How to Install Let's Encrypt Certificates With Certbot in Ubuntu

by Janeth Kent Date: 09-05-2020 ubuntu linux ssl certbot letsencrypt


In this article we explain how to install, manage and configure a Let's Encrypt SSL certificate on an NGINX server used as a proxy. The certificate is free, but it does not come with any guarantee and has to be renewed every 3 months.
We recommend that users with shell access use the ACME client called Certbot. It can automate the issuance and installation of certificates with zero downtime. It also has expert modes for people who do not want automatic configuration. It's easy to use, works on many operating systems, and has great documentation.

Certbot Installation and NGINX configuration

Install Certbot's Nginx package with apt-get, then request a certificate for the site (webroot authenticator, nginx installer):

sudo apt-get install python-certbot-nginx
sudo certbot -i nginx -a webroot -w /var/www/mysite.org -d www.mysite.org

Edit the nginx config file /etc/nginx/sites-available/default:

server {
        listen 443 ssl;

        # server_name and the certificate paths must match the name passed to certbot with -d
        server_name www.mysite.org;
        ssl_certificate /etc/letsencrypt/live/www.mysite.org/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/www.mysite.org/privkey.pem;

        location / {
            proxy_pass http://127.0.0.1:80;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto https;
            proxy_set_header X-Forwarded-Port 443;
            proxy_set_header Host $host;
        }

        # TLS 1.0 and 1.1 are deprecated (RFC 8996); TLSv1.3 needs nginx 1.13.0+ with OpenSSL 1.1.1+
        ssl_protocols TLSv1.2 TLSv1.3;
}

NGINX reverse proxy with multiple SSL domains

To have NGINX resolve multiple domain names to independent proxies, you need to set up a server block for each domain that you are using:

server {
        listen 443 ssl;

        server_name www.site1.com;
        ssl_certificate /etc/letsencrypt/live/www.site1.com/fullchain.pem; # managed by Certbot
        ssl_certificate_key /etc/letsencrypt/live/www.site1.com/privkey.pem; # managed by Certbot

        location / {
            proxy_pass http://127.0.0.1:80;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto https;
            proxy_set_header X-Forwarded-Port 443;
            proxy_set_header Host $host;
        }

        # TLS 1.0 and 1.1 are deprecated (RFC 8996); TLSv1.3 needs nginx 1.13.0+ with OpenSSL 1.1.1+
        ssl_protocols TLSv1.2 TLSv1.3;
}

server {
        listen 443 ssl;

        server_name admin.site2.com;
        ssl_certificate /etc/letsencrypt/live/admin.site2.com/fullchain.pem; # managed by Certbot
        ssl_certificate_key /etc/letsencrypt/live/admin.site2.com/privkey.pem; # managed by Certbot

        location / {
            proxy_pass http://127.0.0.1:80;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto https;
            proxy_set_header X-Forwarded-Port 443;
            proxy_set_header Host $host;
        }

        # TLS 1.0 and 1.1 are deprecated (RFC 8996); TLSv1.3 needs nginx 1.13.0+ with OpenSSL 1.1.1+
        ssl_protocols TLSv1.2 TLSv1.3;
}
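
A consistency check for the per-domain server blocks above, as an added example that is not part of the original article: it reads an NGINX site file and reports any server block whose ssl_certificate or ssl_certificate_key path points at a /etc/letsencrypt/live/ directory other than its server_name. The function names and the sample configuration are constructed for illustration, and the check assumes one certificate per domain, as in the blocks above.

```shell
#!/bin/sh
# Added example: flag server blocks whose certificate files come from a
# Let's Encrypt lineage directory that does not match server_name.
# Assumption: one certificate per domain, stored in /etc/letsencrypt/live/<domain>/.

check_cert_paths() {   # reads nginx config from files given as arguments, or stdin
    awk '
    function lineage(path,    p, n, i) {          # directory name after "live/"
        n = split(path, p, "/")
        for (i = 1; i < n; i++) if (p[i] == "live") return p[i + 1]
        return ""
    }
    function report() {
        if (cert == "" && key == "") return       # block without TLS: nothing to check
        if (lineage(cert) == name && lineage(key) == name) print "OK " name
        else { print "MISMATCH " name ": " cert " " key; bad = 1 }
    }
    {
        sub(/#.*/, ""); gsub(/;/, "")             # drop comments and semicolons
        if ($1 == "server" && !in_srv) { in_srv = 1; start = depth; name = cert = key = "" }
        if ($1 == "server_name")         name = $2   # first name only
        if ($1 == "ssl_certificate")     cert = $2
        if ($1 == "ssl_certificate_key") key  = $2
        opens = gsub(/[{]/, "{"); closes = gsub(/[}]/, "}")
        depth += opens - closes                   # track brace nesting
        if (in_srv && closes > 0 && depth == start) { report(); in_srv = 0 }
    }
    END { exit bad + 0 }' "$@"
}

sample_config() {      # constructed sample: second block reuses the first block's files
    cat <<'EOF'
server {
    listen 443 ssl;
    server_name www.site1.com;
    ssl_certificate /etc/letsencrypt/live/www.site1.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/www.site1.com/privkey.pem; # managed by Certbot
    location / { proxy_pass http://127.0.0.1:80; }
}
server {
    listen 443 ssl;
    server_name admin.site2.com;
    ssl_certificate /etc/letsencrypt/live/www.site1.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/www.site1.com/privkey.pem;
}
EOF
}

sample_config | check_cert_paths || echo "fix the MISMATCH blocks before reloading nginx"
```

To check the real file, run check_cert_paths /etc/nginx/sites-available/default before reloading NGINX.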

Now you can test the certificate renewal:

certbot renew --dry-run


Next, we want the certificate to renew automatically every 3 months, so we add a cron job on the server that checks every day whether the certificates are still valid.

First, create a file /root/letsencrypt.sh:

#!/bin/bash
# Reload NGINX so it picks up the renewed certificate
systemctl reload nginx

Then make it executable:

chmod +x /root/letsencrypt.sh


Edit cron:

sudo crontab -e

Then add the renewal command to the crontab with this line:

20 3 * * * certbot renew --noninteractive --renew-hook /root/letsencrypt.sh

Command to Delete Certbot Certificate

If you want to delete a certificate of a site, a feature exists to perform the deletion automatically for you. This command will offer an index from which you can select the domain name to delete:

sudo certbot delete

Type the index number of the domain name's certificate you want to delete and press Enter. The issued certificate will then be deleted.

 