nginx -t and see if there is an error, then service nginx restart to restart the service.
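
The nginx.conf shown above still enables TLSv1 and TLSv1.1, which RFC 8996 deprecated. The check below is an added example, not part of the original post; the function name find_deprecated_tls and the two sample files are constructed for illustration, and it assumes each ssl_protocols directive sits on one line.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): flag deprecated protocol
# versions enabled by nginx ssl_protocols directives.

# Prints "file:line:protocol" for every deprecated protocol that is enabled.
# Assumption: each ssl_protocols directive is written on a single line.
find_deprecated_tls() {
  awk '
    {
      line = $0
      sub(/#.*/, "", line)   # ignore comments such as "# Dropping SSLv3"
      if (line !~ /^[ \t]*ssl_protocols[ \t]/) next
      gsub(/;/, "", line)
      n = split(line, tok, /[ \t]+/)
      # Compare whole tokens so that TLSv1.2 is not mistaken for TLSv1.
      for (i = 1; i <= n; i++)
        if (tok[i] ~ /^(SSLv2|SSLv3|TLSv1|TLSv1\.1)$/)
          printf "%s:%d:%s\n", FILENAME, FNR, tok[i]
    }' "$@"
}

# Constructed sample: the ssl_protocols line from the nginx.conf above,
# next to a corrected one (TLSv1.3 assumes the nginx/OpenSSL build supports it).
sample_dir=$(mktemp -d)
printf '%s\n' 'http {' \
  '	ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE' \
  '}' > "$sample_dir/stock.conf"
printf '%s\n' 'http {' \
  '	ssl_protocols TLSv1.2 TLSv1.3;' \
  '}' > "$sample_dir/fixed.conf"

# Reports TLSv1 and TLSv1.1 on line 2 of stock.conf, nothing for fixed.conf.
find_deprecated_tls "$sample_dir/stock.conf" "$sample_dir/fixed.conf"
rm -rf "$sample_dir"
```

On the server, run find_deprecated_tls /etc/nginx/nginx.conf /etc/nginx/conf.d/*.conf, and after editing any flagged line re-run nginx -t before restarting the service.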

Linux

Ubuntu version

To install this certificate, we must first know the version of Ubuntu Linux that has been installed using lsb_release -a command.

This is a useful step to keep us on track. Use this information when searching Google for help, so that the content we find is relevant to this version.

root@user:~# lsb_release -a 
No LSB modules are available.
Distributor ID: Ubuntu
Description:    Ubuntu 18.04.3 LTS
Release:        18.04
Codename:       bionic

Now that you know the current server version (for example, Ubuntu 18.04), we can continue installing Let's Encrypt.

Let's Encrypt command

First, make sure all domains are properly configured on Nginx. Both yourdomain.com and www.yourdomain.com should be tested in your browser. If they do not load, go back to the Nginx configuration steps above.

Certbot

Then, install Certbot to automate the installation process. Add the new repository below.

If there’s a question or need confirmation, you’ll need to press ENTER to accept.

$ sudo add-apt-repository ppa:certbot/certbot
$ sudo apt install python-certbot-nginx

Finally, obtain an SSL certificate.

$ sudo certbot --nginx -d yourdomain.com -d www.yourdomain.com
Output
Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
-------------------------------------------------------------------------------
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
-------------------------------------------------------------------------------
Select the appropriate number [1-2] then [enter] (press 'c' to cancel):

I often choose 2 on the above screen. So when the user types a non-https URL in the browser, the server can redirect to https. Select your choice and press ENTER.

Output
IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/example.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/example.com/privkey.pem
   Your cert will expire on 2021-05-13. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot again
   with the "certonly" option. To non-interactively renew *all* of
   your certificates, run "certbot renew"
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

The above message tells us that the installation was successful. You can type your domain in the browser and see whether HTTPS is working.

Https is working as expected

At this moment, we don’t need to set up a firewall but just make sure everything is working as it should.

Renew certificate

Every 3 months we must renew this certificate, but don’t worry because certbot will do the process automatically.
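
Automatic renewal is worth monitoring, because a renewal job that fails silently only becomes visible when the certificate expires. The script below is an added example, not part of the original post: the function names are hypothetical, it needs GNU date, and it assumes certbot's default of attempting renewal once fewer than 30 days remain.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): detect a stalled automatic
# renewal from a certificate's expiry date. Requires GNU date.

# renewal_status "notAfter=May 13 12:00:00 2021 GMT" [now_epoch] [min_days]
# Prints "ok N", "overdue N" or "expired N"; N is whole days until expiry.
# min_days defaults to 21: certbot is assumed to renew at 30 days left, so
# fewer than 21 means scheduled renewal runs have been failing.
renewal_status() {
  local end=${1#notAfter=} now=${2:-$(date +%s)} min=${3:-21} end_s days
  end_s=$(date -u -d "$end" +%s) || return 2
  days=$(( (end_s - now) / 86400 ))
  if [ "$end_s" -le "$now" ]; then echo "expired $days"
  elif [ "$days" -lt "$min" ]; then echo "overdue $days"
  else echo "ok $days"; fi
}

# Usage on the server:
#   cert_renewal_status /etc/letsencrypt/live/<domain>/fullchain.pem
cert_renewal_status() {
  renewal_status "$(openssl x509 -enddate -noout -in "$1")"
}

# Constructed input: the expiry date from the certbot output above (the
# time of day is made up), evaluated at three fixed points in time.
for day in 2021-03-01 2021-05-01 2021-06-01; do
  printf '%s: ' "$day"
  renewal_status 'notAfter=May 13 12:00:00 2021 GMT' "$(date -u -d "$day" +%s)"
done
```

An "overdue" or "expired" result is the cue to run sudo certbot renew --dry-run and read its output for the failing step.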

Have you ever tried installing Let's Encrypt? Or have you ever tried to install it on a server behind a load balancer?
