Obtaining a free SSL certificate from Let’s Encrypt

Let’s Encrypt is a free, automated certificate authority run by the Internet Security Research Group (ISRG). It issues domain-validated TLS certificates (still commonly called SSL certificates) at no charge.

Obtaining the certificate, installing it in the web server and setting up automatic renewal are all automated by the Certbot client, which proves control of the domain to Let’s Encrypt using the ACME protocol.

To obtain a free certificate from Let’s Encrypt, do the following:

  • install the Certbot client;

  • configure Nginx;

  • allow HTTPS through the firewall;

  • obtain an SSL certificate;

  • verify that Certbot’s automatic renewal works.

Installation of Certbot client

On Debian or Ubuntu, install the Certbot client together with its Nginx plugin (the plugin lets Certbot read and edit the Nginx configuration and reload the server):

sudo apt install certbot python3-certbot-nginx

After the installation is complete, Certbot is ready to use.

Then you need to configure the Nginx web server.

Nginx configuration

Certbot’s Nginx plugin locates the server block to edit by matching the requested domain against the server_name directive, so the block for your site must list every hostname that the certificate should cover.

Open your domain configuration file in a text editor (for example, nano):

sudo nano /etc/nginx/sites-available/example.com

In the server_name line, list the registered domain name and every other hostname the certificate should cover, for example:

server_name example.com www.example.com;

Save the changes, close the editor and check the syntax of the whole configuration:

sudo nginx -t

If nginx -t reports an error, its message names the file and line; fix the server block and test again before continuing.

To finish, reload Nginx so it picks up the new configuration without dropping open connections:

sudo systemctl reload nginx

After that, Certbot can find the server block and update it automatically.

Setting up HTTPS Access Through Firewall

To allow HTTPS traffic on the web server, you need to configure your firewall.

To display the current rules of the ufw firewall:

sudo ufw status

If only HTTP traffic is allowed on the web server, the result will look like this:

Output
Status: active

To                         Action      From
--                         ------      ----
OpenSSH                    ALLOW       Anywhere
Nginx HTTP                 ALLOW       Anywhere
OpenSSH (v6)               ALLOW       Anywhere (v6)
Nginx HTTP (v6)            ALLOW       Anywhere (v6)

Then allow the Nginx Full application profile (ports 80 and 443/tcp) and delete the rule for the Nginx HTTP profile, which Nginx Full makes redundant. Port 80 must stay open: Certbot’s HTTP-01 validation and the HTTP-to-HTTPS redirect both depend on it.

Example for the ufw firewall:

sudo ufw allow 'Nginx Full'

sudo ufw delete allow 'Nginx HTTP'

The result should look like this:

Output
Status: active

To                         Action      From
--                         ------      ----
OpenSSH                    ALLOW       Anywhere
Nginx Full                 ALLOW       Anywhere
OpenSSH (v6)               ALLOW       Anywhere (v6)
Nginx Full (v6)            ALLOW       Anywhere (v6)
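Before running Certbot it is worth checking what the Nginx and firewall steps above set up, plus the one thing they rely on silently: that the name resolves to this host, because the HTTP-01 validation must reach port 80 here. The script below is an added example written for this guide, not part of Certbot or of the original page. It assumes the domain and the server-block path are passed as arguments, the ufw table format shown above, and a Linux host with getent and ip; the function names (server_block_has_name, ufw_allows_https, name_resolves_to_host, preflight) are this script’s own.

```shell
#!/bin/sh
# Pre-flight checks before "certbot --nginx". Added example, not Certbot's
# own code. Assumes: domain and server-block file given as arguments, the
# "ufw status" table format shown in the guide, Linux (getent, ip).
set -u

# Certbot's Nginx plugin selects the server block by matching each -d name
# against server_name, so the name must appear there exactly.
server_block_has_name() {
    file=$1; name=$2
    sed 's/#.*//' "$file" \
      | awk '$1 == "server_name" {
                 for (i = 2; i <= NF; i++) { n = $i; sub(/;$/, "", n); if (n != "") print n }
             }' \
      | grep -qxF -- "$name"
}

# Reads "ufw status" on stdin. Exit 0 if HTTPS is allowed ("Nginx Full",
# "Nginx HTTPS" or a bare 443 rule), 1 if not, 2 if ufw is inactive
# (then it filters nothing, so "allowed" is meaningless).
ufw_allows_https() {
    awk '
        /^Status: inactive/ { inactive = 1 }
        $0 ~ /ALLOW/ && (($1 == "Nginx" && ($2 == "Full" || $2 == "HTTPS")) || $1 ~ /^443(\/tcp)?$/) { ok = 1 }
        END { if (inactive) exit 2; exit (ok ? 0 : 1) }'
}

# HTTP-01 validation needs the name to resolve to this host and port 80 to be
# reachable from the Internet; a name pointing elsewhere fails before any
# certificate is issued. Behind NAT the public address is not local, so only warn.
name_resolves_to_host() {
    name=$1
    addr=$(getent ahostsv4 "$name" | awk 'NR == 1 { print $1 }')
    if [ -z "$addr" ]; then
        echo "FAIL: $name does not resolve" >&2; return 1
    fi
    if ! ip -4 -o addr show 2>/dev/null | awk '{ print $4 }' | sed 's#/.*##' | grep -qxF -- "$addr"; then
        echo "WARN: $name resolves to $addr, which is not a local address (NAT or a proxy in front?)" >&2
    fi
    return 0
}

preflight() {
    name=$1; file=$2; rc=0
    server_block_has_name "$file" "$name" \
        || { echo "FAIL: $name is not in a server_name directive of $file" >&2; rc=1; }
    sudo nginx -t >/dev/null 2>&1 \
        || { echo "FAIL: nginx -t rejects the configuration" >&2; rc=1; }
    sudo ufw status | ufw_allows_https
    case $? in
        1) echo "FAIL: ufw does not allow 443/tcp (sudo ufw allow 'Nginx Full')" >&2; rc=1 ;;
        2) echo "WARN: ufw is inactive; nothing is being filtered" >&2 ;;
    esac
    name_resolves_to_host "$name" || rc=1
    return $rc
}

# Usage: sh preflight.sh example.com /etc/nginx/sites-available/example.com
if [ "$#" -eq 2 ]; then
    preflight "$1" "$2"
fi
```

A non-zero exit means Certbot would fail or, worse, issue a certificate that Nginx cannot serve; fix every FAIL line before continuing. The ufw parser deliberately treats an inactive firewall as a separate case, since "Status: inactive" means every port is open, not that HTTPS was allowed.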

Obtaining an SSL certificate

Start Certbot with the --nginx plugin and pass every hostname from the server_name directive with its own -d option, for example:

sudo certbot --nginx -d example.com -d www.example.com

On its first run Certbot asks for an e-mail address (used for the ACME account and its notices) and acceptance of the terms of service. It then registers the account with Let’s Encrypt, which validates control of each requested name with the HTTP-01 challenge: it fetches a token from http://<domain>/.well-known/acme-challenge/<token> on port 80, which the Nginx plugin serves temporarily from the matching server block. The name must therefore resolve to this server, and port 80 must be reachable from the Internet.

Certbot then asks whether plain HTTP should be redirected to HTTPS:

Output
Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel):

After you select an option, Certbot writes the certificate paths (and, for option 2, a 301 redirect from HTTP to HTTPS) into the server block and reloads Nginx so the new settings take effect. Choose option 2 for a new site: without the redirect, plain-HTTP requests keep being served unencrypted.

Once the process is complete, Certbot will display a notification message with the information where your certificate is stored:

Output
IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/example.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/example.com/privkey.pem
   Your cert will expire on 2020-08-18. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot again
   with the "certonly" option. To non-interactively renew *all* of
   your certificates, run "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

At this point the certificate is issued, installed in the Nginx configuration and in use. The files under /etc/letsencrypt/live/example.com/ are symlinks to the current versions in /etc/letsencrypt/archive/, and Certbot renews into the same paths, so other services can reference them directly. privkey.pem is the server’s private key and is readable only by root; never copy it into a repository or loosen its permissions to make a backup easier.

Checking Certbot automatic renewals

Let’s Encrypt certificates are valid for 90 days. The certbot package installs a systemd timer, certbot.timer, that runs certbot renew twice a day; each run renews every certificate with fewer than 30 days of validity left (not every certificate older than 30 days) and leaves the rest untouched, so a healthy setup renews each certificate about 60 days after issuance.

To check the status of the timer, run the following command:

sudo systemctl status certbot.timer

Output
● certbot.timer - Run certbot twice daily
     Loaded: loaded (/lib/systemd/system/certbot.timer; enabled; vendor preset: enabled)
     Active: active (waiting) since Mon 2020-05-04 20:04:36 UTC; 2 weeks 1 days ago
    Trigger: Thu 2020-05-21 05:22:32 UTC; 9h left
   Triggers:
● certbot.service

To test the renewal process end to end without touching the real certificate, run a dry run (it talks to the Let’s Encrypt staging environment and issues nothing):

sudo certbot renew --dry-run

When the timer renews a certificate, the Nginx plugin also reloads Nginx so the new certificate is served immediately. Certbot itself sends no e-mail. Let’s Encrypt has sent expiry warnings to the account address (about 20, 10 and 1 days before expiry) when a certificate was not renewed, but has since announced that it is ending these notifications, so do not rely on them: check the timer’s journal (journalctl -u certbot.service) and the certificate’s expiry date yourself, and treat a certificate that is inside its 30-day window and still not renewed as a failure to investigate.
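The issuance step above is interactive, and the renewal section makes claims (the timer, the 30-day window, the dry run) that are worth verifying on the host rather than assuming. The script below is an added example written for this guide, not Certbot’s own code: it issues a certificate non-interactively for scripted deployments and checks renewal health. It assumes Certbot’s default layout under /etc/letsencrypt, a systemd host with certbot.timer, openssl on PATH, and that it runs as root (the live/ directory is readable only by root); the function names and the CERTBOT, LIVE_DIR and RENEWAL_DIR variables are this script’s own. The renew_before_expiry key it reads is Certbot’s documented per-certificate override of the 30-day default.

```shell
#!/bin/sh
# Scripted issuance and renewal health check for a certificate installed by
# "certbot --nginx". Added example, not Certbot's own code. Assumes the default
# layout (/etc/letsencrypt/live/<domain>/fullchain.pem and
# /etc/letsencrypt/renewal/<domain>.conf), systemd, openssl, and running as root.
set -u

CERTBOT=${CERTBOT:-certbot}
LIVE_DIR=${LIVE_DIR:-/etc/letsencrypt/live}
RENEWAL_DIR=${RENEWAL_DIR:-/etc/letsencrypt/renewal}
RENEW_DAYS=30   # Certbot's default: renew when fewer than 30 days of validity remain

# Non-interactive issuance: one -d per hostname the server block answers to,
# the account e-mail given explicitly, terms accepted, HTTP redirected to HTTPS.
# Usage: issue_cert admin@example.com example.com www.example.com
issue_cert() {
    email=$1; shift
    names=""
    for n in "$@"; do names="$names -d $n"; done
    # $names is split on purpose: it holds plain hostnames, never spaces
    $CERTBOT --nginx --non-interactive --agree-tos --email "$email" --redirect $names
}

# Pure decision on seconds of validity left, kept separate so it is testable
# without a certificate: renewal is due when less than the window remains.
needs_renewal() {
    seconds_left=$1; window_days=$2
    [ "$seconds_left" -lt $((window_days * 86400)) ]
}

# "openssl x509 -checkend N" exits 0 only if the certificate is still valid
# N seconds from now, so a non-zero exit means it expires inside the window.
cert_needs_renewal() {
    cert=$1; window_days=$2
    ! openssl x509 -noout -in "$cert" -checkend $((window_days * 86400)) >/dev/null 2>&1
}

# Days left, for the report (GNU date); prints "?" if the date cannot be read.
cert_days_left() {
    end=$(openssl x509 -noout -enddate -in "$1" 2>/dev/null | sed 's/^notAfter=//')
    [ -n "$end" ] || { echo "?"; return 0; }
    end_epoch=$(date -u -d "$end" +%s 2>/dev/null) || { echo "?"; return 0; }
    echo $(( (end_epoch - $(date -u +%s)) / 86400 ))
}

# Per-certificate override "renew_before_expiry = N days" in the renewal
# config, if present; otherwise Certbot's 30-day default.
renew_window_days() {
    d=$(sed -n 's/^[[:space:]]*renew_before_expiry[[:space:]]*=[[:space:]]*\([0-9][0-9]*\).*/\1/p' "$1" 2>/dev/null | head -n 1)
    echo "${d:-$RENEW_DAYS}"
}

# Timer active, certificate outside its renewal window, dry run against the
# staging environment succeeding: all three, or exit 1.
check_renewal() {
    domain=$1; rc=0
    cert=$LIVE_DIR/$domain/fullchain.pem
    window=$(renew_window_days "$RENEWAL_DIR/$domain.conf")
    if ! systemctl is-active --quiet certbot.timer; then
        echo "FAIL: certbot.timer is not active (systemctl enable --now certbot.timer)" >&2; rc=1
    fi
    echo "$domain: $(cert_days_left "$cert") day(s) of validity left, renewal window $window day(s)"
    if cert_needs_renewal "$cert" "$window"; then
        echo "FAIL: $domain is inside its renewal window and has not been renewed;" >&2
        echo "      see: journalctl -u certbot.service" >&2; rc=1
    fi
    $CERTBOT renew --dry-run >/dev/null 2>&1 \
        || { echo "FAIL: certbot renew --dry-run failed" >&2; rc=1; }
    return $rc
}

# Usage: sudo sh renewal-check.sh example.com
if [ "$#" -eq 1 ]; then
    check_renewal "$1"
fi
```

Run it once after issuance and again from a monitoring job. The timer fires twice a day, so a FAIL on the window check a day or more into the 30-day window means renewal is not happening, and journalctl -u certbot.service will show why (typically port 80 closed, the name no longer pointing at this host, or a rate limit).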