Introduction
To secure Nginx we are going to obtain free TLS/SSL certificates from a certificate authority (CA), thus providing HTTPS encryption for the web server.
In this guide we look at using Certbot to obtain a free SSL certificate for an Nginx web server on Debian 10, and at configuring automatic renewal of the certificates.
Preparation
We should do some steps before starting the main task:
- Start a server with Ubuntu or Debian and configure it following our instructions: set permissions for the new user and set up a firewall.
- Register a domain name. In this guide we use serverspace.tm as the domain name.
- Install and configure Nginx following the instructions.
Installing Certbot
According to the Certbot documentation, it is recommended to install the package via snap. Make sure the snap core is installed and up to date (snap has no "update" subcommand; "refresh" is the one that updates an installed snap):
snap install core && snap refresh core
Install the certbot package via snap:
snap install --classic certbot
After installation, create a symbolic link so that certbot can be executed from the /usr/bin/ directory:
ln -s /snap/bin/certbot /usr/bin/certbot
After certbot has been installed successfully we can move on to the Nginx configuration.
Nginx configuration
Certbot searches the Nginx configuration files for a server_name directive matching the requested domain and configures SSL for that server block automatically. Copy the default site file and set the server names in it:
cp /etc/nginx/sites-available/default /etc/nginx/sites-available/serverspace.tm
vim /etc/nginx/sites-available/serverspace.tm
...
server_name serverspace.tm www.serverspace.tm;
...
Save and exit with:
:wq!
After changing the files, check that the configuration is valid with:
nginx -t
If you receive the following error message while testing the configuration:
nginx: [emerg] socket() [::]:80 failed (97: Address family not supported by protocol)
then the server has no IPv6 support; comment out the line listen [::]:80; in /etc/nginx/sites-available/serverspace.tm and run the test again.
After making sure that the configuration files are correct, restart nginx:
service nginx restart
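The two checks from this section, as an added example that is not part of the original article: listing the server_name values certbot will find in a site file, and commenting out the IPv6 listen line when the "Address family not supported" error appears. The site file path follows the article's example (/etc/nginx/sites-available/serverspace.tm); the sample file written below is constructed for demonstration only.

```shell
#!/bin/sh
# Added example (not from the original article). Helper functions for the
# Nginx configuration step. They operate on a site file such as
# /etc/nginx/sites-available/serverspace.tm.

# Print the server_name values declared in a site file, one per line, so the
# names certbot will match against -d can be confirmed before running it.
# Strips the directive keyword, the trailing ';' and any inline comment.
list_server_names() {
    sed -n 's/^[[:space:]]*server_name[[:space:]][[:space:]]*//p' "$1" \
        | sed 's/;.*$//' \
        | tr ' ' '\n' \
        | sed '/^$/d'
}

# Comment out "listen [::]:80" lines, the fix the article gives for
# "socket() [::]:80 failed (97: Address family not supported by protocol)".
# Lines that are already commented are left untouched. The result is written
# to a temporary file and moved into place so a half-written site file is
# never left behind if sed fails.
disable_ipv6_listen() {
    tmp="$1.tmp.$$"
    sed 's/^\([[:space:]]*\)listen \[::\]:80/\1# listen [::]:80/' "$1" > "$tmp" \
        && mv "$tmp" "$1"
}

# Constructed sample site file for demonstration (not a real server's config).
SAMPLE_SITE="$(mktemp)"
cat > "$SAMPLE_SITE" <<'EOF'
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name serverspace.tm www.serverspace.tm;
    root /var/www/html;
}
EOF

# Demo run, only when invoked as "sh script.sh demo":
#   prints the server names, disables the IPv6 listen line, shows the result.
if [ "${1:-}" = "demo" ]; then
    list_server_names "$SAMPLE_SITE"
    disable_ipv6_listen "$SAMPLE_SITE"
    cat "$SAMPLE_SITE"
fi
```

Run nginx -t after disable_ipv6_listen as the article does; the function edits the file but does not validate or reload the server.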
Allow HTTPS via ufw
The ufw firewall must be configured as described in the preparation step; then allow full access to Nginx (both HTTP and HTTPS):
ufw allow 'Nginx Full'
Delete the old Nginx HTTP rule, which is now covered by Nginx Full:
ufw delete allow 'Nginx HTTP'
Check the firewall status via:
ufw status
Next, run certbot to obtain a certificate.
SSL certificates
Run the following command to obtain a certificate for our domain:
certbot --nginx -d serverspace.tm -d www.serverspace.tm
During the process you will be asked for an email address; at the end certbot prints the paths to the certificate files and their expiration date.
Once the certificates have been issued and the configuration applied, HTTP requests to the site are redirected to https:// automatically.
Automatic renewal with Certbot
Test the renewal process by running certbot in dry-run mode:
certbot renew --dry-run
If the command completes successfully, certbot renewal is working without errors.
If automatic renewal fails, a message is sent to the email address specified when the certificates were obtained.
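A small expiry check to run alongside certbot renew --dry-run, as an added example that is not part of the original article. It reports how many days remain on a certificate and whether certbot's renewal window (certificates are renewed when they are within 30 days of expiry) has been reached; this is useful for catching a renewal that silently stopped working before the expiry email arrives. The certificate path under /etc/letsencrypt/live/ is an assumption about certbot's default layout, and the date parsing relies on GNU date -d.

```shell
#!/bin/sh
# Added example (not from the original article): check how close a
# certificate is to expiry and whether certbot should already have renewed it.

RENEW_THRESHOLD_DAYS=30   # certbot renews certificates with fewer days left than this

# Days from now until the given expiry date, in the format openssl prints after
# "notAfter=" (e.g. "Jun  1 12:00:00 2030 GMT"). Negative means already expired.
# Uses GNU date -d for parsing; returns 2 if the date cannot be parsed.
days_until() {
    expiry_epoch="$(date -u -d "$1" +%s)" || return 2
    now_epoch="$(date -u +%s)"
    echo $(( (expiry_epoch - now_epoch) / 86400 ))
}

# Exit 0 if renewal is due (inside the threshold or already expired), 1 if not,
# 2 if the date could not be parsed.
renewal_due() {
    days="$(days_until "$1")" || return 2
    [ "$days" -lt "$RENEW_THRESHOLD_DAYS" ]
}

# Read notAfter from a certificate on disk and report. Assumes openssl is
# installed; the default path is certbot's usual layout for the article's
# example domain (an assumption, adjust to your domain).
report_cert() {
    cert="${1:-/etc/letsencrypt/live/serverspace.tm/fullchain.pem}"
    not_after="$(openssl x509 -in "$cert" -noout -enddate | sed 's/^notAfter=//')"
    days="$(days_until "$not_after")" || { echo "$cert: cannot parse expiry"; return 2; }
    if renewal_due "$not_after"; then
        echo "$cert: $days day(s) left, renewal due"
        return 1
    fi
    echo "$cert: $days day(s) left"
}

# Demo run against a live certificate, only when invoked as
# "sh script.sh demo [path]"; a non-zero exit means attention is needed.
if [ "${1:-}" = "demo" ]; then
    report_cert "${2:-}"
fi
```

The certbot snap package schedules renewal itself, so this check is a monitor rather than a replacement for it: a certificate that report_cert flags as "renewal due" is one the scheduled renewal has failed to replace, and the certbot logs should be examined.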
Conclusion
In this guide we covered:
- Setting up a domain configuration for Nginx;
- Installing certbot from the snap package manager;
- Installation of certificates;
- Testing certificate renewal with certbot.