SSL Certificate Setup

Install Certbot

sudo apt update
sudo apt install certbot python3-certbot-nginx

Obtain Certificate

# Install certificate and auto-configure Nginx
sudo certbot --nginx -d example.com -d www.example.com

# Or for a single domain
sudo certbot --nginx -d example.com

Auto Renewal Setup

# Test auto-renewal
sudo certbot renew --dry-run

# Check renewal timer
systemctl list-timers | grep certbot

Manual Nginx Configuration

If you prefer manual Nginx configuration:

server {
    listen 80;
    server_name example.com www.example.com;
    
    # Redirect all HTTP to HTTPS
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name example.com www.example.com;
    
    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/example.com/chain.pem;
    
    # SSL Configuration
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:50m;
    ssl_session_tickets off;
    
    # Modern SSL configuration
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
    ssl_prefer_server_ciphers off;
    
    # HSTS (uncomment if you're sure)
    # add_header Strict-Transport-Security "max-age=63072000" always;
    
    root /var/www/example.com;
    index index.html;
    
    location / {
        try_files $uri $uri/ =404;
    }
}

Common Commands

# List certificates
sudo certbot certificates

# Delete certificate
sudo certbot delete --cert-name example.com

# Force renewal
sudo certbot renew --force-renewal -d example.com

# Test Nginx config after changes
sudo nginx -t
sudo systemctl reload nginx

Troubleshooting

  1. Check certificate path:
     ls -l /etc/letsencrypt/live/example.com/
  2. Verify Nginx config:
     sudo nginx -t
  3. Check Certbot logs:
     sudo tail -f /var/log/letsencrypt/letsencrypt.log

Best Practices

  • Always back up the Nginx configuration before making changes
  • Use strong SSL settings
  • Enable HSTS only after thorough testing
  • Keep regular backups of /etc/letsencrypt
  • Monitor certificate expiration dates