If you’re lazy like me, you would use certbot to create certificates for HTTPS. This is my preferred method because it’s simple, fast, and can automatically renew a certificate when it expires. Unfortunately, the world ain’t all sunshine and rainbows. There are some occasions where certbot can’t immediately create a certificate, such as:
The server is behind a VPN. Usually, there is a proxy that is already set up. If this is not the case for you, then I hope you know the list of things where the proxy should be set up.
The web server is behind a secured TLD, such as .app. This means you can’t access it over the HTTP protocol and certbot can’t create a certificate. This is because, by default, certbot uses the HTTP-01 challenge, which means this challenge would fail on the web server.
If you’re here because of the first reason, then I recommend configuring the proxy for certbot, because sooner or later you will need to configure it for automatic certificate renewal. Your future self will thank you if you do this hard work now.
In my case, I have some websites that use the .app domain. Because of this, I need to learn how to set up a certificate manually. For the explanation, I will skip over the certificate creation because it’s already generated by my domain provider. If you want to refresh your understanding of HTTPS, you can check this helpful comic from HowHTTPSWorks.
So the first step is getting your certificate. In my case, I used Porkbun as my provider. There will be 4 files in the given zip: domain.cert.pem, intermediate.cert.pem, private.key.pem, public.key.pem. If you’re used to certbot file naming like me, this mapping will help you:
domain.cert.pem (Porkbun) -> fullchain.pem (certbot) -> ssl_certificate (nginx)
intermediate.cert.pem (Porkbun) -> chain.pem (certbot) -> ssl_trusted_certificate (nginx)
private.key.pem (Porkbun) -> privkey.pem (certbot) -> ssl_certificate_key (nginx)
public.key.pem (Porkbun) -> cert.pem (certbot)
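Before pointing nginx at these files, it helps to confirm that private.key.pem really belongs to domain.cert.pem, that the chain verifies, and that the certificate is not about to expire. The script below is an added example, not part of the original article; the function names and the 30-day threshold are assumptions, and it needs the openssl command-line tool.

```shell
#!/bin/sh
# Added example: pre-flight checks for a manually installed certificate bundle.
# File names are the ones from the bundle above; function names and the
# 30-day threshold are assumptions made for this example.

# key_matches_cert CERT KEY
# Succeeds only if the public key in CERT equals the one derived from KEY.
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# chain_verifies CERT INTERMEDIATE [ROOT]
# Verifies the first certificate in CERT, using INTERMEDIATE as an untrusted
# helper. Without ROOT, the system trust store decides.
chain_verifies() {
    if [ -n "${3:-}" ]; then
        openssl verify -CAfile "$3" -untrusted "$2" "$1" >/dev/null 2>&1
    else
        openssl verify -untrusted "$2" "$1" >/dev/null 2>&1
    fi
}

# valid_for_days CERT DAYS
# Succeeds if CERT is still valid DAYS days from now.
valid_for_days() {
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}

# check_bundle DIR [ROOT]
# Runs all three checks on the bundle in DIR; non-zero if any of them fails.
check_bundle() {
    dir=$1; rc=0
    key_matches_cert "$dir/domain.cert.pem" "$dir/private.key.pem" \
        || { echo "FAIL: private.key.pem does not match domain.cert.pem"; rc=1; }
    chain_verifies "$dir/domain.cert.pem" "$dir/intermediate.cert.pem" "${2:-}" \
        || { echo "FAIL: certificate chain does not verify"; rc=1; }
    valid_for_days "$dir/domain.cert.pem" 30 \
        || { echo "FAIL: certificate expires within 30 days"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK: bundle in $dir is consistent"
    return "$rc"
}

# When run as a script: sh check.sh <bundle-directory> [root-ca-file]
if [ "$#" -gt 0 ]; then check_bundle "$@"; fi
```

Since a manually installed certificate is not renewed automatically, the expiry check is worth rerunning on a schedule until certbot takes over.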
If you want to understand these files more, you can check these StackOverflow discussions:
Now you need to move this file to your server. We can just use SCP to move it like this:
scp artilearn.app-ssl-bundle host@ipaddress:~/
The SSL certificate is successfully copied to our remote server. Now we need to put our website on the server. For the purposes of this tutorial, we will use a dummy HTML file just to test our SSL.
The last step is to configure the Nginx config file. We only need to configure 4 things:
The port where our website will be (Line 2)
SSL Certificate for the website (Line 3–5)
Root folder of our website (Line 6)
Domain name of our website (Line 7)
Now our certificate has been successfully set up. But don’t forget that this certificate was set up manually, and we haven’t configured any automatic renewal. So how should we do it? Well, we can go back to the first sentence of this article: being lazy and using certbot. We can do this now because our website can be accessed from the HTTPS URL, which the HTTP-01 challenge accepts. Now just go to the certbot site and follow the simple steps there!
Hello, I’m Adyaksa, and I write about software development and my language learning experience. I’m planning to release a weekly blog about something that I find interesting while working on my side projects. If you’re interested, you can follow me to keep updated about it!
This article is crossposted from my Medium account. You can follow it to get my latest article earlier.