Sunday, September 25, 2022

Secure Nginx with Let’s Encrypt on Debian 11

In this article, we want to teach you How To Secure Nginx with Let’s Encrypt on Debian 11.

Let’s Encrypt is an open and automated certificate authority that uses the ACME (Automatic Certificate Management Environment ) protocol to provide free TLS/SSL certificates to any compatible client. These certificates can be used to encrypt communication between your web server and your users.

How To Secure Nginx with Let’s Encrypt on Debian 11

To secure your Nginx web server, you need some requirements.

Requirements

First, you must log in to your server as a non-root user with sudo privileges and set up a basic firewall. To do this, you can follow our guide the Initial Server Setup with Debian 11.

Then, you need to have Nginx installed on your server. To do this, you can check this guide How To Install Nginx on Debian 11.

Now follow the steps below to Secure Nginx with Let’s Encrypt.

Install Certbot on Debian 11

Here you need to install certbot and its Nginx plugin with the following command:

sudo apt install certbot python3-certbot-nginx

Then, you should check the Nginx configuration file on Debian 11 and check that the server name points to your domain name. Open the file with your favorite text editor, here we use vi:

sudo vi /etc/nginx/sites-available/example.com

Remember to replace your domain name in the commands.

Find the server_name line and it should look like this:

...
server_name example.com www.example.com;
...

When you are done, save and close the file.

Verify your Nginx configuration edits on Ubuntu 20.04 with the following command:

sudo nginx -t

In your output you will see:

Output
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

Then, reload Nginx to apply the new changes:

sudo systemctl reload nginx

At this point, you should allow HTTPS through the firewall to secure your Nginx on Ubuntu Debian 11. First, check your firewall status with the following command:

sudo ufw status

In your output you will see:

Output
Status: active
To                         Action      From
--                         ------      ----
Nginx HTTP                 ALLOW       Anywhere
OpenSSH                    ALLOW       Anywhere
Nginx HTTP (v6)            ALLOW       Anywhere (v6)
OpenSSH (v6)               ALLOW       Anywhere (v6)

You should allow Nginx Full through the firewall and delete the Nginx HTTP with the following commands on Ubuntu Debian 11:

$ sudo ufw allow 'Nginx Full'
$ sudo ufw delete allow 'Nginx HTTP'

Now you can start to run certbot and get your SSL certificate.

Get an SSL certificate with Let’s Encrypt on Debian 11

Certbot provides different ways to get SSL certificates through plugins. The Nginx plugin will take care of reconfiguring Nginx and reloading the config whenever necessary on Debian 11. To use this plugin, run the following command:

sudo certbot --nginx -d example.com

The above command will use for a single domain if you have multiple domains you can use the following command:

sudo certbot --nginx -d example.com -d www.example.com

You will be asked some questions. The first is to enter your email address and agree to the terms of service. Then, you will be asked Would you be willing to share your email address with the Electronic Frontier Foundation. Answer it by your choice. Also, certbot will ask you how you’d like to configure your HTTPS settings. Select your choice and hit enter.

in your output you will see:

Output
IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/example.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/example.com/privkey.pem
   Your cert will expire on 2022-09-18. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot again
   with the "certonly" option. To non-interactively renew *all* of
   your certificates, run "certbot renew"
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.
 - If you like Certbot, please consider supporting our work by:
   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le
Here your SSL certificates are downloaded, installed, and loaded. Your Nginx is secured with Let’s Encrypt on Debian 11. Now you can load your website by https:// and notice your browser’s security indicator.
Also, you can use the SSL Labs Servers Test to get an A grade.
As you know Let’s Encrypt certificates are valid for 90 days. Because of this, you can renew your process.
The certbot package takes care of this for us by adding a systemd timer that will run twice a day and automatically renew any certificate that’s within thirty days of expiration.
You can query the status of the timer with the following command:
sudo systemctl status certbot.timer
Output
● certbot.timer - Run certbot twice daily
Loaded: loaded (/lib/systemd/system/certbot.timer; enabled; vendor preset:>
Active: active (waiting) since Mon 2022-06-20 02:36:55 EDT; 5min ago
Trigger: Mon 2022-06-20 21:17:16 EDT; 18h left
Triggers: ● certbot.service

Now you can test the renewal process with certbot:
sudo certbot renew --dry-run
Output
Congratulations, all simulated renewals succeeded:
/etc/letsencrypt/live/example.com/fullchain.pem (success)
If you don’t see any errors, means that everything is ok.

Conclusion

At this point, you learn to secure your Nginx with Let’s Encrypt on Debian 11.
Hope you enjoy it.

Related Articles

LEAVE A REPLY

Please enter your comment!
Please enter your name here

Latest Articles