- Step – Prerequisites.
Before installing an SSL/TLS certificate on Nginx, make sure that DNS for your domain is configured correctly: the zone must contain an A record (and an AAAA record if you use IPv6) that points the domain at the public IP address of the server, and the server must be reachable from the Internet on port 80, because Let's Encrypt proves that you control the domain by fetching a challenge file from it over plain HTTP.
Domain points to your IP address-
The A record is what points the domain at the server. A CAA record is a separate, optional record and it does not point anywhere: it lists which certificate authorities are allowed to issue certificates for your domain. A CA (Let's Encrypt included) must refuse to issue when a CAA record exists that does not name it, while a domain with no CAA record at all can be issued for by any CA. So if you add CAA to your zone, it has to name letsencrypt.org, otherwise certbot will fail with a CAA error. You can check what is published with: dig natsav.com CAA
Example
Suppose natsav.com is your domain name and you want a Let's Encrypt certificate for it; then the CAA record must look like this (the quotes are part of the record, and the trailing dot makes the name absolute in a zone file):
natsav.com. IN CAA 0 issue "letsencrypt.org"
You can also add an iodef property so that a CA which receives a certificate request that violates this policy can report it to you by e-mail:
natsav.com. IN CAA 0 iodef "mailto:admin@natsav.com"
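The following shell script is an added example, not part of the original article: it applies the CAA issuance rules to a record set and answers whether letsencrypt.org may issue, which is the check to run before certbot if you are not sure what your zone publishes. The record sets are constructed to look like dig output for the article's natsav.com; the other CA name and the TTLs are assumptions for illustration.

```sh
#!/bin/sh
# Added example (not from the original article): decide from a domain's CAA
# record set whether a given CA may issue a non-wildcard certificate, applying
# the rules of RFC 8659. The sample record sets below are constructed to look
# like `dig +noall +answer natsav.com CAA` output; on a real server you would
# pass the actual answer:
#   caa_issue_allowed letsencrypt.org "$(dig +noall +answer natsav.com CAA)"

# caa_issue_allowed CA_DOMAIN RECORD_SET  -> prints "allow" or "deny"
#   - no CAA records at all                      -> allow (any CA may issue)
#   - an "issue" property naming CA_DOMAIN       -> allow (case-insensitive;
#     parameters after ";" such as accounturi= are ignored here)
#   - CAA records exist but none names CA_DOMAIN -> deny (certbot then fails
#     with an error like "CAA record for natsav.com prevents issuance")
#   - issue ";"                                  -> deny (forbids every CA)
# Note: CAA is looked up on the name and then on its parents; pass the record
# set of the closest ancestor that has one.
caa_issue_allowed() {
    ca=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    printf '%s\n' "$2" | awk -v ca="$ca" '
        {
            for (i = 1; i <= NF; i++) {
                if ($i != "CAA") continue
                have_caa = 1
                tag = $(i + 2); val = $(i + 3)
                gsub(/"/, "", val)        # strip the quotes around the value
                sub(/;.*/, "", val)       # drop parameters ("; accounturi=...")
                if (tag == "issue" && tolower(val) == ca) ok = 1
            }
        }
        END { r = (!have_caa || ok) ? "allow" : "deny"; print r }'
}

# Constructed sample answers (natsav.com is the article's example domain;
# digicert.com stands in for "some other CA").
ALLOW_LE='natsav.com. 300 IN CAA 0 issue "letsencrypt.org"
natsav.com. 300 IN CAA 0 iodef "mailto:admin@natsav.com"'
OTHER_CA='natsav.com. 300 IN CAA 0 issue "digicert.com"'
NO_ISSUE='natsav.com. 300 IN CAA 0 issue ";"'
NONE=''

for name in ALLOW_LE OTHER_CA NO_ISSUE NONE; do
    eval "recs=\$$name"
    printf '%-9s %s\n' "$name" "$(caa_issue_allowed letsencrypt.org "$recs")"
done
```

The two "deny" cases are the ones that surface as a validation failure inside certbot; the script lets you see them before you spend a rate-limited issuance attempt on them.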
- Step – Setup Nginx Virtual Host
Now configure the Nginx HTTP server so that the Let's Encrypt client (certbot) has a server block it can install the certificate into.
To install the Nginx HTTP server use these commands-
sudo apt update
sudo apt install nginx
After installing Nginx, create a virtual host for your website. Make sure its server_name lists only the hostnames you want on the free SSL/TLS certificate: certbot chooses the server block by matching the names you pass with -d against server_name, and every one of those names must resolve to this server for validation to succeed.
sudo nano /etc/nginx/sites-available/natsav.com
In this file the server_name directive must carry your domain names (natsav.com and www.natsav.com in this example):
server {
    listen 80;
    listen [::]:80;

    root /var/www/html/natsav.com;
    index index.php index.html index.htm;

    server_name natsav.com www.natsav.com;
    client_max_body_size 100M;

    location / {
        try_files $uri $uri/ /index.php?$args;
    }

    location ~ \.php$ {
        include snippets/fastcgi-php.conf;
        fastcgi_pass unix:/var/run/php/php7.2-fpm.sock;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}
Enable the site by linking the file into /etc/nginx/sites-enabled, check the syntax with nginx -t and reload Nginx before continuing; certbot's nginx plugin parses the whole configuration and a syntax error makes it fail. The included snippets/fastcgi-php.conf returns 404 for PHP scripts that do not exist on disk, so requests with attacker-controlled path information are not handed to PHP-FPM.
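Before running certbot it is worth confirming that the virtual host really covers every name you will pass with -d and still listens on port 80, which the nginx plugin needs for the HTTP-01 challenge. The script below is an added example, not part of the original article or of certbot; the configuration text embedded in it is a copy of the natsav.com virtual host above, and www.example.com is used only to show what a mismatched name looks like.

```sh
#!/bin/sh
# Added example (not from the original article or from certbot): check that a
# virtual host lists every hostname you intend to pass to certbot with -d, and
# that it listens on port 80 for the HTTP-01 challenge. The configuration is
# embedded here (a copy of the natsav.com virtual host) so the check runs
# offline; on a server you would pass
#   "$(cat /etc/nginx/sites-available/natsav.com)"  instead.

# server_names CONFIG
# Prints, one per line and lowercased, every name from every server_name
# directive in CONFIG. Comments are stripped first so a commented-out
# directive is not counted.
server_names() {
    printf '%s\n' "$1" | sed 's/#.*//' | awk '
        /^[ \t]*server_name[ \t]/ {
            sub(/;.*/, "")                  # drop the ";" and anything after it
            for (i = 2; i <= NF; i++) print tolower($i)
        }'
}

# missing_server_names CONFIG NAME...
# Prints each NAME that no server_name directive covers. Empty output means the
# -d list and the virtual host agree; anything printed is a name certbot will
# not find a server block for.
missing_server_names() {
    cfg=$1
    shift
    names=$(server_names "$cfg")
    for n in "$@"; do
        n=$(printf '%s' "$n" | tr 'A-Z' 'a-z')
        if ! printf '%s\n' "$names" | grep -qxF -- "$n"; then
            printf '%s\n' "$n"
        fi
    done
}

# listens_on_80 CONFIG -> prints "yes" or "no"
# Matches "listen 80;", "listen [::]:80;" and variants such as
# "listen 80 default_server;".
listens_on_80() {
    if printf '%s\n' "$1" | sed 's/#.*//' \
        | grep -Eq '^[[:space:]]*listen[[:space:]]+(\[::\]:)?80([[:space:]]|;)'; then
        echo yes
    else
        echo no
    fi
}

# Constructed copy of the virtual host from the article (before certbot edits it).
VHOST='server {
    listen 80;
    listen [::]:80;
    root /var/www/html/natsav.com;
    index index.php index.html index.htm;
    server_name natsav.com www.natsav.com;
    location / {
        try_files $uri $uri/ /index.php?$args;
    }
}'

echo "listens on 80: $(listens_on_80 "$VHOST")"
echo "names missing from server_name: $(missing_server_names "$VHOST" natsav.com www.natsav.com www.example.com)"
```

Run with the real file and the exact -d list you plan to use; if anything is printed as missing, fix server_name (or the -d list) before invoking certbot rather than after a failed run.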
- Step – Installing the Certbot Nginx client
sudo apt-get install python-certbot-nginx
If python-certbot-nginx is not available from the default repositories, add the Certbot PPA and install the package from there:
sudo add-apt-repository ppa:certbot/certbot
sudo apt-get update
sudo apt-get install python-certbot-nginx
(On current Ubuntu and Debian releases the package is called python3-certbot-nginx, and the certbot/certbot PPA is no longer maintained; the Certbot project now recommends installing certbot as a snap. The certbot commands below are the same either way.)
Now request the certificate and let certbot configure Nginx in one go. --redirect makes certbot add a rule that sends HTTP requests to HTTPS, and --hsts adds a Strict-Transport-Security header; only use --hsts once you are sure the site will stay on HTTPS, because browsers remember the header and will refuse plain HTTP for the whole max-age. The hostnames after -d must match the server_name of the virtual host:
sudo certbot --nginx --agree-tos --email admin@natsav.com --redirect --hsts -d natsav.com -d www.natsav.com
Certbot obtains the certificate, installs it into the site configuration and configures your website to redirect all traffic to HTTPS. On success the output looks like this:
Congratulations! You have successfully enabled https://natsav.com and
https://www.natsav.com

You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=natsav.com
https://www.ssllabs.com/ssltest/analyze.html?d=www.natsav.com

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/natsav.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/natsav.com/privkey.pem
   Your cert will expire on 2018-02-24. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot again
   with the "certonly" option. To non-interactively renew *all* of your
   certificates, run "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le
Certbot adds the lines marked "# managed by Certbot" to the site configuration file, and with --redirect it also inserts the 301 rule; your site is now served over HTTPS. The file ends up looking like this (newer certbot versions put the redirect into a separate port-80 server block instead of an if inside the same block, with the same effect; the Strict-Transport-Security add_header line that --hsts adds is not shown here):
server {
    listen 80;
    listen [::]:80;

    root /var/www/html/natsav.com;
    index index.php index.html index.htm;

    server_name natsav.com www.natsav.com;
    client_max_body_size 100M;

    location / {
        try_files $uri $uri/ /index.php?$args;
    }

    location ~ \.php$ {
        include snippets/fastcgi-php.conf;
        fastcgi_pass unix:/var/run/php/php7.2-fpm.sock;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }

    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/natsav.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/natsav.com/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

    if ($scheme != "https") {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    # Redirect non-https traffic to https
    # if ($scheme != "https") {
    #     return 301 https://$host$request_uri;
    # } # managed by Certbot
}
Now your setup is done. Let's Encrypt certificates are valid for 90 days, so renewal has to be automated. Test the renewal process first:
sudo certbot renew --dry-run
The Debian and Ubuntu certbot packages already install a systemd timer and an /etc/cron.d/certbot entry that run certbot renew twice a day, so check for those (systemctl list-timers shows the timer) before adding a job of your own. If you do want your own cron job for the renewal process:
sudo crontab -e
Enter this line in the crontab:
0 1 * * * /usr/bin/certbot renew --quiet
With --quiet certbot prints nothing unless a renewal fails, so cron mails you only on errors; do not redirect the output to /dev/null as well, or you will never hear about a failed renewal until the certificate expires. Because the certificate was installed with --nginx, certbot renew reloads Nginx after a successful renewal; certificates obtained with certonly need a --deploy-hook to do that.