It is a good time again to bring you another interesting walk-through post. Today's post is a follow-on from my last post about how to install acme-dns with Certbot. So I thought I would do a different walk-through about installing Let's Encrypt Certbot (without acme-dns) with the Nginx and Apache web servers.
We begin by discussing a high level overview of Let’s Encrypt Certbot and the certificates they issue.
Let's Encrypt is a non-profit certificate authority which provides Transport Layer Security (TLS) certificates to over 300 million websites. Yes, you read that right: 300 million websites with no profit attached. They survive on the goodwill of partners and sponsors. It is managed by the Internet Security Research Group. That figure makes Let's Encrypt the world's largest certificate provider. I have used them for as long as I can remember.
Certbot is used as a switch to move a domain name or URL (Uniform Resource Locator) from unsecured HTTP (HyperText Transfer Protocol) to the more secure HTTPS address. This is done by installing a certificate (of trust) for the domain name of your hosted application.
The certificate is typically installed in the web server (Nginx or Apache) on your remote or local machine. Certbot is also saddled with the responsibility of renewing the certificates it installed for your domain name, so that the hosted application does not experience downtime or a security breach due to an expired certificate.
I should also mention that there are many other certificate providers. However, what makes Certbot stand out is its easy installation, easy management and no-fee usage. Certbot is completely free to use.
HOW TO SECURE A DOMAIN WITH LET'S ENCRYPT WITH AUTO RENEWAL
We begin by installing Certbot and its Nginx plugin with apt:
$ sudo apt install certbot python3-certbot-nginx
Also, just as a precautionary measure, you should install the Nginx web server, if you have not done that before.
$ sudo apt install nginx
Once you have the above step done, you should configure your Nginx server block to contain the domain that points to the content you want to serve in the
$ sudo nano /etc/nginx/sites-available/example.com
If it is correct, exit your editor and move on to the next step.
If not correct, update it to match. Then save the file, quit your editor, and verify the syntax of your configuration edits:
$ sudo nginx -t
If you get an error, reopen the server block file and check for any typos or missing characters. The Nginx configuration is indent sensitive.
Once your configuration file’s syntax is correct, reload Nginx to load the new configuration:
$ sudo systemctl reload nginx
Ensure you allow HTTPS through the server firewall:
$ sudo ufw allow HTTPS
You can alternatively allow the full Nginx profile (both HTTP and HTTPS):
$ sudo ufw allow 'Nginx Full'
Now, let us move on to generating the certificates. Let's Encrypt Certbot provides a variety of ways to obtain SSL certificates through plugins. The Nginx plugin will take care of reconfiguring Nginx and reloading the config whenever necessary. To use this plugin, run the following:
$ sudo certbot --nginx -d yourdomainname.com -d www.yourdomainname.com
Let me break down the flags passed in the above command:
--nginx: Specifies that the certificate is to be installed in an Nginx web server. See the next step for Apache.
-d: Points to the domain you want to obtain a Certbot certificate for. You can configure multiple domain names at once by repeating this flag.
The above will work for domain names that are already serving content. However, you can also obtain a certificate for a domain name in standalone mode, without a web server plugin:
$ sudo certbot certonly --standalone -d yourdomainname.com -d www.yourdomainname.com
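The post asks you to edit the server block but never shows what goes in it, or what the `--nginx` plugin changes. The script below is an added example, not code from the post or from the Certbot project: it renders the plain HTTP server block you write before running Certbot, a simplified version of the HTTPS block the plugin rewrites it into (the `/etc/letsencrypt/live/<domain>/` paths and the `options-ssl-nginx.conf` / `ssl-dhparams.pem` includes are Certbot's real locations), and the matching `certbot --nginx` command, after checking that the domain name is well formed so nothing odd reaches the config file or the `-d` flag. The domain `example.com`, the web root and the output directory are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post or Certbot): render the Nginx
# server block certbot --nginx expects, and the HTTPS block it leaves behind.
# Domain, web root and output directory below are assumptions.
set -eu

# Accept only syntactically plausible hostnames before they reach the config
# file or the certbot -d flag.
valid_domain() {
  printf '%s' "$1" | grep -Eq '^([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$'
}

# Plain HTTP server block: what you write before running certbot --nginx.
render_http_block() {
  domain="$1"
  cat <<EOF
server {
    listen 80;
    listen [::]:80;
    server_name ${domain} www.${domain};
    root /var/www/${domain}/html;
    index index.html;
}
EOF
}

# Simplified version of what the --nginx plugin writes: an HTTPS server using
# the Let's Encrypt paths, plus an HTTP server that only redirects.
render_https_block() {
  domain="$1"
  cat <<EOF
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name ${domain} www.${domain};
    root /var/www/${domain}/html;
    index index.html;
    ssl_certificate /etc/letsencrypt/live/${domain}/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/${domain}/privkey.pem;
    include /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
}
server {
    listen 80;
    listen [::]:80;
    server_name ${domain} www.${domain};
    return 301 https://\$host\$request_uri;
}
EOF
}

# The certbot invocation for the same names, built from validated input.
certbot_command() {
  printf 'sudo certbot --nginx -d %s -d www.%s\n' "$1" "$1"
}

main() {
  domain="${1:-example.com}"
  # Assumed output directory; on a real host this is /etc/nginx/sites-available
  outdir="${2:-${TMPDIR:-/tmp}/nginx-sites}"
  if ! valid_domain "$domain"; then
    echo "refusing invalid domain name: $domain" >&2
    return 1
  fi
  mkdir -p "$outdir"
  render_http_block "$domain" > "$outdir/$domain"
  echo "wrote $outdir/$domain; now run:"
  certbot_command "$domain"
  echo "after certbot, the server block will look like:"
  render_https_block "$domain"
}

main "$@"
```

Run it as `sh render-site.sh yourdomain.com` and copy the written file into `/etc/nginx/sites-available/`, then `nginx -t` and reload as described above; the plugin will produce the HTTPS version for you, so the second block is only there to show what to expect.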
FOR APACHE INSTALLATION:
Let's Encrypt also makes provision for the Apache web server. Simply run:
$ sudo certbot --apache
Follow the prompts, supplying your email address, to complete the process.
VERIFYING CERTBOT AUTO-RENEWAL
Now that you have installed the certificates for your domain name in your web server, you can verify auto-renewal by querying the status of the timer with systemctl, and you can also renew the installed certificates by hand. You can do that in any of the ways listed below.
$ sudo systemctl status certbot.timer
$ sudo certbot renew
$ sudo certbot certonly --force-renewal -d example.com
You can also test the renewal process with a dry run with:
$ sudo certbot renew --dry-run
In the event you need to do some more probing, you can check the logs:
$ sudo cat /var/log/nginx/error.log
TO AUTORENEW CERTIFICATES
After doing a good job of securing your business domain name, it is important to ensure the prompt renewal of its certificates. Let's Encrypt usually renews its Certbot certificates every 3 months. You are likely to get a reminder email prior to the expiry date. You can use your machine's crontab to auto-renew your Certbot certificates.
Open the crontab from your terminal:
$ crontab -e
Add the snippet below to the bottom of the file. This makes Certbot scan for expiring certificates every day at 12 noon and renew any that are due.
0 12 * * * /usr/bin/certbot renew --quiet
CHECK YOUR INSTALLED CERTIFICATES
You can also check the list of certificates that have been installed for each of your domain names:
$ sudo certbot certificates
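Neither `systemctl status certbot.timer` nor the cron entry tells you whether renewals are actually succeeding; the only thing that does is the expiry date of each certificate. The script below is an added example, not code from the post or from Certbot: it reads the output of `sudo certbot certificates`, lists every certificate with fewer than 30 days left (Certbot's default renewal window) or already expired, and can be dropped into cron next to `certbot renew` so you hear about a silently failing renewal before the browser warnings start. The sample output is constructed; only its shape follows Certbot's real output, and the "(INVALID: EXPIRED)" form for expired certificates is an assumption handled generically.

```shell
#!/bin/sh
# Added example (not from the original post or Certbot): flag certificates
# that are inside certbot's 30-day renewal window or already expired, by
# parsing the output of `sudo certbot certificates`.
# The sample below is constructed; only its shape follows certbot's output.

SAMPLE_CERTBOT_OUTPUT='Found the following certs:
  Certificate Name: example.com
    Domains: example.com www.example.com
    Expiry Date: 2030-01-01 10:00:00+00:00 (VALID: 75 days)
    Certificate Path: /etc/letsencrypt/live/example.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/example.com/privkey.pem
  Certificate Name: shop.example.com
    Domains: shop.example.com
    Expiry Date: 2030-01-01 10:00:00+00:00 (VALID: 12 days)
    Certificate Path: /etc/letsencrypt/live/shop.example.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/shop.example.com/privkey.pem
  Certificate Name: old.example.com
    Domains: old.example.com
    Expiry Date: 2020-01-01 10:00:00+00:00 (INVALID: EXPIRED)
    Certificate Path: /etc/letsencrypt/live/old.example.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/old.example.com/privkey.pem'

# Read certbot output on stdin and print "<name> <days-left>" per certificate.
# Anything without a "VALID: N days" marker (expired, revoked) is printed as -1
# so it sorts as needing attention.
cert_days_left() {
  awk '
    /Certificate Name:/ { name = $3 }
    /Expiry Date:/ {
      days = -1
      if (match($0, /VALID: [0-9]+ day/)) {
        # strip the "VALID: " prefix and " day" suffix from the match
        days = substr($0, RSTART + 7, RLENGTH - 11) + 0
      }
      print name, days
    }'
}

# Print only the names with fewer than THRESHOLD days left (default 30,
# which is when `certbot renew` should already have replaced them).
certs_needing_renewal() {
  threshold="${1:-30}"
  cert_days_left | awk -v t="$threshold" '$2 < t { print $1 }'
}

# Stand-alone run against the constructed sample. On a real host use:
#   sudo certbot certificates | certs_needing_renewal
due=$(printf '%s\n' "$SAMPLE_CERTBOT_OUTPUT" | certs_needing_renewal 30)
if [ -n "$due" ]; then
  echo "certificates within the renewal window or expired:"
  echo "$due"
else
  echo "all certificates have more than 30 days left"
fi
```

If you obtained the certificate with `certonly --standalone` rather than the Nginx plugin, remember that nothing reloads the web server after a renewal; adding `--deploy-hook "systemctl reload nginx"` to the `certbot renew` line in the crontab takes care of that.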
ERROR: An unexpected error occurred:
requests.exceptions.ConnectionError: HTTPSConnectionPool(host='acme-v02.api.letsencrypt.org', port=443): Max retries exceeded with url: /directory (Caused by NewConnectionError(': Failed to establish a new connection: [Errno -3] Temporary failure in name resolution'))
This can happen while Certbot is installing a certificate for a domain name, or during renewal.
To resolve it, run:
$ sudo systemctl restart systemd-resolved.service
Then try to install the certificate again.
If that does not resolve it, you should check that your firewall or security group allows inbound and outbound ICMP traffic, and allows all outbound UDP and TCP connections. If it does not, you should allow them. Then retry installing the Certbot SSL certificate.
Also make sure port 443 is open for HTTPS traffic.
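The error above has two different causes with two different fixes: the resolver cannot turn `acme-v02.api.letsencrypt.org` into an address (restart systemd-resolved), or the name resolves but the firewall blocks the outbound connection on 443 (fix the rules). The script below is an added example, not code from the post or from Certbot: it classifies a Certbot error line into one of those buckets from the text it contains, and runs a preflight check that separates the two before you retry. The hostname is the real ACME v2 endpoint from the error message; the sample error lines are constructed, and the port probe assumes `bash` and coreutils `timeout` are available.

```shell
#!/bin/sh
# Added example (not from the original post or Certbot): tell a DNS failure
# apart from a blocked outbound connection before retrying certbot.
# ACME_HOST is the real endpoint from the error above; the sample error lines
# are constructed.

ACME_HOST="acme-v02.api.letsencrypt.org"

# Map a certbot error line to the remediation bucket from the post:
#   dns     -> restart systemd-resolved, check the resolver
#   network -> check firewall / security group rules for outbound 443
#   ok      -> nothing to fix
classify_certbot_error() {
  case "$1" in
    *"Temporary failure in name resolution"*|*"Name or service not known"*)
      echo dns ;;
    *"Connection refused"*|*"timed out"*|*"Network is unreachable"*)
      echo network ;;
    *)
      echo ok ;;
  esac
}

# Can the system resolver resolve the host at all?
resolve_ok() {
  getent hosts "$1" >/dev/null 2>&1
}

# Can we open TCP 443 to it? Uses bash's /dev/tcp with a 5 second timeout
# (assumes bash and coreutils timeout are installed).
port_443_open() {
  timeout 5 bash -c "exec 3<>/dev/tcp/$1/443" 2>/dev/null
}

# Constructed error lines in the shape certbot prints.
SAMPLE_ERR_DNS="requests.exceptions.ConnectionError: HTTPSConnectionPool(host='acme-v02.api.letsencrypt.org', port=443): Max retries exceeded with url: /directory (Caused by NewConnectionError('...: Failed to establish a new connection: [Errno -3] Temporary failure in name resolution'))"
SAMPLE_ERR_NET="Failed to establish a new connection: [Errno 111] Connection refused"

# Run the two probes in order and print which fix applies.
preflight() {
  host="${1:-$ACME_HOST}"
  if ! resolve_ok "$host"; then
    echo "dns: cannot resolve $host; try: sudo systemctl restart systemd-resolved"
    return 1
  fi
  if ! port_443_open "$host"; then
    echo "network: $host resolves but TCP 443 is blocked; check outbound firewall rules"
    return 2
  fi
  echo "ok: $host is reachable on 443"
}

# Stand-alone run. Classification works offline; the preflight needs network.
echo "sample dns line -> $(classify_certbot_error "$SAMPLE_ERR_DNS")"
echo "sample net line -> $(classify_certbot_error "$SAMPLE_ERR_NET")"
preflight "$ACME_HOST" || true
```

Run the preflight before `certbot renew` on a host that has thrown this error; if it reports `dns`, restarting the resolver is the right first move, and if it reports `network`, no amount of resolver restarts will help and the security group or ufw rules are where to look.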
That will be it for now. Thanks for always being here. Look out for my next post again. Cheers.