Introduction
Securing your web server with SSL is a crucial step in protecting your users' data and ensuring the integrity of your web application. Let’s Encrypt is a popular service that offers free SSL certificates via an automated API, with Certbot as the most commonly used client. In this guide, we'll walk through the process of obtaining a Let’s Encrypt SSL certificate on Ubuntu 22.04 using Certbot's standalone mode, which suits services other than a typical web server as well.
We won't delve deeply into SSL configuration, but by the end of this tutorial, you'll have a valid certificate that renews automatically. Plus, you'll know how to automate the reloading of your service to account for the renewed certificate.
Prerequisites
Before starting, ensure you have the following:
- An Ubuntu 22.04 server with a non-root user configured with sudo privileges and a basic firewall.
- A domain name pointing to your server (replace your_domain in the tutorial with your actual domain).
- Port 80 or 443 must be free on your server. If these ports are occupied by a web server, consider using Certbot's webroot mode instead.
Step 1 — Installing Certbot
Certbot recommends using their snap package for installation. Snaps are supported on most Linux distributions, but you'll need snapd installed to manage snap packages. Ubuntu 22.04 supports snaps by default, so start by ensuring your snapd core is up to date:
sudo snap install core; sudo snap refresh core
If you have an older version of Certbot installed, remove it:
sudo apt remove certbot
Then, install the Certbot package:
sudo snap install --classic certbot
Finally, link the Certbot command to your path:
sudo ln -s /snap/bin/certbot /usr/bin/certbot
Certbot is now installed, and we can proceed to obtain our SSL certificate.
Step 2 — Running Certbot
Certbot needs to respond to a cryptographic challenge issued by the Let’s Encrypt API to prove that you control your domain. It uses ports 80 (HTTP) or 443 (HTTPS) for this purpose. Open the appropriate ports in your firewall:
sudo ufw allow 80
sudo ufw allow 443
Run Certbot to obtain your certificate, using the --standalone option to let Certbot handle the challenge with its built-in web server:
sudo certbot certonly --standalone -d your_domain
You’ll need to enter an email address and accept the terms of service. If successful, Certbot will inform you where the certificates are stored.
Step 3 — Configuring Your Application
Configuring your application for SSL varies depending on the software you use, but let’s explore what Certbot has downloaded. List the directory containing your keys and certificates:
sudo ls /etc/letsencrypt/live/your_domain
The most commonly needed files are:
- privkey.pem: This is the private key for your certificate. Keep this file secure and private.
- fullchain.pem: This is your certificate bundled with any intermediate certificates. Most configurations refer to this file as the actual certificate.
For more details on the other files, check the Certbot documentation.
Step 4 — Managing Automatic Renewals with Certbot
Let’s Encrypt certificates are valid for 90 days, encouraging users to automate the renewal process. The Certbot package handles this by adding a renewal script to /etc/cron.d, which runs twice daily to renew any certificates within 30 days of expiration.
To automate tasks after renewal, such as reloading your server, add a renew_hook to Certbot’s renewal configuration:
sudo nano /etc/letsencrypt/renewal/your_domain.conf
Add the following line to reload your services after renewal:
renew_hook = systemctl reload your_service
Replace your_service with the name of the service that must pick up the new certificate (or replace the whole command with whatever you need to run). Save and close the file, then perform a dry run to check for errors:
sudo certbot renew --dry-run
If there are no errors, you're all set. Certbot will now automatically renew your certificate and execute the necessary commands.
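As an added example (not part of the tutorial and not Certbot's own code), here is a deploy hook script that performs the reload step with a safety check in front of it: it refuses to reload anything if the renewed lineage is incomplete or the private key is readable by group or others. It relies on Certbot's documented deploy-hook environment variables RENEWED_LINEAGE and RENEWED_DOMAINS and on the /etc/letsencrypt/renewal-hooks/deploy/ directory; the domain-to-service mapping inside it is a constructed placeholder that you would edit for your own host.

```shell
#!/bin/sh
# Added example, not from the tutorial: a Certbot deploy hook that checks the
# renewed lineage before reloading the services that use it. Install it as
# /etc/letsencrypt/renewal-hooks/deploy/reload-services.sh (mode 0755), or set
# its path as the renew_hook value in /etc/letsencrypt/renewal/your_domain.conf.
# Certbot exports RENEWED_LINEAGE (the live/ directory of the lineage) and
# RENEWED_DOMAINS (space-separated) when it runs deploy hooks.
set -eu

# Return 0 only if the lineage directory has readable fullchain.pem and
# privkey.pem and the private key is not readable by group or others.
# Reloading a service with a group- or world-readable key would quietly
# expose it, so the hook refuses rather than proceeding.
lineage_ok() {
    dir=$1
    [ -r "$dir/fullchain.pem" ] && [ -r "$dir/privkey.pem" ] || return 1
    mode=$(stat -L -c %a "$dir/privkey.pem")   # e.g. 600; -L follows the live/ symlink
    case "$mode" in
        *00) return 0 ;;                         # owner-only bits: 600, 400, 700
        *)   return 1 ;;
    esac
}

# Map a renewed domain to the services that must pick up its certificate.
# This mapping is a constructed placeholder; edit it for your own host.
services_for_domain() {
    case "$1" in
        your_domain)      echo "nginx" ;;
        mail.your_domain) echo "postfix dovecot" ;;
        *)                echo "" ;;
    esac
}

# Reload each service in the space-separated list given as $1. RELOAD_CMD
# defaults to "systemctl reload"; export RELOAD_CMD=echo to exercise the logic
# without touching real services.
reload_services() {
    cmd=${RELOAD_CMD:-systemctl reload}
    for s in $1; do
        $cmd "$s"
    done
}

# Entry point used when Certbot invokes the hook.
run_hook() {
    lineage=${RENEWED_LINEAGE:?set by certbot}
    domains=${RENEWED_DOMAINS:?set by certbot}
    if ! lineage_ok "$lineage"; then
        echo "refusing to reload: $lineage failed checks" >&2
        return 1
    fi
    for d in $domains; do
        svcs=$(services_for_domain "$d")
        if [ -n "$svcs" ]; then
            reload_services "$svcs"
        fi
    done
}

# Run only when Certbot has exported its variables, so the file can also be
# sourced to exercise the functions by hand.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    run_hook
fi
```

After installing the script, the same sudo certbot renew --dry-run from the tutorial is the place to look for errors. The permission check is the reason to prefer a script over a bare systemctl reload in renew_hook: a reload is the moment a service starts serving whatever is in privkey.pem, so it is worth verifying the file's state first.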
Conclusion
In this tutorial, we installed the Let’s Encrypt Certbot client, obtained an SSL certificate using the standalone mode, and set up automatic renewals with custom hooks. This process provides a solid foundation for using Let’s Encrypt certificates with various services beyond the typical web server.