HTTPS setting in using certbot (with Nginx)

Hi, I’m Lovefield.

This article is about HTTPS settings for using Certbot. I'm setting HTTPS in my blog, but this is my first time writing an article.

Environment

• Ubuntu 22.04
• Nginx

First, we need snap to install Certbot. If you didn’t have snap, install snap. Using next command for using last version:

sudo snap install core && sudo snap refresh core

Install Certbotif snap is installed or updated.

>sudo snap install –classic certbot
certbot 1.32.1 from Certbot Project (certbot-eff✓) installed

Using next command for prepare the Certbot command:

sudo ln -s /snap/bin/certbot /usr/bin/certbot

Check the Certbot command.

>certbot –version
certbot 1.32.2

If the version information comes out well, we are ready to use Certbot. Nginx's config must have a server block based on 80 ports before using the following command.

server {
	listen 80;
	server_name dico.me;

	location / {...}
}

Use the HTTPS setting command.

certbot --nginx

If this is your first run, you must set Email and accept the Terms of Service and Terms of use.

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Enter email address (used for urgent renewal and security notices)
 (Enter 'c' to cancel): your@email.com

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.3-September-21-2022.pdf. You must
agree in order to register with the ACME server. Do you agree?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing, once your first certificate is successfully issued, to
share your email address with the Electronic Frontier Foundation, a founding
partner of the Let's Encrypt project and the non-profit organization that
develops Certbot? We'd like to send you email about our work encrypting the web,
EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y
Account registered.

Which names would you like to activate HTTPS for?
We recommend selecting either all domains, or all domains in a VirtualHost/server block.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: dico.me
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 1
Requesting a certificate for dico.me

Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/dico.me/fullchain.pem
Key is saved at:         /etc/letsencrypt/live/dico.me/privkey.pem
This certificate expires on 2023-03-10.
These files will be updated when the certificate renews.
Certbot has set up a scheduled task to automatically renew this certificate in the background.

Deploying certificate
Successfully deployed certificate for dico.me to /etc/nginx/sites-enabled/default
Congratulations! You have successfully enabled HTTPS on https://dico.me

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
If you like Certbot, please consider supporting our work by:
 * Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
 * Donating to EFF:                    https://eff.org/donate-le
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Nginx config is changed when the above process is over. You can leave this part as it is, but I personally tend to organize it neatly.

server {
	listen 80;
	server_name dico.me;
	return 301 https://dico.me
}

server {
	listen 443 ssl http2;
	server_name dico.me;

ssl_certificate /etc/letsencrypt/live/dico.me/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/dico.me/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

location / {...}	
}

Correct the Nginx settings as shown above. The HTTPS setting of the site is finished. Restart Nginx to take effect.

sudo service nginx restart

After restarting Nginx, you will be able to make sure that you have a good connection to https://dico.me. HTTPS setup is done well, but there are additional tasks that need to be done. Automate the update of certificates. Each certificate has its own expiration date. After this expiration, the certificate becomes invalid and alerts you if the browser accesses the site. In order to avoid this situation, you need to set up the certificate to update automatically.

sudo certbot renew --dry-run

Use the above command to register with Ubuntu's cron job.

Use the following command to verify that the registration is successful.

sudo certbot renew --dry-run

If “snap.certbot.renew.service” exists in the ACTIVATES portion of the item, it is registered normally well.