Not so long time ago, HTTPS connections were something you can meet only on a ‘big’ web-sites — like shops, banks, enterprises etc. They were not cheap to buy, and also required some knowledge to be properly applied.
Things changed (at least, for me) when a company named Let’s Encrypt started to provide SSL certificates for free. Their certificates had limited validity time (90 days instead of 1 year for ‘real’ certificates), but they also were not meant to be managed manually —there is a tool certbot
, which helps to obtain, apply and automatically renew certificates for as long, as you wish. Yep, for free.
Few years ago, when I tried LetsEncrypt for the first time, certbot
was not the easiest tool to use — it took me a good half of day to google, read, pray and work in a terminal.
But, yesterday, while moving my personal projects to a new VPS, I had to go though this process for a couple of domains and discovered, that things got much, much better since then.
So, ladies and gentlemen, here is the full set of instructions, how to retrieve an SSL certificate, apply it to your site (served with NGINX in Ubuntu 20.04), and set up automatic renewals:
# intall binaries
sudo apt-get install certbot python3-certbot-nginx
# request a certificate (it will be installed
# automatically, and renewals will be set up too)
sudo certbot --nginx -d yourhost.com
You will be asked a few simple questions (your email address, service agreement etc), then certbot
will do it job, and that’s it. Magic!*
Another important thing I’ve discovered is, that in case you’ve lost your certificates, or even have them on another server but don’t want to bother with transferring to the one — it’s totally OK to just run the certbot
as shown above. Though, there is a limit of 5 re-issues of the same certificate per week, so keep it in mind.
* Of course, it’s not magic. Magic does not exist. certbot
analyzes your NGINX configs, temporarily updates them to check if those are configs of the domain you’ve requested a certificate for, and in case of success updates them again with the the parts related to HTTPS. And also sets up periodic task for automatic ceritificates renewal.