In this article we will explain how to install, manage and configure a Let's Encrypt SSL certificate on an NGINX server used as a proxy. This certificate is free but does not offer any guarantee and has to be renewed every 3 months.
We recommend that users with shell access use the ACME client called Certbot. This can automate the issuance and installation of certificates with zero downtime. It also has expert modes for people who do not want to self-configure. It's easy to use, works on many operating systems, and has great documentation.
Certbot Installation and NGINX configuration
Install Certbot's Nginx package with apt-get:
sudo apt-get install python-certbot-nginx
Then request the certificate, using the webroot authenticator (-a) and the nginx installer (-i):
sudo certbot -i nginx -a webroot -w /var/www/mysite.org -d www.mysite.org
Edit the nginx config file /etc/nginx/sites-available/default:
server {
    listen 443 ssl;
    server_name www.mysite.org;
    # Certbot stores the certificate under the first -d name it was requested for
    ssl_certificate /etc/letsencrypt/live/www.mysite.org/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/www.mysite.org/privkey.pem;
    location / {
        proxy_pass http://127.0.0.1:80;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
        proxy_set_header X-Forwarded-Port 443;
        proxy_set_header Host $host;
    }
    # TLS 1.0 and 1.1 are deprecated (RFC 8996); TLSv1.3 needs nginx 1.13.0+ built with OpenSSL 1.1.1+
    ssl_protocols TLSv1.2 TLSv1.3;
}
Nginx reverse proxy with multiple ssl domains
In order to have NGINX resolve multiple domain names to independent proxies, you will need to set up a server block for each domain that you are using:
server {
    listen 443 ssl;
    server_name www.site1.com;
    ssl_certificate /etc/letsencrypt/live/www.site1.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/www.site1.com/privkey.pem; # managed by Certbot
    location / {
        proxy_pass http://127.0.0.1:80;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
        proxy_set_header X-Forwarded-Port 443;
        proxy_set_header Host $host;
    }
    # TLS 1.0 and 1.1 are deprecated (RFC 8996); TLSv1.3 needs nginx 1.13.0+ built with OpenSSL 1.1.1+
    ssl_protocols TLSv1.2 TLSv1.3;
}
server {
    listen 443 ssl;
    server_name admin.site2.com;
    ssl_certificate /etc/letsencrypt/live/admin.site2.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/admin.site2.com/privkey.pem; # managed by Certbot
    location / {
        proxy_pass http://127.0.0.1:80;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
        proxy_set_header X-Forwarded-Port 443;
        proxy_set_header Host $host;
    }
    ssl_protocols TLSv1.2 TLSv1.3;
}
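A consistency check for per-domain server blocks like the ones above, as an added example that is not part of the original article: it flags any `listen ... ssl` block that enables deprecated protocol versions or whose certificate path sits under another domain's /etc/letsencrypt/live/ directory. The brace-matching parser is simplified, SAMPLE is constructed, and the one-certificate-per-server_name rule is an assumption matching this page's setup (a certificate covering several names would be reported too).

```python
import re
DEPRECATED = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}

# Constructed sample; the second block deliberately reuses site1's certificate.
SAMPLE = """
server {
    listen 443 ssl;
    server_name www.site1.com;
    ssl_certificate /etc/letsencrypt/live/www.site1.com/fullchain.pem; # managed by Certbot
    location / { proxy_pass http://127.0.0.1:80; }
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
}
server {
    listen 443 ssl;
    server_name admin.site2.com;
    ssl_certificate /etc/letsencrypt/live/www.site1.com/fullchain.pem;
    ssl_protocols TLSv1.2 TLSv1.3;
}
"""

def server_blocks(conf):
    """Yield the body of each server { ... } block, matching nested braces."""
    conf = re.sub(r"#[^\n]*", "", conf)          # drop comments
    for m in re.finditer(r"\bserver\s*\{", conf):
        depth, i = 1, m.end()
        while depth and i < len(conf):
            depth += {"{": 1, "}": -1}.get(conf[i], 0)
            i += 1
        yield conf[m.end():i - 1]

def directive(block, name):
    m = re.search(r"(?:^|[;{}\s])%s\s+([^;]+);" % re.escape(name), block)
    return m.group(1).split() if m else []       # arguments of the first match

def audit(conf):
    """Return (server_name, finding) pairs for every `listen ... ssl` block."""
    findings = []
    for block in server_blocks(conf):
        names = directive(block, "server_name") or ["(unnamed)"]
        if "ssl" not in directive(block, "listen"):
            continue
        weak = sorted(DEPRECATED & set(directive(block, "ssl_protocols")))
        if weak:
            findings.append((names[0], "deprecated protocols: " + " ".join(weak)))
        for key in ("ssl_certificate", "ssl_certificate_key"):
            m = re.match(r"/etc/letsencrypt/live/([^/]+)/", "".join(directive(block, key)))
            if m and m.group(1) not in names:
                findings.append((names[0], key + " points at live/" + m.group(1)))
    return findings
```

Run `audit()` on the contents of /etc/nginx/sites-available/default after adding a domain; a block without its own `ssl_protocols` line inherits the setting from the enclosing context and is not flagged here.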
Now you can test certificate renewal:
certbot renew --dry-run
Now we want the certificate to renew automatically every 3 months, so we are going to add a cron job on the server that checks every day whether the certificates are valid.
First create a file /root/letsencrypt.sh:
#!/bin/bash
systemctl reload nginx
Then make it executable:
chmod +x /root/letsencrypt.sh
Edit cron:
sudo crontab -e
And add the executable to cronjob with the line:
20 3 * * * certbot renew --noninteractive --renew-hook /root/letsencrypt.sh
Command to Delete Certbot Certificate
If you want to delete a certificate of a site, a feature exists to perform the deletion automatically for you. This command will offer an index from which you can select the domain name to delete:
sudo certbot delete
Type the index number of the domain name’s certificate you want to delete and press enter. The issued certificate will then be deleted.
Janeth Kent
Fine Arts graduate and programmer by passion. When I have some time I retouch photos, edit videos and design things. The rest of the time I write for MA-NO WEB DESIGN AND DEVELOPMENT.