Published | 26/03/2018 |
---|---|
Last Updated | 20/11/2024 |
15th Jan 2024: added command for Ubuntu 20+

Suppose we have a running website, example.com, with a proper Nginx config for HTTP access. By following the three steps below, we will have the website secured with HTTPS using Let's Encrypt certificates.

```sh
# Ubuntu 20+
sudo apt-get install python3-certbot-nginx

# Earlier versions
sudo add-apt-repository ppa:certbot/certbot  # press enter to accept
sudo apt-get update
sudo apt-get install python-certbot-nginx
```

```sh
sudo certbot --nginx -d example.com
```

If this is the first time you run certbot, it will ask for your email and your acceptance of the terms of service, then perform the challenge for the domain. If the process is successful, it will ask whether you want to redirect HTTP to HTTPS:

```
Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
-------------------------------------------------------------------------------
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
-------------------------------------------------------------------------------
Select the appropriate number [1-2] then [enter] (press 'c' to cancel):
```

Select your choice and hit enter. The Nginx config for the domain will be updated and reloaded. Test your site to verify it works.

Let's Encrypt certificates last for 90 days so we need to renew certificates before they expire.

To test the renewal process, do a dry run:

```sh
sudo certbot renew --dry-run
```

Make certbot renew automatically by adding the command to cron:

```
15 3 * * * /usr/bin/certbot renew --quiet
```

Note: If you are using CloudFlare, the TLS-SNI challenge used by the renew command will not work. Append this option to the renew command:

```
15 3 * * * /usr/bin/certbot renew --quiet --preferred-challenges http
```
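
A renewal that runs unattended from cron can fail without anyone noticing until the 90-day certificate expires, so it helps to check the expiry date independently. The script below is an added example, not part of the original post: it reads the certificate's `notAfter` date with `openssl` and reports when fewer days remain than a threshold. The script name, the 21-day threshold and the sample timestamp in the comments are assumptions, and it expects GNU `date`.

```shell
#!/bin/sh
# Added example (not from the original post): report when a certificate is
# close to expiry, which suggests the cron renewal is not working.
# Assumptions: GNU date, the openssl CLI, and a 21-day warning threshold
# (certbot by default starts renewing about 30 days before expiry).
# Usage: ./check_cert.sh /etc/letsencrypt/live/example.com/fullchain.pem [days]

# Classify an expiry timestamp.
#   $1 = notAfter as printed by openssl, e.g. "Jun  1 12:00:00 2024 GMT"
#   $2 = warning threshold in days
#   $3 = current time as epoch seconds (optional, defaults to now)
# Prints OK / RENEWAL_OVERDUE / EXPIRED and returns 0 only for OK.
renewal_status() {
    local end now days
    end=$(date -u -d "$1" +%s 2>/dev/null) || { echo "UNPARSEABLE"; return 2; }
    now=${3:-$(date -u +%s)}
    if [ "$end" -le "$now" ]; then
        echo "EXPIRED"
        return 1
    fi
    days=$(( (end - now) / 86400 ))
    if [ "$days" -lt "$2" ]; then
        echo "RENEWAL_OVERDUE ${days}d"
        return 1
    fi
    echo "OK ${days}d"
}

# Read the expiry date from a PEM certificate and classify it.
check_cert() {
    local not_after
    not_after=$(openssl x509 -enddate -noout -in "$1" 2>/dev/null | cut -d= -f2)
    if [ -z "$not_after" ]; then
        echo "UNREADABLE $1"
        return 2
    fi
    renewal_status "$not_after" "${2:-21}"
}

# Run only when a certificate path is given on the command line.
if [ "$#" -ge 1 ]; then
    check_cert "$1" "${2:-21}"
fi
```

Run it from a second cron entry or a monitoring job and alert on a non-zero exit status.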