Recently I rebuilt my website using Nginx on a VPS hosted at UpCloud.com. After I had it set up and running well over plain HTTP, the next step was to enable SSL for the site.
My VPS was built at UpCloud on the $10/mo plan, which they claim is the fastest cloud VPS:
$10 / mo
1 GB Memory
1 CPU Core
30 GB MaxIOPS
2 TB Transfer
More than enough for my private blog. I chose Ubuntu 16.04 LTS as the OS, running Ghost Blog and Nginx.
Here we go!
On Ubuntu systems, the Certbot team maintains a PPA. Once you add it to your list of repositories, all you'll need to do is apt-get the following packages.
$ sudo apt-get update
$ sudo apt-get install software-properties-common
$ sudo add-apt-repository ppa:certbot/certbot
$ sudo apt-get update
$ sudo apt-get install python-certbot-nginx
Let’s Get Started
Certbot has an Nginx plugin, which is supported on many platforms, and automates both obtaining and installing certs:
$ sudo certbot --nginx
Running this command will get a certificate for you and have Certbot edit your Nginx configuration automatically to serve it. If you're feeling more conservative and would like to make the changes to your Nginx configuration by hand, you can use the certonly subcommand:
$ sudo certbot --nginx certonly
This will ask you some questions that you have to answer. Go ahead and follow the procedure. You need to enter a valid email address for renewal and security notices.
For this question:
Which names would you like to activate HTTPS for?
Press c to cancel, since Certbot currently does not support multiple server blocks/vhosts at this step.
Instead, we add our domains manually so that both server blocks/vhosts are covered:
$ sudo certbot --nginx -d waysquare.com -d www.waysquare.com

Congratulations! You have successfully enabled https://waysquare.com and
https://www.waysquare.com

You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=waysquare.com
https://www.ssllabs.com/ssltest/analyze.html?d=www.waysquare.com

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/waysquare.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/waysquare.com/privkey.pem
   Your cert will expire on 2018-01-12. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot again.
   To non-interactively renew *all* of your certificates, run "certbot renew"
You are done. The private key file is located at
If you're setting up a cron or systemd job, we recommend running it twice per day (it won't do anything until your certificates are due for renewal or revoked, but running it regularly would give your site a chance of staying online in case a Let's Encrypt-initiated revocation happened for some reason). Please select a random minute within the hour for your renewal tasks.
I use systemd, which is easier to manage and gives straightforward logging.
Let's create the unit files for both the service and the timer, renew-certbot.service and renew-certbot.timer, under /etc/systemd/system/:
[Unit]
Description=Let's Encrypt renewal

[Service]
Type=oneshot
ExecStart=/usr/bin/certbot renew --post-hook "/bin/systemctl restart nginx" --agree-tos
[Unit]
Description=Twice daily renewal of Let's Encrypt's certificates

[Timer]
OnCalendar=0/12:00:00
RandomizedDelaySec=1h
Persistent=true

[Install]
WantedBy=timers.target
For more information about Certbot renewal, see the official Certbot renewal documentation: https://certbot.eff.org/docs/using.html#renewal
Enable and start the timer:
$ sudo systemctl daemon-reload
$ sudo systemctl start renew-certbot.timer
$ sudo systemctl enable renew-certbot.timer
Starting the timer is necessary because otherwise it wouldn't be active until the next time you rebooted (assuming it was enabled, that is). You can verify that the timer has been started, see its planned execution times, read the service logs, etc. using the following commands:
$ sudo systemctl list-timers
$ sudo journalctl -u renew-certbot
$ sudo journalctl -u renew-certbot --since="yesterday"
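A timer that silently stops working only shows up when the site starts failing with an expired certificate, so it is worth checking the expiry date of the certificate Certbot wrote independently of the journal. The following is an added example, not code from the original post or from Certbot: it reads the notAfter date that openssl prints for fullchain.pem (the path from the certbot output above is the default; the 30-day renewal window is Certbot's default, the 20-day alert level and the sample notAfter value are assumptions of mine).

```python
# Added example (not from the original post): report how many days remain on the
# certificate Certbot wrote, so a stalled renew-certbot.timer is noticed before
# the "Your cert will expire on ..." date arrives. Certbot only renews once a
# cert has fewer than 30 days left, so a value below that for more than a day
# or two means the timer or the renewal run itself is failing.
import ssl
import subprocess
from datetime import datetime, timezone

RENEW_THRESHOLD_DAYS = 30   # Certbot's default renewal window
ALERT_THRESHOLD_DAYS = 20   # assumed alert level: below this, renewal has not happened


def parse_not_after(enddate_line: str) -> datetime:
    """Parse 'notAfter=Jan 12 23:59:59 2018 GMT' as printed by openssl x509 -enddate."""
    value = enddate_line.strip().split("=", 1)[1]
    # ssl.cert_time_to_seconds understands exactly the openssl date format (UTC).
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(value), tz=timezone.utc)


def days_left(enddate_line: str, now: datetime) -> int:
    """Whole days until the certificate expires; negative once it has expired."""
    return (parse_not_after(enddate_line) - now).days


def renewal_status(enddate_line: str, now: datetime) -> str:
    """Classify the certificate against Certbot's renewal window."""
    d = days_left(enddate_line, now)
    if d < 0:
        return "EXPIRED"
    if d < ALERT_THRESHOLD_DAYS:
        return "ALERT: renewal overdue"
    if d < RENEW_THRESHOLD_DAYS:
        return "due: certbot should renew on the next timer run"
    return "ok"


def enddate_of_pem(path: str) -> str:
    """Ask the system openssl for the notAfter line of a PEM certificate file."""
    out = subprocess.run(["openssl", "x509", "-noout", "-enddate", "-in", path],
                         capture_output=True, text=True, check=True)
    return out.stdout


if __name__ == "__main__":
    import sys
    # Default is the path Certbot printed in the post; pass another path as argv[1].
    pem = sys.argv[1] if len(sys.argv) > 1 else "/etc/letsencrypt/live/waysquare.com/fullchain.pem"
    try:
        line = enddate_of_pem(pem)
    except (OSError, subprocess.CalledProcessError):
        # Constructed sample matching the expiry date the post's certbot run printed.
        line = "notAfter=Jan 12 23:59:59 2018 GMT"
    now = datetime.now(tz=timezone.utc)
    print(f"{pem}: {days_left(line, now)} days left -> {renewal_status(line, now)}")
```

Run it from a second systemd timer or a monitoring check and alert on anything other than "ok" or "due".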