SSL Certificate with Let's Encrypt on Linux
Introduction
This is a really quick tutorial on how to add a free Let’s Encrypt certificate to your Debian 10 machine running in any environment.
Pre-requisites
Before starting this process, ensure you have the following available:
Access to the root account or sudo access
A domain name that you own and whose DNS records you control
An A or AAAA record for your chosen hostname in DNS, already propagated
Installing Certbot
Certbot is the certificate utility that creates the private key and certificate signing request, then answers the challenge Let’s Encrypt sends to the DNS name you set up above.
You can always grab the latest version of Certbot by adding the PPA below, but for this tutorial we are just going to use the existing packages in the official repo.
sudo add-apt-repository ppa:certbot/certbot
If you are using the PPA, ensure you run the below command after adding the PPA to your sources:
sudo apt update
Then it is time to install Certbot:
sudo apt install python-certbot-nginx certbot
Set up Nginx
Certbot can configure the certificate for Nginx automatically, but it needs to see the server name in the server block of your Nginx configuration. Here we will configure the basics required to set up the certificate.
First, empty the default server configuration with the following command (the shell performs the redirection before sudo runs, so the file is written through tee rather than with a plain redirect):
echo "" | sudo tee /etc/nginx/sites-available/default >/dev/null
Now edit that file with your favourite editor:
sudo vi /etc/nginx/sites-available/default
And add the following configuration:
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    # include snippets/snakeoil.conf;
    root /var/www/html;
    # Add index.php to the list if you are using PHP
    index index.html index.htm index.nginx-debian.html;
    server_name teamcity.carelynx.com.au;
    location / {
        # First attempt to serve request as file, then
        # as directory, then fall back to displaying a 404.
        try_files $uri $uri/ =404;
    }
}
Now restart Nginx to apply the configuration:
sudo systemctl restart nginx
Now ensure your firewall is configured to allow ports 80 and 443 through to the server. Because this is different for every environment, I am not going to cover it here. If in doubt, consult your Linux distro docs and/or the person who controls your network.
Getting your SSL Certificate
Now to the fun part! It is time to request our certificate.
Run the following command, substituting your own hostnames (they must match the server_name in your Nginx configuration, which is how the Nginx plugin locates the server block to modify):
sudo certbot --nginx -d ianbrown.id.au -d www.ianbrown.id.au
So long as everything succeeds, you should now be met with the following output:
Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
-------------------------------------------------------------------------------
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
-------------------------------------------------------------------------------
Select the appropriate number [1-2] then [enter] (press 'c' to cancel):
My advice is to select option 2 here so that all traffic is encrypted by default.
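The steps above (write the server block, reload Nginx, request the certificate, choose the redirect) can be collapsed into one script. The following is an added example, not part of the original tutorial: it validates each hostname before it reaches the Nginx configuration or the certbot command line, writes the config through tee, runs nginx -t before reloading, requests the certificate non-interactively with the redirect enabled (the equivalent of option 2 above), and finishes with a renewal dry run so a broken renewal is found now rather than in 90 days. The e-mail address is a placeholder; the config path is the one the tutorial uses; the certbot flags used (--nginx, --non-interactive, --agree-tos, --redirect, -m, -d, renew --dry-run) are real Certbot options.

```shell
#!/bin/sh
# Added example (not from the original tutorial): wraps the tutorial's steps
# into one script. Assumes nginx and certbot are installed as described above.
set -eu

SITE_CONF="/etc/nginx/sites-available/default"   # path used by the tutorial
ADMIN_EMAIL="admin@example.invalid"               # placeholder: renewal notices go here

# Accept only a well-formed lower-case DNS hostname (labels of 1-63 chars,
# letters/digits/hyphens, a TLD of letters). Anything else is rejected before
# it can be written into the Nginx config or passed to certbot.
validate_hostname() {
    printf '%s\n' "$1" | grep -Eq '^([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$'
}

# Print the minimal HTTP server block from the tutorial. All arguments become
# the server_name list (primary hostname first, aliases after it).
render_server_block() {
    cat <<EOF
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    root /var/www/html;
    index index.html index.htm index.nginx-debian.html;
    server_name $*;
    location / {
        try_files \$uri \$uri/ =404;
    }
}
EOF
}

# Write the config through tee (a plain "sudo echo > file" would redirect as
# the unprivileged user), check the syntax, and only then reload Nginx.
install_site_config() {
    render_server_block "$@" | sudo tee "$SITE_CONF" >/dev/null
    sudo nginx -t
    sudo systemctl reload nginx
}

# Request one certificate covering every hostname and enable the HTTP->HTTPS
# redirect (option 2 in the interactive prompt) without prompting.
request_certificate() {
    domain_args=""
    for h in "$@"; do
        domain_args="$domain_args -d $h"
    done
    # word splitting of $domain_args is intended: it holds "-d host -d host".
    sudo certbot --nginx --non-interactive --agree-tos --redirect \
        -m "$ADMIN_EMAIL" $domain_args
}

# Exercise the renewal path against the staging environment so a broken
# renewal is discovered now rather than when the certificate expires.
check_renewal() {
    sudo certbot renew --dry-run
}

main() {
    [ "$#" -ge 1 ] || { echo "usage: $0 --apply hostname [alias ...]" >&2; exit 2; }
    for h in "$@"; do
        validate_hostname "$h" || { echo "invalid hostname: $h" >&2; exit 1; }
    done
    install_site_config "$@"
    request_certificate "$@"
    check_renewal
}

# Only act when invoked with --apply so that sourcing the file for its
# functions has no side effects.
if [ "${1:-}" = "--apply" ]; then
    shift
    main "$@"
fi
```

Invoke it as ./letsencrypt-nginx.sh --apply example.com www.example.com (names are placeholders). Keeping the hostname check separate from the functions that touch the system means the script refuses malformed input before anything has been written to disk or sent to Let’s Encrypt.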
Summary
That is all there is to it! So simple!!
Let’s Encrypt certificates are only valid for 90 days, but certbot has you covered there as well. There is now a cronjob that runs every 12 hours to attempt to automatically renew your new SSL certificate!
I hope you all enjoyed this little tutorial and enjoy free certificates from now on.