[{"data":1,"prerenderedAt":677},["ShallowReactive",2],{"article-let-s-encrypt-with-nginx":3,"authors":661},{"id":4,"title":5,"author":6,"body":7,"date":652,"description":653,"extension":654,"meta":655,"navigation":173,"path":656,"seo":657,"stem":658,"thumbnail":659,"__hash__":660},"article\u002Farticle\u002Flet-s-encrypt-with-nginx.md","Let’s Encrypt with Nginx","ashwin",{"type":8,"value":9,"toc":645},"minimark",[10,15,33,36,39,43,51,86,89,107,110,114,124,127,133,148,151,209,212,215,230,233,250,253,290,296,299,302,305,393,401,407,411,414,428,434,449,452,477,482,485,513,515,517,529,531,545,548,552,555,558,570,577,580,583,586,601,604,624,626,629,632,635,638,641],[11,12,14],"h2",{"id":13},"introduction","Introduction",[16,17,18,19,26,27,32],"p",{},"Let’s see how to secure ",[20,21,22],"strong",{},[23,24,25],"em",{},"Nginx"," with ",[20,28,29],{},[23,30,31],{},"Let’s Encrypt"," on Ubuntu 14.04+.",[16,34,35],{},"Let’s Encrypt is a new Certificate Authority (CA) that provides an easy way to obtain and install free TLS\u002FSSL certificates, thereby enabling encrypted HTTPS on web servers.",[37,38],"br",{},[11,40,42],{"id":41},"step-1-install-lets-encrypt-client","Step 1 - Install Let’s Encrypt Client",[16,44,45,46,50],{},"Install the ",[47,48,49],"code",{},"certbot-auto"," software on your server.",[52,53,58],"pre",{"className":54,"code":55,"language":56,"meta":57,"style":57},"language-bash shiki shiki-themes material-theme-darker","cd \u002Fusr\u002Flocal\u002Fsbin\nsudo wget https:\u002F\u002Fdl.eff.org\u002Fcertbot-auto\n","bash","",[47,59,60,73],{"__ignoreMap":57},[61,62,65,69],"span",{"class":63,"line":64},"line",1,[61,66,68],{"class":67},"sdLwU","cd",[61,70,72],{"class":71},"sfyAc"," \u002Fusr\u002Flocal\u002Fsbin\n",[61,74,76,80,83],{"class":63,"line":75},2,[61,77,79],{"class":78},"s5Dmg","sudo",[61,81,82],{"class":71}," wget",[61,84,85],{"class":71}," https:\u002F\u002Fdl.eff.org\u002Fcertbot-auto\n",[16,87,88],{},"Make it executable by 
typing:",[52,90,92],{"className":54,"code":91,"language":56,"meta":57,"style":57},"sudo chmod a+x \u002Fusr\u002Flocal\u002Fsbin\u002Fcertbot-auto\n",[47,93,94],{"__ignoreMap":57},[61,95,96,98,101,104],{"class":63,"line":64},[61,97,79],{"class":78},[61,99,100],{"class":71}," chmod",[61,102,103],{"class":71}," a+x",[61,105,106],{"class":71}," \u002Fusr\u002Flocal\u002Fsbin\u002Fcertbot-auto\n",[16,108,109],{},"Certbot client is now ready for use.",[11,111,113],{"id":112},"step-2-obtain-certificate","Step 2 - Obtain Certificate",[16,115,116,117,120,121,123],{},"We’ll see how to use the Webroot plugin to obtain an SSL certificate. The Webroot plugin works by placing a special file in the ",[47,118,119],{},"\u002F.well-known"," directory within your document root, which can be opened (through your web server) by the Let's Encrypt client for validation. Depending on your configuration, you may need to explicitly allow access to the ",[47,122,119],{}," directory.",[16,125,126],{},"To ensure that the directory is accessible to certbot-auto for validation, let's make a quick change to our Nginx configuration.",[16,128,129,130],{},"By default it’s located at ",[47,131,132],{},"\u002Fetc\u002Fnginx\u002Fsites-available\u002Fdefault",[52,134,136],{"className":54,"code":135,"language":56,"meta":57,"style":57},"sudo vi \u002Fetc\u002Fnginx\u002Fsites-available\u002Fdefault\n",[47,137,138],{"__ignoreMap":57},[61,139,140,142,145],{"class":63,"line":64},[61,141,79],{"class":78},[61,143,144],{"class":71}," vi",[61,146,147],{"class":71}," \u002Fetc\u002Fnginx\u002Fsites-available\u002Fdefault\n",[16,149,150],{},"Inside the server block, add this location block:",[52,152,156],{"className":153,"code":154,"language":155,"meta":57,"style":57},"language-javascript shiki shiki-themes material-theme-darker","server {\n  . . .\n\n  location ~ \u002F.well-known {\n    allow all;\n  }\n\n  . . 
.\n}\n","javascript",[47,157,158,163,168,175,181,187,193,198,203],{"__ignoreMap":57},[61,159,160],{"class":63,"line":64},[61,161,162],{},"server {\n",[61,164,165],{"class":63,"line":75},[61,166,167],{},"  . . .\n",[61,169,171],{"class":63,"line":170},3,[61,172,174],{"emptyLinePlaceholder":173},true,"\n",[61,176,178],{"class":63,"line":177},4,[61,179,180],{},"  location ~ \u002F.well-known {\n",[61,182,184],{"class":63,"line":183},5,[61,185,186],{},"    allow all;\n",[61,188,190],{"class":63,"line":189},6,[61,191,192],{},"  }\n",[61,194,196],{"class":63,"line":195},7,[61,197,174],{"emptyLinePlaceholder":173},[61,199,201],{"class":63,"line":200},8,[61,202,167],{},[61,204,206],{"class":63,"line":205},9,[61,207,208],{},"}\n",[16,210,211],{},"Save and exit.",[16,213,214],{},"Check the configuration file for syntax errors:",[52,216,218],{"className":54,"code":217,"language":56,"meta":57,"style":57},"sudo nginx -t\n",[47,219,220],{"__ignoreMap":57},[61,221,222,224,227],{"class":63,"line":64},[61,223,79],{"class":78},[61,225,226],{"class":71}," nginx",[61,228,229],{"class":71}," -t\n",[16,231,232],{},"If all is well, restart Nginx with this command:",[52,234,236],{"className":54,"code":235,"language":56,"meta":57,"style":57},"sudo service nginx restart\n",[47,237,238],{"__ignoreMap":57},[61,239,240,242,245,247],{"class":63,"line":64},[61,241,79],{"class":78},[61,243,244],{"class":71}," service",[61,246,226],{"class":71},[61,248,249],{"class":71}," restart\n",[16,251,252],{},"Now we can use the Webroot plugin to request an SSL certificate with these commands.",[52,254,258],{"className":255,"code":256,"language":257,"meta":57,"style":57},"language-shell shiki shiki-themes material-theme-darker","sudo certbot-auto certonly -a webroot --webroot-path=\u002Fusr\u002Fshare\u002Fnginx\u002Fhtml -d example.com -d 
www.example.com\n","shell",[47,259,260],{"__ignoreMap":57},[61,261,262,264,267,270,273,276,279,282,285,287],{"class":63,"line":64},[61,263,79],{"class":78},[61,265,266],{"class":71}," certbot-auto",[61,268,269],{"class":71}," certonly",[61,271,272],{"class":71}," -a",[61,274,275],{"class":71}," webroot",[61,277,278],{"class":71}," --webroot-path=\u002Fusr\u002Fshare\u002Fnginx\u002Fhtml",[61,280,281],{"class":71}," -d",[61,283,284],{"class":71}," example.com",[61,286,281],{"class":71},[61,288,289],{"class":71}," www.example.com\n",[291,292,293],"blockquote",{},[16,294,295],{},"(replace example.com with your domain name, duh!)",[16,297,298],{},"If you are using certbot for the first time you will be prompted for some information.",[16,300,301],{},"The initial prompt asks for your email address; then you must agree to the Let’s Encrypt Subscriber Agreement (select Agree).",[16,303,304],{},"If everything was successful, you should see an output message that looks something like this:",[52,306,310],{"className":307,"code":308,"language":309,"meta":57,"style":57},"language-jsdoc shiki shiki-themes material-theme-darker","IMPORTANT NOTES:\n - If you lose your account credentials, you can recover through\n   e-mails sent to sammy@digitalocean.com\n - Congratulations! Your certificate and chain have been saved at\n   \u002Fetc\u002Fletsencrypt\u002Flive\u002Fexample.com\u002Ffullchain.pem. Your\n   cert will expire on 2016-03-15. To obtain a new version of the\n   certificate in the future, simply run Let's Encrypt again.\n - Your account credentials have been saved in your Let's Encrypt\n   configuration directory at \u002Fetc\u002Fletsencrypt. You should make a\n   secure backup of this folder now. 
This configuration directory will\n   also contain certificates and private keys obtained by Let's\n   Encrypt so making regular backups of this folder is ideal.\n - If like Let's Encrypt, please consider supporting our work by:\n   Donating to ISRG \u002F Let's Encrypt:   https:\u002F\u002Fletsencrypt.org\u002Fdonate\n   Donating to EFF:                    https:\u002F\u002Feff.org\u002Fdonate-le\n","jsdoc",[47,311,312,317,322,327,332,337,342,347,352,357,363,369,375,381,387],{"__ignoreMap":57},[61,313,314],{"class":63,"line":64},[61,315,316],{},"IMPORTANT NOTES:\n",[61,318,319],{"class":63,"line":75},[61,320,321],{}," - If you lose your account credentials, you can recover through\n",[61,323,324],{"class":63,"line":170},[61,325,326],{},"   e-mails sent to sammy@digitalocean.com\n",[61,328,329],{"class":63,"line":177},[61,330,331],{}," - Congratulations! Your certificate and chain have been saved at\n",[61,333,334],{"class":63,"line":183},[61,335,336],{},"   \u002Fetc\u002Fletsencrypt\u002Flive\u002Fexample.com\u002Ffullchain.pem. Your\n",[61,338,339],{"class":63,"line":189},[61,340,341],{},"   cert will expire on 2016-03-15. To obtain a new version of the\n",[61,343,344],{"class":63,"line":195},[61,345,346],{},"   certificate in the future, simply run Let's Encrypt again.\n",[61,348,349],{"class":63,"line":200},[61,350,351],{}," - Your account credentials have been saved in your Let's Encrypt\n",[61,353,354],{"class":63,"line":205},[61,355,356],{},"   configuration directory at \u002Fetc\u002Fletsencrypt. You should make a\n",[61,358,360],{"class":63,"line":359},10,[61,361,362],{},"   secure backup of this folder now. 
This configuration directory will\n",[61,364,366],{"class":63,"line":365},11,[61,367,368],{},"   also contain certificates and private keys obtained by Let's\n",[61,370,372],{"class":63,"line":371},12,[61,373,374],{},"   Encrypt so making regular backups of this folder is ideal.\n",[61,376,378],{"class":63,"line":377},13,[61,379,380],{}," - If like Let's Encrypt, please consider supporting our work by:\n",[61,382,384],{"class":63,"line":383},14,[61,385,386],{},"   Donating to ISRG \u002F Let's Encrypt:   https:\u002F\u002Fletsencrypt.org\u002Fdonate\n",[61,388,390],{"class":63,"line":389},15,[61,391,392],{},"   Donating to EFF:                    https:\u002F\u002Feff.org\u002Fdonate-le\n",[291,394,395],{},[16,396,397,400],{},[20,398,399],{},"Firewall Note:"," If you receive an error like \"Failed to connect to host\" for DVSNI challenge, your server's firewall may need to be configured to allow TCP traffic on port 80 and 443.",[16,402,403,406],{},[20,404,405],{},"Note:"," If your domain is routing through a DNS service like CloudFlare, you will need to temporarily disable it until you have obtained the certificate.",[11,408,410],{"id":409},"step-3-configure-tlsssl-on-web-server-nginx","Step 3 - Configure TLS\u002FSSL on Web Server (Nginx)",[16,412,413],{},"Now we need to configure Nginx web server to use the SSL Certificate.",[52,415,417],{"className":54,"code":416,"language":56,"meta":57,"style":57},"sudo nano \u002Fetc\u002Fnginx\u002Fsites-available\u002Fdefault\n",[47,418,419],{"__ignoreMap":57},[61,420,421,423,426],{"class":63,"line":64},[61,422,79],{"class":78},[61,424,425],{"class":71}," nano",[61,427,147],{"class":71},[16,429,430,433],{},[20,431,432],{},"Comment"," out the below lines:",[52,435,437],{"className":153,"code":436,"language":155,"meta":57,"style":57},"listen 80 default_server;\nlisten [::]:80 default_server ipv6only=on;\n",[47,438,439,444],{"__ignoreMap":57},[61,440,441],{"class":63,"line":64},[61,442,443],{},"listen 80 
default_server;\n",[61,445,446],{"class":63,"line":75},[61,447,448],{},"listen [::]:80 default_server ipv6only=on;\n",[16,450,451],{},"Now let’s configure this server block to listen on port 443 with SSL enabled instead.",[52,453,455],{"className":153,"code":454,"language":155,"meta":57,"style":57},"listen 443 ssl;\nserver_name example.com www.example.com;\nssl_certificate \u002Fetc\u002Fletsencrypt\u002Flive\u002Fexample.com\u002Ffullchain.pem;\nssl_certificate_key \u002Fetc\u002Fletsencrypt\u002Flive\u002Fexample.com\u002Fprivkey.pem;\n",[47,456,457,462,467,472],{"__ignoreMap":57},[61,458,459],{"class":63,"line":64},[61,460,461],{},"listen 443 ssl;\n",[61,463,464],{"class":63,"line":75},[61,465,466],{},"server_name example.com www.example.com;\n",[61,468,469],{"class":63,"line":170},[61,470,471],{},"ssl_certificate \u002Fetc\u002Fletsencrypt\u002Flive\u002Fexample.com\u002Ffullchain.pem;\n",[61,473,474],{"class":63,"line":177},[61,475,476],{},"ssl_certificate_key \u002Fetc\u002Fletsencrypt\u002Flive\u002Fexample.com\u002Fprivkey.pem;\n",[291,478,479],{},[16,480,481],{},"(again, replace example.com with your domain name)",[16,483,484],{},"Lastly, outside of the original server block (that is listening on HTTPS, port 443), add this server block to redirect HTTP (port 80) to HTTPS. 
Be sure to replace example.com with your own domain name.",[52,486,488],{"className":153,"code":487,"language":155,"meta":57,"style":57},"server {\n  listen 80;\n  server_name example.com www.example.com;\n  return 301 https:\u002F\u002F$host$request_uri;\n}\n",[47,489,490,494,499,504,509],{"__ignoreMap":57},[61,491,492],{"class":63,"line":64},[61,493,162],{},[61,495,496],{"class":63,"line":75},[61,497,498],{},"  listen 80;\n",[61,500,501],{"class":63,"line":170},[61,502,503],{},"  server_name example.com www.example.com;\n",[61,505,506],{"class":63,"line":177},[61,507,508],{},"  return 301 https:\u002F\u002F$host$request_uri;\n",[61,510,511],{"class":63,"line":183},[61,512,208],{},[16,514,211],{},[16,516,214],{},[52,518,519],{"className":54,"code":217,"language":56,"meta":57,"style":57},[47,520,521],{"__ignoreMap":57},[61,522,523,525,527],{"class":63,"line":64},[61,524,79],{"class":78},[61,526,226],{"class":71},[61,528,229],{"class":71},[16,530,232],{},[52,532,533],{"className":54,"code":235,"language":56,"meta":57,"style":57},[47,534,535],{"__ignoreMap":57},[61,536,537,539,541,543],{"class":63,"line":64},[61,538,79],{"class":78},[61,540,244],{"class":71},[61,542,226],{"class":71},[61,544,249],{"class":71},[16,546,547],{},"The Let’s Encrypt TLS\u002FSSL certificate is now in place. 
At this point, you should test that the TLS\u002FSSL certificate works by visiting your domain via HTTPS in a web browser.",[11,549,551],{"id":550},"step-4-set-up-auto-renewal","Step 4 - Set Up Auto Renewal",[16,553,554],{},"Let’s Encrypt certificates are valid for 90 days, but it’s recommended that you renew the certificates every 60 days to allow a margin of error.",[16,556,557],{},"To trigger the renewal process for all installed domains, run this command:",[52,559,561],{"className":54,"code":560,"language":56,"meta":57,"style":57},"certbot-auto renew\n",[47,562,563],{"__ignoreMap":57},[61,564,565,567],{"class":63,"line":64},[61,566,49],{"class":78},[61,568,569],{"class":71}," renew\n",[16,571,572,573,576],{},"It will only work if your certificate has expired else it would show — ** ",[47,574,575],{},"No renewals were attempted","**",[16,578,579],{},"A practical way to ensure your certificates won’t get outdated is to create a cron job that will periodically execute the automatic renewal command for you.",[16,581,582],{},"The renewal first checks for the expiration date and only executes the renewal if the certificate is less than 30 days away from expiration, hence it is safe to create a cron job that runs every week or even every day, for instance.",[16,584,585],{},"Let’s edit the crontab to create a new job that will run the renewal command every week. 
To edit the crontab for the root user, run:",[52,587,589],{"className":54,"code":588,"language":56,"meta":57,"style":57},"sudo crontab -e\n",[47,590,591],{"__ignoreMap":57},[61,592,593,595,598],{"class":63,"line":64},[61,594,79],{"class":78},[61,596,597],{"class":71}," crontab",[61,599,600],{"class":71}," -e\n",[16,602,603],{},"Add these lines:",[52,605,607],{"className":153,"code":606,"language":155,"meta":57,"style":57},"#crontab entry\n30 2 * * 1 \u002Fusr\u002Flocal\u002Fsbin\u002Fcertbot-auto renew >> \u002Fvar\u002Flog\u002Fle-renew.log\n35 2 * * 1 \u002Fetc\u002Finit.d\u002Fnginx reload\n",[47,608,609,614,619],{"__ignoreMap":57},[61,610,611],{"class":63,"line":64},[61,612,613],{},"#crontab entry\n",[61,615,616],{"class":63,"line":75},[61,617,618],{},"30 2 * * 1 \u002Fusr\u002Flocal\u002Fsbin\u002Fcertbot-auto renew >> \u002Fvar\u002Flog\u002Fle-renew.log\n",[61,620,621],{"class":63,"line":170},[61,622,623],{},"35 2 * * 1 \u002Fetc\u002Finit.d\u002Fnginx reload\n",[16,625,211],{},[16,627,628],{},"This will create a new cron job that will execute the certbot-auto renew command every Monday at 2:30 am and reload Nginx at 2:35 am (so the renewed certificate will be used).",[16,630,631],{},"The output produced by the command will be appended to the log file at \u002Fvar\u002Flog\u002Fle-renew.log.",[16,633,634],{},"That’s it! Your web server is now using a free Let’s Encrypt TLS\u002FSSL certificate to securely serve HTTPS content.",[16,636,637],{},"Hope this helps developers who are new to using Digital Ocean\u002F Amazon servers and want to use a free Let’s Encrypt TLS\u002FSSL certificate.",[16,639,640],{},"That’s the end of this blog! Thanks for reading! 
If you like it, please hit 👍🏻❤️",[642,643,644],"style",{},"html pre.shiki code .sdLwU, html code.shiki .sdLwU{--shiki-default:#82AAFF}html pre.shiki code .sfyAc, html code.shiki .sfyAc{--shiki-default:#C3E88D}html pre.shiki code .s5Dmg, html code.shiki .s5Dmg{--shiki-default:#FFCB6B}html .default .shiki span {color: var(--shiki-default);background: var(--shiki-default-bg);font-style: var(--shiki-default-font-style);font-weight: var(--shiki-default-font-weight);text-decoration: var(--shiki-default-text-decoration);}html .shiki span {color: var(--shiki-default);background: var(--shiki-default-bg);font-style: var(--shiki-default-font-style);font-weight: var(--shiki-default-font-weight);text-decoration: var(--shiki-default-text-decoration);}",{"title":57,"searchDepth":75,"depth":75,"links":646},[647,648,649,650,651],{"id":13,"depth":75,"text":14},{"id":41,"depth":75,"text":42},{"id":112,"depth":75,"text":113},{"id":409,"depth":75,"text":410},{"id":550,"depth":75,"text":551},"2019-07-17T03:37:52.513Z","Secure your website on Nginx with Let's Encrypt","md",{},"\u002Farticle\u002Flet-s-encrypt-with-nginx",{"title":5,"description":653},"article\u002Flet-s-encrypt-with-nginx","\u002Fimg\u002Flets-encrypt.png","h7RVw41IELOgoJZyA2rYd6yMZ1IkN0FQ3dLf0yPS7iQ",{"id":662,"extension":663,"meta":664,"stem":675,"__hash__":676},"author\u002Fauthor\u002FauthorDetails.json","json",{"body":665},[666,670],{"id":6,"fullName":667,"description":668,"image":669},"Ashwin K Shenoy","Hi! I am Ashwin, an Software Engineer and Consultant based out of Bengaluru, India.","https:\u002F\u002Fsimpletech.xyz\u002Fimg\u002Fauthor\u002Fashwin.jpg",{"id":671,"fullName":672,"description":673,"image":674},"paul","Paul Shan","Hello! I am Paul, a front end engineer and consultant based out of Bengaluru, India.","https:\u002F\u002Fashwinshenoy.com\u002Fimg\u002Fashwin2.jpg","author\u002FauthorDetails","k8atXxcwAcv_rjC8llPba18X62upiKWYGU5dL4-S4lw",1781858323664]