How to Install a Free SSL Certificate on Nginx in Ubuntu 16.04/18.04

 

  1. Step – Prerequisites.

Before installing an SSL certificate on Nginx, first make sure that your DNS is configured properly. All DNS records should be listed in your DNS configuration file, and your domain name and IP address should be reachable. Also make sure that your domain points to your server's IP address.

Domain points to your IP address:

Along with pointing your domain at the server's IP address, you have to create a CAA record for your domain. The CAA record allows Let's Encrypt to issue certificates for your domain.

Example

Suppose natsav.com is your domain name and you want to create an SSL certificate for it. Then you have to add this record as a CAA record:

natsav.com IN CAA 0 issue "letsencrypt.org"

You can also add an iodef record so that Let's Encrypt reports malicious certificate issuance requests:

natsav.com IN CAA 0 iodef "mailto:admin@natsav.com"
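
How a certificate authority reads the records above, as an added example that is not part of the original tutorial: the function takes CAA records in the form printed by dig +short CAA and decides whether a given CA may issue for a non-wildcard name. It goes beyond the two records on the page to cover the empty issuer (";"), a record set with no issue property, and an unrecognised critical property; the names caa_allows and check, the CA name ca.example and all sample record sets are constructed for illustration.

```bash
# caa_allows CA_DOMAIN: reads CAA records on stdin, one per line, in the form
#   <flags> <tag> "<value>"
# Exit status 0 = the CA may issue for a non-wildcard name, 1 = it may not.
# Evaluates a single record set; it does not walk up to parent domains.
caa_allows() {
    awk -v ca="$1" '
        {
            flags = $1; tag = tolower($2)
            val = $0
            sub(/^[^ ]+ +[^ ]+ +/, "", val)    # keep only the value field
            gsub(/"/, "", val)
            if (tag == "issue") {
                seen = 1
                sub(/;.*/, "", val)            # drop parameters after ";"
                gsub(/[ \t]/, "", val)
                if (tolower(val) == tolower(ca)) ok = 1
            } else if (tag != "issuewild" && tag != "iodef" && int(flags) >= 128) {
                critical = 1                   # critical flag on a tag unknown to this script
            }
        }
        END {
            if (critical) exit 1               # must refuse to issue
            if (!seen) exit 0                  # no issue property: not restricted
            exit(ok ? 0 : 1)
        }'
}

# check CA RECORDS: prints "allowed" or "denied"
check() {
    if printf '%s\n' "$2" | caa_allows "$1"; then echo allowed; else echo denied; fi
}

# Constructed sample record sets (not real DNS answers).
PAGE_RECORDS='0 issue "letsencrypt.org"
0 iodef "mailto:admin@natsav.com"'
OTHER_CA_ONLY='0 issue "ca.example"'
NO_ISSUANCE='0 issue ";"'
IODEF_ONLY='0 iodef "mailto:admin@natsav.com"'
CRITICAL_UNKNOWN='128 futuretag "x"
0 issue "letsencrypt.org"'

check letsencrypt.org "$PAGE_RECORDS"
check letsencrypt.org "$OTHER_CA_ONLY"
```

Against live DNS the same function can be fed from dig +short CAA natsav.com.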
  2. Step – Set Up the Nginx Virtual Host

Now set up the Nginx HTTP server so that the Let's Encrypt tool can configure the certificate.

To install the Nginx HTTP server, use these commands:

sudo apt update
sudo apt install nginx

After installing Nginx, create a virtual host for your website configuration, and make sure that it contains only those domain names for which you want to create a free SSL/TLS certificate.

sudo nano /etc/nginx/sites-available/natsav.com

In this file, your domain name should appear in the places shown:

server {
    listen 80;
    listen [::]:80;

    root /var/www/html/natsav.com;
    index index.php index.html index.htm;

    # Only the names that the certificate should cover
    server_name natsav.com www.natsav.com;

    client_max_body_size 100M;

    location / {
        try_files $uri $uri/ /index.php?$args;
    }

    # Hand PHP requests to PHP-FPM
    location ~ \.php$ {
        include snippets/fastcgi-php.conf;
        fastcgi_pass unix:/var/run/php/php7.2-fpm.sock;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}
  3. Step – Installing the Certbot Nginx Client

sudo apt-get install python-certbot-nginx

If python-certbot-nginx is not already available, you have to add the PPA repository and install the package.

sudo add-apt-repository ppa:certbot/certbot
sudo apt-get update
sudo apt-get install python-certbot-nginx

After running this command you get output like the following:

sudo certbot --nginx --agree-tos --email admin@natsav.com --redirect --hsts -d natsav.com -d www.natsav.com

The client should install the certificate and configure your website to redirect all traffic over HTTPS.

Congratulations! You have successfully enabled https://natsav.com and
https://www.natsav.com

You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=natsav.com
https://www.ssllabs.com/ssltest/analyze.html?d=www.natsav.com

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/natsav.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/natsav.com/privkey.pem
   Your cert will expire on 2018-02-24. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot again
   with the "certonly" option. To non-interactively renew *all* of
   your certificates, run "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

Let's Encrypt automatically adds the lines marked "# managed by Certbot" to the Nginx site configuration file. Your site is then ready to be used over HTTPS.

server {
    listen 80;
    listen [::]:80;

    root /var/www/html/natsav.com;
    index index.php index.html index.htm;
    server_name natsav.com www.natsav.com;

    client_max_body_size 100M;

    location / {
        try_files $uri $uri/ /index.php?$args;
    }

    location ~ \.php$ {
        include snippets/fastcgi-php.conf;
        fastcgi_pass unix:/var/run/php/php7.2-fpm.sock;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }

    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/natsav.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/natsav.com/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

    if ($scheme != "https") {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    # Redirect non-https traffic to https
    # if ($scheme != "https") {
    #     return 301 https://$host$request_uri;
    # } # managed by Certbot
}
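
A static check of the server block that Certbot leaves behind, as an added example that is not part of the original tutorial or of Certbot: it reports a missing TLS listener, certificate and key paths that sit in different directories, a missing HTTP-to-HTTPS redirect, and a missing Strict-Transport-Security header (what --redirect and --hsts are meant to add). The function names, the finding labels and both sample configurations are constructed for illustration.

```bash
# audit_tls_block: reads an nginx server block on stdin.
# Prints one finding per line; prints nothing when every check passes.
audit_tls_block() {
    awk '
        { sub(/#.*/, "") }                          # ignore comments
        $1 == "listen" && /443/ && /ssl/ { tls = 1 }
        $1 == "ssl_certificate"          { cert = $2 }
        $1 == "ssl_certificate_key"      { key = $2 }
        /return 301 https:/              { redirect = 1 }
        /Strict-Transport-Security/      { hsts = 1 }
        END {
            sub(/;$/, "", cert); sub(/;$/, "", key)
            cdir = cert; sub("/[^/]*$", "", cdir)   # directory part of each path
            kdir = key;  sub("/[^/]*$", "", kdir)
            if (!tls) print "no-tls-listener"
            if (cert == "" || key == "") print "missing-cert-or-key"
            else if (cdir != kdir) print "cert-key-dir-mismatch"
            if (!redirect) print "no-https-redirect"
            if (!hsts) print "no-hsts-header"
        }'
}

# audit CONFIG_TEXT: convenience wrapper around audit_tls_block
audit() { printf '%s\n' "$1" | audit_tls_block; }

# Constructed sample: everything in place.
GOOD_CONF='server {
    listen 443 ssl;
    ssl_certificate /etc/letsencrypt/live/natsav.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/natsav.com/privkey.pem;
    add_header Strict-Transport-Security "max-age=31536000" always;
    if ($scheme != "https") {
        return 301 https://$host$request_uri;
    }
}'

# Constructed sample: key path in a misspelled directory, redirect only
# present as a comment, no HSTS header.
BAD_CONF='server {
    listen 443 ssl;
    ssl_certificate /etc/letsencrypt/live/natsav.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/misspelled.example/privkey.pem;
    # if ($scheme != "https") {
    #     return 301 https://$host$request_uri;
    # }
}'

audit "$BAD_CONF"
```

On a server, the same function can read the real file: audit_tls_block < /etc/nginx/sites-available/natsav.com.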

 

Now your setup is done. To test the renewal process, run:

sudo certbot renew --dry-run

Now you can add a cron job for the renewal process:

sudo crontab -e

Enter this line in the cron job configuration file:

0 1 * * * /usr/bin/certbot renew > /dev/null 2>&1

 

 

 

 

 
