SECURE NGINX WITH LET’S ENCRYPT

Sep 24, 2019

The problem we want to solve is enabling HTTPS on our websites or web applications without raising costs or installing extra dependencies directly on our host. We will do this by using Let’s Encrypt.

Let’s Encrypt is a non-profit certificate authority run by the Internet Security Research Group (ISRG) that provides X.509 certificates for Transport Layer Security (TLS) encryption at no charge. The certificate is valid for 90 days, during which renewal can take place at any time. The offer is accompanied by an automated process designed to replace the manual creation, validation, signing, installation, and renewal of certificates for secure websites.

GETTING STARTED

To follow this tutorial, you will need:

  • SSH access to the server where the website / web-app is hosted
  • An NGINX server configured to run on HTTP
  • A registered domain

STEP 1: POINTING DOMAIN NAME SETUP

First, we need to point the domain name at our host’s IP address. That is how we demonstrate control over the domain.

To do this, point the domain name at the host and configure the host to accept the incoming requests.

Here is an example of pointing domain names using the advanced DNS settings on Namecheap which is the domain registrar I use.

|----------+-------+-------------+-----------|
|   Type   |  Host |    Value    |    TTL    |
|----------+-------+-------------+-----------|
| A Record |   @   | (IPAddress) | Automatic |
|----------+-------+-------------+-----------|

STEP 2: MAKE SURE THE SYSTEM IS UP TO DATE

To do so, open a terminal window and SSH into your Pi. Once you are in, type the following commands:

$ sudo apt update
$ sudo apt upgrade -y

STEP 3: INSTALLING AND RUNNING LET’S ENCRYPT

Now we are ready to install Certbot. Type the following command:

$ sudo apt-get install certbot

With Certbot installed we can finally get an SSL certificate for our Raspberry Pi from Let’s Encrypt. Make sure /var/www/claudiobrt.com points to a working website directory that can be reached from the internet, and replace claudiobrt.com with your domain name.

$ sudo certbot certonly --webroot -w /var/www/claudiobrt.com -d claudiobrt.com

After running this command, you will be prompted to enter some details, such as your email address. These details are required for Let’s Encrypt to keep track of the certificates it provides and also allow them to contact you if any issues arise with the certificate.

Once you have filled out the required information, it will proceed to grab the certificate from Let’s Encrypt.

If you run into any issues, make sure you have a valid domain name pointing at your IP and that ports 80 and 443 are not blocked.

The certificates obtained by the Certbot client are stored in the following folder (again, swap claudiobrt.com for your own domain name):

/etc/letsencrypt/live/claudiobrt.com/ 

You will find both the full chain file (fullchain.pem) and the certificate’s private key file (privkey.pem) in this folder. Make sure you don’t allow others to access these files, as they are what keep your SSL connection secure and identify it as a legitimate connection.
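A quick way to verify that last point, as an added example that is not part of the original post: the function below checks that a key file is owned by root and readable by nobody else. It assumes the Certbot layout, where /etc/letsencrypt/live/<domain>/privkey.pem is a symlink into /etc/letsencrypt/archive/<domain>/, and GNU stat as shipped on Debian and Raspberry Pi OS.

```shell
#!/bin/sh
# Added example (not from the original post): check who can read a Let's Encrypt
# private key. live/<domain>/privkey.pem is a symlink into archive/<domain>/, so
# the real file behind the link is what is inspected (stat -L). GNU stat assumed.

# key_is_private FILE [OWNER]
# Exit 0 only if FILE is owned by OWNER (default root) and its mode grants
# nothing to group or others (0600 or 0400). Reports the reason otherwise.
key_is_private() {
    file=$1
    want_owner=${2:-root}
    [ -e "$file" ] || { echo "$file: missing" >&2; return 1; }
    mode=$(stat -L -c '%a' "$file") || return 1
    owner=$(stat -L -c '%U' "$file") || return 1
    # Keep the last two octal digits (group, other): 600 -> 00, 644 -> 44
    rest=$(printf '%s' "$mode" | sed 's/.*\(..\)$/\1/')
    if [ "$owner" != "$want_owner" ]; then
        echo "$file: owned by $owner, expected $want_owner" >&2
        return 1
    fi
    if [ "$rest" != "00" ]; then
        echo "$file: mode $mode is readable by group or others" >&2
        return 1
    fi
    return 0
}

# audit_domain DOMAIN: check the private key and the archive directory holding it.
audit_domain() {
    live=/etc/letsencrypt/live/$1
    key_is_private "$live/privkey.pem" || return 1
    # The directory must be private too, otherwise a lax file mode inside it
    # would be reachable by other local users.
    key_is_private "$(dirname "$(readlink -f "$live/privkey.pem")")" || return 1
    echo "$1: private key and archive directory are root-only"
}
```

Run `audit_domain claudiobrt.com` as root after Certbot has finished; a non-zero exit with a message on stderr tells you which path to fix with chown/chmod.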

STEP 4: SETTING NGINX CONFIGURATIONS

Begin by opening your NGINX configuration file. These are typically stored in /etc/nginx or /etc/nginx/sites-available.

Once you have found your configuration file, open it with your favorite text editor (mine is nano). Within the file, look for a text block like the one displayed below. Make sure you swap out claudiobrt.com with the domain name you are using.

server {
    listen 80 default_server;
    listen [::]:80 default_server;
    root /var/www/claudiobrt.com;

    index index.html;

    server_name claudiobrt.com;

    location / {
        autoindex on;
        try_files $uri $uri/ =404;
    }
}

We need to make some changes to this block. Follow the steps below and read the explanation of why each change is made.

Find

listen [::]:80 default_server;

Add Below

listen 443 ssl;

Find

server_name claudiobrt.com;

Add Below

ssl_certificate /etc/letsencrypt/live/claudiobrt.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/claudiobrt.com/privkey.pem;

This change tells NGINX where to find our certificate files. It will use these to set up the SSL/HTTPS connection.

The private key is what secures the actual connection. Only your server should be able to read this file, and it must be kept secure; otherwise, people could potentially intercept and decrypt your traffic.

The full chain contains all the information needed to talk to the server over HTTPS, as well as the information needed to verify that the certificate is legitimately signed.

With all those changes done, you should end up with something similar to what is displayed below. Of course, make sure you replace claudiobrt.com with your domain name.

server {
    listen 80 default_server;
    listen [::]:80 default_server;
    listen 443 ssl;
    root /var/www/claudiobrt.com;

    index index.html;

    server_name claudiobrt.com;

    ssl_certificate /etc/letsencrypt/live/claudiobrt.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/claudiobrt.com/privkey.pem;

    location / {
        autoindex on;
        try_files $uri $uri/ =404;
    }
}

Once you are satisfied that you have entered the new data correctly, save and quit the file, then reload NGINX so it loads the new configuration.

Before reloading the web server, it is advisable to check that there are no errors in the configuration file. We can do so with:

$ sudo nginx -t

If everything is OK, reload NGINX by typing the following command:

$ sudo nginx -s reload
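As an added example (not the original post’s configuration), the script below renders a hardened variant of the server block from Step 4 and reuses the post’s test-then-reload sequence. It keeps the post’s paths (/var/www/<domain>, /etc/letsencrypt/live/<domain>/) but, unlike the block above, redirects plain HTTP to HTTPS, disables TLS 1.0/1.1, sends HSTS and turns off autoindex; the domain and output file are arguments so it can be rendered anywhere before being copied into /etc/nginx.

```shell
#!/bin/sh
# Added example (not from the original post): render a hardened variant of the
# post's server block and reload NGINX only after `nginx -t` accepts it.
# Domain and output path are arguments; everything else follows the post's paths.

# render_site_config DOMAIN OUTFILE
render_site_config() {
    domain=$1
    out=$2
    cat > "$out" <<EOF
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name $domain;
    root /var/www/$domain;

    # Let certbot --webroot keep renewing; send every other request to HTTPS.
    location /.well-known/acme-challenge/ { }
    location / { return 301 https://\$host\$request_uri; }
}

server {
    listen 443 ssl default_server;
    listen [::]:443 ssl default_server;
    server_name $domain;
    root /var/www/$domain;
    index index.html;

    ssl_certificate     /etc/letsencrypt/live/$domain/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/$domain/privkey.pem;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers off;
    add_header Strict-Transport-Security "max-age=63072000" always;

    location / {
        autoindex off;   # the post's block had this on, exposing directory listings
        try_files \$uri \$uri/ =404;
    }
}
EOF
}

# apply_site_config: validate the whole NGINX configuration, then reload.
# A typo in the rendered file fails nginx -t and the running server is untouched.
apply_site_config() {
    sudo nginx -t && sudo nginx -s reload
}
```

Typical use: `render_site_config claudiobrt.com /etc/nginx/sites-available/claudiobrt.com` followed by `apply_site_config`.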

You should now have a fully operational HTTPS connection for your NGINX web server utilizing the certificate we generated with Let’s Encrypt.


:wq

Last updated 28 Sep. 2020. Built with Emacs 27.1 (Org mode 9.3.7).
