LetsEncrypt offers free SSL certificates for websites, allowing you to protect users who access your site.
This guide will go step by step moving an unencrypted HTTP website to using HTTPS on Nginx. For the purpose of this guide, I’ll be using the website guide.highguard.net. There is no content there.
Lets start with the site in nginx.
server {
server_name guide.highguard.net;
listen 80;
listen [::]:80;
root /var/www/guide;
index index.html;
access_log off;
error_log off;
location /favicon.ico {
log_not_found off;
access_log off;
}
location ~ /\.ht {
deny all;
}
}
Right now the URL guide.highguard.net will show whatever is located at /var/www/guide/index/html on the server. To enable HTTPS we will need to get a certificate from LetsEncrypt using CertBot, then set up the site to use it and also redirect HTTP requests to use HTTPS in an intelligent manner. Lets start with getting the certificate.
Install Certbot with apt install python-certbot python-certbot-nginx
, if you are using a distribution other than Debian, the package may have a different name or might not be available. The binary can be downloaded from the EFF.
Use Certbot to automatically create a challenge, request the certificate, download it, and install it.
certbot --nginx certonly
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Which names would you like to activate HTTPS for?
-------------------------------------------------------------------------------
1: guide.highguard.net
-------------------------------------------------------------------------------
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 1
Obtaining a new certificate
Performing the following challenges:
tls-sni-01 challenge for guide.highguard.net
Generating key (1024 bits): /var/lib/letsencrypt/snakeoil/0000_key.pem
Waiting for verification...
Cleaning up challenges
Generating key (2048 bits): /etc/letsencrypt/keys/0015_key-certbot.pem
Creating CSR: /etc/letsencrypt/csr/0015_csr-certbot.pem
The certificate is generated and dropped into /etc/letsencrypt/live/guide.highguard.net/. Now we can make changes to the config file for the site to take advantage of the certificate. The easiest way to do that is to change the top of the server block so that it will use SSL, then add a new server block that uses non-SSL to redirect unencrypted connections to HTTPS.
The new server block:
server {
server_name guide.highguard.net;
listen 80;
listen [::]:80;
return 301 https://$host$request_uri;
access_log off;
log_not_found_off;
}
Then put the old server block right below that with minor changes. Change the listen ports from 80 to 443 ssl and add the path to the cert.
server {
server_name guide.highguard.net;
listen 443 ssl;
listen [::] 443 ssl;
ssl_certificate /etc/letsencrypt/live/guide.highguard.net/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/guide.highguard.net/privkey.pem;
root /var/www/guide;
index index.html;
access_log off;
error_log off;
location /favicon.ico {
log_not_found off;
access_log off;
}
location ~ /\.ht {
deny all;
}
}