I decided to take up the Let’s Encrypt offer and configure a free certificate for my website. From today you are browsing my website over an encrypted connection.
HTTPS keeps stuff secret by encrypting it as it moves between your browser and the website’s server. This ensures that anyone listening in on the conversation can’t read anything. This could include your ISP, a hacker, snooping governments, or anyone else who manages to position themselves between you and the web server.
I encourage everyone to implement this solution on their websites. In addition, using HTTPS has a good effect on search ranking: Google is more likely to promote websites that encrypt traffic than those that do not.
Below I will present the steps I took to configure my web server (Nginx) on Debian to use HTTPS.
Here are other solutions for other web servers and systems.
Edit the APT sources list
sudo nano /etc/apt/sources.list
Add the backports repository (in my case it is Debian 9, stretch)
deb http://ftp.debian.org/debian stretch-backports main
Update the package list
</gra_replace>
<gr_replace lines="14" cat="clarify" orig="I am using UFW">
I am using UFW. This is the command to allow HTTPS traffic on port 443 (port 80 must also be open, because the standalone authenticator used below answers the HTTP-01 challenge there and the HTTP-to-HTTPS redirect needs it).
sudo apt-get update
Install Certbot for Nginx
sudo apt-get install python-certbot-nginx -t stretch-backports
I am using UFW. These are commands to allow traffic on spcific ports.
sudo ufw allow 443/tcp
For iptables (the same rule with --dport 443 is needed for HTTPS):
iptables -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
In the Nginx configuration you need to check that server_name is set.
sudo nano /etc/nginx/sites-available/default
Add your domain name to the server block
server_name example.com www.example.com;
Check the Nginx configuration for syntax errors
sudo nginx -t
If everything is OK, restart Nginx (the first command is for sysvinit, the second for systemd; use the one your system provides).
sudo service nginx restart
sudo systemctl restart nginx
If this is your first time running certbot, you will be prompted to enter an email address and agree to the terms of service.
sudo certbot --authenticator standalone --installer nginx -d example.com -d www.example.com --pre-hook "systemctl stop nginx" --post-hook "systemctl start nginx"
Provide your email and accept the terms. Your certificate will be generated.
If successful, you will be able to choose between enabling both http and https access or forcing all requests to redirect to https.
Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
I suggest choosing option 2. Certbot will automatically add the additional lines to your website config. Once complete you will get a message:
As Let’s Encrypt certs expire after 90 days, they need to be checked for renewal periodically. Certbot will automatically run twice a day and renew any certificate that is within thirty days of expiration.
To test that the renewal process is working correctly (without actually issuing a certificate), you can run:
sudo certbot renew --dry-run
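A dry run only proves that certbot can talk to Let’s Encrypt; it does not tell you how many days the certificate currently served by Nginx has left. The script below is an added example, not part of the original post or of Certbot, that reads a PEM certificate with openssl and applies the same thirty-day rule the renewal timer uses. It assumes openssl and either GNU or BSD date are installed; the certificate it demonstrates on is a constructed self-signed one generated on the fly, and the /path/to/fullchain.pem in the usage line is a placeholder for your own certificate file.

```shell
#!/bin/sh
# Added example (not from the original post): report how many days a PEM
# certificate has left and whether it falls inside certbot's default
# 30-day renewal window. Assumes openssl and GNU or BSD `date`.

# days_left <cert.pem>: prints the whole days until notAfter (negative if expired).
days_left() {
    enddate=$(openssl x509 -in "$1" -noout -enddate)   # e.g. notAfter=Sep  1 12:00:00 2025 GMT
    not_after=${enddate#notAfter=}
    if date -u -d "$not_after" +%s >/dev/null 2>&1; then
        expiry=$(date -u -d "$not_after" +%s)                                 # GNU date
    else
        expiry=$(date -u -j -f "%b %e %H:%M:%S %Y %Z" "$not_after" +%s)      # BSD date
    fi
    now=$(date -u +%s)
    echo $(( (expiry - now) / 86400 ))
}

# renewal_status <cert.pem>: "renew" when 30 days or fewer remain, "ok" otherwise.
renewal_status() {
    d=$(days_left "$1")
    if [ "$d" -le 30 ]; then
        echo renew
    else
        echo ok
    fi
}

# make_demo_cert <out.pem> <days>: constructed self-signed certificate valid
# for <days> days, so the check can be exercised without a real Let's Encrypt cert.
make_demo_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1" \
        -days "$2" -subj "/CN=example.com" >/dev/null 2>&1
}

# Usage: sh check_cert.sh /path/to/fullchain.pem   (placeholder path)
if [ "$#" -gt 0 ]; then
    echo "$1: $(days_left "$1") days left, status: $(renewal_status "$1")"
fi
```

Point it at the fullchain.pem that your Nginx ssl_certificate directive references; if it reports "renew" while the cron job or timer is supposedly running, the hooks are not restarting Nginx or the renewal itself is failing, and the output of certbot renew --dry-run will show which.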
Don’t forget to back up your keys. They are located here:
Wherever the above method does not work, you can try the official alternative method, certbot-auto. It is perfect for Debian 8 (Jessie).
Uninstall certbot (if installed):
sudo apt-get remove certbot
Make the downloaded script executable:
chmod a+x certbot-auto
certbot-auto accepts the same flags as certbot; it installs all of its own dependencies and updates the client code automatically.
Certbot has an Nginx plugin, which is supported on many platforms, and automates certificate installation.
sudo /path/to/certbot-auto --nginx
Running this command will get a certificate for you and have Certbot edit your Nginx configuration automatically to serve it. If you’re feeling more conservative and would like to make the changes to your Nginx configuration by hand, you can use the certonly subcommand:
sudo /path/to/certbot-auto --nginx certonly
Check that automatic renewal works:
sudo /path/to/certbot-auto renew --dry-run
Add a cron task to renew the certificate automatically:
0 0 * * 1 /path/to/certbot-auto renew --quiet --pre-hook "service nginx stop" --post-hook "service nginx start"
This will run renew at 00:00 every Monday, with --quiet silencing all output except errors and the pre/post hooks stopping Nginx before the renewal (so the standalone authenticator can bind port 80) and starting it again afterwards.