Let’s Encrypt Free SSL Setup – Nginx (Ubuntu 18.04)


Let’s Encrypt Free SSL Setup – Nginx (Ubuntu 18.04)

Introduction

This quick tutorial will show you how to set up a free SSL certificate from Let’s Encrypt on an Ubuntu 18.04 server, running Nginx as a web server.

SSL (Secure Sockets Layer) is the standard security technology for establishing an encrypted link between a web server and a browser. This link ensures that all data passed between the web server and browsers remain private and integral.

Let’s Encrypt is a free, automated, and open Certificate Authority.

Step 1: Installing Let’s Encrypt Client

Let’s Encrypt certificates are fetched via client software (Certbot) running on your server.

sudo add-apt-repository ppa:certbot/certbot
sudo apt-get update
sudo apt-get install python-certbot-nginx

Step 2: Nginx configuration

Appropriate server block has to be present in Nginx configuration, in order for Certbot to find and configure SSL (specifically server_name):

. . .
server_name example.com www.example.com;
. . .

Don’t forget to check Nginx configuration Syntax:

sudo nginx -t

Also, you’ll need to reload Nginx:

sudo systemctl reload nginx

Step 3: Allowing HTTPS Through the Firewall (probably not needed)

The Uncomplicated Firewall (ufw) is a frontend for iptables and is particularly well-suited for host-based firewalls. By default, ufw is probably inactive. Therefore, we’ll check the status:

sudo ufw status

If active, you can let HTTPS traffic in like this:

sudo ufw allow 'Nginx Full'
sudo ufw delete allow 'Nginx HTTP'

Step 4: Obtaining Free SSL Certificate

Run certbot command in order to obtain a certificate:

sudo certbot --nginx -d example.com -d www.example.com

-d specifies the names we’d like the certificate to be valid for

Step 5 — Verifying Certbot Auto-Renewal

Let’s Encrypt’s certificates are only valid for 90 days. This will encourage users to automate their certificate renewal process. The certbot package we installed takes care of this for us by adding a renew script to /etc/cron.d. This script runs twice a day and will automatically renew any certificate that’s within thirty days of expiration.

sudo certbot renew –dry-run

Finally, If no errors, everything is ready.

Add another domain (Expand)

For additional VHosts, simply type:

certbot certonly --webroot -w /var/www/vhost/domain.com/ --expand -d domain.com,www.domain.com

List Let’s Encrypt Certificates

Simply by typing:

$ certbot certificates

Renew specific Let’s encrypt domain

Occasionally you’ll need to renew just specific domain. Use:

$ certbot renew --cert-name <certificate_name>

Renew ACMEv2 Issue

Another issue that might occur while trying to renew:

$ cerbot renew --dry-run
...
letsencrypt_certificate[elenx.net] (letsencrypt::http_authorization
 line 3) had an error: Acme::Client::Error::Unauthorized:
 acme_certificate[staging]
 (/etc/letsencrypt/resources/certificate.rb
 line 20) had an error: Acme::Client::Error::Unauthorized: Account
 creation on ACMEv1 is disabled. Please upgrade your ACME client to a
 version that supports ACMEv2 / RFC 8555. See
 https://community.letsencrypt.org/t/end-of-life-plan-for-acmev1/88430
 for details.

You’ll need to update the certbot packet

NO_PUBKEY Issue

You might also end up with:

Err:7 http://ppa.launchpad.net/certbot/certbot/ubuntu disco InRelease
   The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 8C47BE8E75BCA694
 Reading package lists… Done
 W: GPG error: http://ppa.launchpad.net/certbot/certbot/ubuntu disco InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 8C47BE8E75BCA695
 E: The repository 'http://ppa.launchpad.net/certbot/certbot/ubuntu disco InRelease' is not signed.
 N: Updating from such a repository can't be done securely, and is therefore disabled by default.
 N: See apt-secure(8) manpage for repository creation and user configuration details.

Not being able to update packages (apt-get update). Try:

$ sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 8C47BE8E75BCA695 (Use your key)

and run update again

Let’s encrypt 403 or Unauthorized

Most likely Apache/Nginx doesn’t allow access to Let’s encrypt .well-known folder. You migh end up with something like:

Domain: www.<domain>.com
Type:   unauthorized
Detail: Invalid response from
https://www.<domain>.com/.well-known/acme-challenge/sofLnv6tIMZV8bcpH4SCVwOjVwTAAS3uyArzaADPr00
[52.209.90.201]: "<html>\r\n<head><title>403
Forbidden</title></head>\r\n<body
bgcolor=\"white\">\r\n<center><h1>403
Forbidden</h1></center>\r\n<hr><center>"

Adjust location, e.g. Nginx:

location ~ /.well-known {
      allow all;
}

Don’t forget to restart nginx.