Adding SSL to an Nginx-served website using Certbot

Bhavyansh @ DiversePixel
2 min read, May 29, 2024


Secure Sockets Layer (SSL) certificates are essential for protecting your website visitors’ data and establishing trust. Certbot, a free and open-source tool, makes it easy to obtain and manage SSL certificates, especially when combined with the popular Nginx web server. This guide will walk you through the process of installing Certbot, obtaining and installing an SSL certificate, addressing potential errors, and setting up automatic renewal.

I used this information to deploy my Rails apps (Geeky, Tattle, and EventApp) with SSL certificates.


Step 1: Install Certbot

The easiest way to install Certbot on Ubuntu systems is using snap. Open your terminal and run the following commands:

sudo snap install --classic certbot
sudo ln -s /snap/bin/certbot /usr/bin/certbot

Step 2: Obtain and Install the Certificate

Run Certbot’s Nginx plugin with the following command:

sudo certbot --nginx

During this process, Certbot will:

  • Verify domain ownership: You’ll need to confirm you control the domain(s) you want to secure.
  • Choose which names to cover: You can have one certificate cover several names (e.g., www.yourdomain.com and yourdomain.com).
  • Automatically configure Nginx: Certbot will modify your Nginx configuration files to use the new certificate.

If Certbot encounters errors during installation, don’t worry! It will usually restore your original Nginx configuration.

(Optional) Enable Strong Encryption

Generate a 2048-bit Diffie-Hellman parameter file, which Nginx uses for DHE key exchange:

sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048

Add this line to your Nginx server block within the SSL settings:

ssl_dhparam /etc/ssl/certs/dhparam.pem;

Step 3: Addressing Installation Errors

The error “We were unable to install your certificate…” typically means a conflict in the existing Nginx configuration. Here’s how to fix it:

  1. Open your Nginx configuration file for the website (usually in /etc/nginx/sites-available/).
  2. Locate the server block that listens on port 443 (HTTPS).
  3. Replace the existing ssl_certificate, ssl_certificate_key, and any cipher settings with the following (adjusting the domain name):

     ssl_certificate /etc/letsencrypt/live/yourdomain.com/fullchain.pem;
     ssl_certificate_key /etc/letsencrypt/live/yourdomain.com/privkey.pem;
     include /etc/letsencrypt/options-ssl-nginx.conf;
     ssl_dhparam /etc/ssl/certs/dhparam.pem;

  4. Reload Nginx so the new configuration takes effect:

sudo nginx -s reload
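The conflict described in Step 3 is usually a leftover ssl_certificate line or a hand-written cipher list sitting next to Certbot's settings. As an added example (not part of the original post), this small Python checker reads an Nginx config, finds every server block listening on 443 and reports the directives that deviate from the Step 3 checklist; example.com and the backend port in the constructed sample are assumptions.

```python
import re

# Directive -> expected value in a Certbot-managed HTTPS server block (the post's Step 3).
REQUIRED = {
    "ssl_certificate": r"/etc/letsencrypt/live/[^/]+/fullchain\.pem",
    "ssl_certificate_key": r"/etc/letsencrypt/live/[^/]+/privkey\.pem",
    "include": r"/etc/letsencrypt/options-ssl-nginx\.conf",
    "ssl_dhparam": r"/etc/ssl/certs/dhparam\.pem",
}
OVERLAP = {"ssl_ciphers", "ssl_protocols", "ssl_prefer_server_ciphers"}  # options-ssl-nginx.conf sets these

def server_blocks(conf):
    text = re.sub(r"#[^\n]*", "", conf)  # drop comments, then walk braces to find each server body
    for m in re.finditer(r"\bserver\s*\{", text):
        depth, i = 1, m.end()
        while i < len(text) and depth:
            depth += {"{": 1, "}": -1}.get(text[i], 0)
            i += 1
        yield text[m.end():i - 1]

def directives(body):
    while re.search(r"\{[^{}]*\}", body):  # peel nested blocks (location, if ...) from the inside out
        body = re.sub(r"[^;{}]*\{[^{}]*\}", "", body)
    pairs = [d.split(None, 1) for d in body.split(";") if d.strip()]
    return [(p[0], p[1].strip() if len(p) > 1 else "") for p in pairs]

def audit(conf):
    report = {}  # server_name -> problems for each block listening on 443 (empty list = OK)
    for body in server_blocks(conf):
        seen = {}
        for name, args in directives(body):
            seen.setdefault(name, []).append(args)
        if not any("443" in a for a in seen.get("listen", [])):
            continue
        problems = [f"missing {n}" for n, pat in REQUIRED.items()
                    if not any(re.fullmatch(pat, v) for v in seen.get(n, []))]
        problems += [f"duplicate {n}" for n in REQUIRED
                     if n != "include" and len(seen.get(n, [])) > 1]
        problems += [f"conflicting {d}" for d in OVERLAP if d in seen]
        report[seen.get("server_name", ["?"])[0]] = problems
    return report

# Constructed sample: a stale self-signed cert line and a hand-rolled cipher list next to Certbot's paths.
SAMPLE = """
server { listen 443 ssl; server_name example.com;
    ssl_certificate /etc/ssl/old-selfsigned.crt;
    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
    ssl_ciphers HIGH:!aNULL;
    location / { proxy_pass http://127.0.0.1:3000; } }
"""
```

Running audit(SAMPLE) lists the duplicate ssl_certificate, the conflicting ssl_ciphers, and the missing include and ssl_dhparam lines; an empty list for a name means the block matches Step 3.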

Step 4: Automatic Renewal

Let’s Encrypt certificates expire after 90 days. To automate renewal, edit the crontab:

sudo crontab -e

Add the following line to run the renewal script every Monday at 2:30 AM:

30 2 * * 1 /usr/bin/certbot renew

Important Note: Ensure the path to the certbot command in the crontab line matches the actual location on your system.

Key Points

  • Strong Ciphers: Prioritize strong encryption settings for maximum security.
  • Regular Renewal: Automating renewal ensures your site remains secure without manual intervention.
  • Firewall Configuration: Make sure your firewall allows incoming HTTPS traffic (port 443).
