Blog

Install and Secure Nginx with Let’s Encrypt in Debian 10

Introduction

Nginx web service is one of the most popular web servers in the world and is used as a web service in large and highly visited websites. Let’s Encrypt is an SSL or CA security certificate issuer that is free to install on the web server and use as an HTTPS protocol. In this tutorial, we will learn how to install Nginx on Debian 10, how to install Let’s Encrypt as an SSL certificate issuer, and how to automatically update SSL.

Prerequisites

  • Make sure you are logged in with a user with sudo access to the server.
  • A registered domain with the required records as follows:
    • A record with example.com and a reference to the server’s IP address
    • A record with your www.example.com refers to the server’s IP address (optional)

Note: example.com is your domain address (for example hetzner.com)

Step 1 – Install Nginx web server

The Nginx package is available by default on Debian and can be installed on the server using the Debian package management.

Before that, we need to update the local packages index using the following command.

sudo apt update

We can now install Nginx using the following command.

sudo apt install nginx

To confirm the installation, press Enter and then Nginx and related packages will be installed.

Step 2 – Check the web server

After installing Nginx, the web server has already started and must work properly.

Using the following command, we can check the current state of Nginx.

systemctl status nginx

Sample output:

● nginx.service - A high performance web server and a reverse proxy server
   Loaded: loaded (/lib/systemd/system/nginx.service; enabled; vendor preset: enabled)
   Active: active (running) since Wed 2020-04-05 00:52:54 UTC; 23min 15s ago
     Docs: man:nginx(8)
 Main PID: 3942 (nginx)
    Tasks: 3 (limit: 4719)
   Memory: 6.1M
   CGroup: /system.slice/nginx.service
           ├─3942 nginx: master process /usr/sbin/nginx -g daemon on; master_process on;
           ├─3943 nginx: worker process
           └─3944 nginx: worker process

As you can see above, the web service has been successfully started.

To verify the correct operation, we can enter the IP address of our server in a browser. If you do not know the IP address of your server, you can use the following command to find the IP of the server.

curl ifconfig.co

Step 3 – Configure server block settings

When using Nginx Web Server, we can use server blocks (similar to virtual hosts in Apache) to configure details and host more than one domain on the server.

The Nginx web server in Debian 10 has an active server block by default in /var/www/html. This configuration is suitable for using a site on the server, but if we need to manage multiple sites on the server, we need changes to control the websites.

Create a directory or branch using the following command.

sudo mkdir -p /var/www/example.com/html

Next, we assign the ownership of the directory to the environmental variable $USER.

Note: $USER is the current user of the system or server.

sudo chown -R $USER:$USER /var/www/example.com/html

Using the following command, we set the correct permissions on our directory.

sudo chmod -R 755 /var/www/example.com

Then use an editor (such as vi) to create an index.html file as an instance.

sudo vi /var/www/example.com/html/index.html

In the created file, we add the following HTML code sample.

Success! Welcome to "example.com".

Save the file and exit.

In order for Nginx to be able to process and deliver this content, we need to create a server block with the correct instructions that point to our created directory. To not change the default configuration, we create a new configuration file with /etc/nginx/sites-available/example.com.

sudo vi /etc/nginx/sites-available/example.com

Add the following contents and settings to the created file.

server {
        listen 80;
        listen [::]:80;

        root /var/www/example.com/html;
        index index.php index.html index.htm;

        server_name example.com www.example.com;

        location / {
                try_files $uri $uri/ =404;
        }
}

In the following, we will add a link from the config file created to the active directories.

sudo ln -s /etc/nginx/sites-available/example.com /etc/nginx/sites-enabled/

Now the created server block has been activated and configured.

Using the following command, we make sure that there is no error in making changes and configurations.

sudo nginx -t

If the settings are done correctly, we will encounter the following output.

nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

After configuring, reload Nginx to apply the changes.

sudo systemctl reload nginx

Step 4 – Install Certbot

The first step in using Let’s Encrypt and issuing an SSL security certificate is to install Certbot on the server.

The python3-certbot-nginx installation package, which is located on the Debian Repository (Repository), allows us to install the Certbot plugin on Nginx. Before installing this package, we will update the list of packages.

sudo apt update

Then, using the following command, we install the desired packages.

sudo apt install python3-acme python3-certbot python3-mock python3-openssl python3-pkg-resources python3-pyparsing python3-zope.interface

Then install the python3-certbot-nginx package with the following command.

sudo apt install python3-certbot-nginx

Step 5 – Get the SSL security certificate

Certbot offers a variety of ways to get an SSL certificate, the Nginx plugin is a surefire way to get a certificate.

To get the SSL certificate, we use the following command.

sudo certbot --nginx -d example.com -d www.example.com

After executing this command, Certbot receives an email address and communicates with the Let’s Encrypt server to obtain the certificate.

If this connection is successful, Certbot will ask how to configure HTTPS.

Sample output:

Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
-------------------------------------------------------------------------------
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
-------------------------------------------------------------------------------
Select the appropriate number [1-2] then [enter] (press 'c' to cancel):

We will make our choice and after pressing Enter, the settings will be updated and Nginx will be reloaded to run the new settings.

With the following message, Certbot will confirm the correct installation of the security certificate.

Sample output:

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/example.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/example.com/privkey.pem
   Your cert will expire on 2020-15-05. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot again
   with the "certonly" option. To non-interactively renew *all* of
   your certificates, run "certbot renew"
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

Step 6 – Setup automatic SSL renewal

Let’s Encrypt certification is only valid for 90 days. This has led users to need to automatically renew their security certification.

For this purpose, by adding the extension script to /etc/cron.d, we can perform the renewal process automatically.

After receiving the SSL in Step 5, the /etc/cron.d/certbot file is created to renew the SSL security certificate with the following contents.

cat /etc/cron.d/certbot

Sample output:

# /etc/cron.d/certbot: crontab entries for the certbot package
#
# Upstream recommends attempting renewal twice a day
#
# Eventually, this will be an opportunity to validate certificates
# haven't been revoked, etc.  Renewal will only occur if expiration
# is within 30 days.
#
# Important Note!  This cronjob will NOT be executed if you are
# running systemd as your init system.  If you are running systemd,
# the cronjob.timer function takes precedence over this cronjob.  For
# more details, see the systemd.timer manpage, or use systemctl show
# certbot.timer.
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

0 */12 * * * root test -x /usr/bin/certbot -a \! -d /run/systemd/system && perl -e 'sleep int(rand(43200))' && certbot -q renew

The script runs twice a day and renews certificates that will expire within 30 days.

To check the renewal process, we can execute the following command manually.

sudo certbot renew --dry-run

If you do not receive an error, the automatic renewal process will be performed correctly.

Conclusion

In this tutorial, we learned how to install Nginx and configure its server blocks, as well as installing and renewing Let’s Encrypt automatically.

Reprint:https://community.hetzner.com/tutorials/install-and-secure-nginx-lets-encrypt-debian-10

Posted

in

by

admin

Tags:

Comments

Leave a Reply

Your email address will not be published. Required fields are marked *