Setting up HTTPS on your nginx server

By now you've heard about Virtual Private Servers and you probably have one already. But if you shop around for secure certificates for serving your data over https, they are quite pricey.

Well... Not anymore!

The Let's Ecrypt certificate authority is issuing certificates for everyone... For free. Now you can have a https server without paying a dime for the certificate.

First things first, the certificated issued by Let's Encrypt are valid only for 90 days. So, you'll need to set up a routine to update your server certificates from time to time.

We'll be using Certbot as our way to obtain and install certificates in our nginx server.

Installing Certbot

Using debian jessie, we need to add the backports repository so we can download and install certbot trough apt-get in two ways:

  1. as root
# echo "deb http://ftp.debian.org/debian jessie-backports main" > /etc/apt/sources.list.d/backports.list
  1. as another user using sudo
$ echo "deb http://ftp.debian.org/debian jessie-backports main" | sudo tee -a /etc/apt/sources.list.d/backports.list

You can find out more about adding backports in the debian official page.

After that, remember to update the apt cache and install the certbot binary

# apt-get update
# apt-get install certbot -t jessie-backports

Creating your certificate

Make note of your web root folder. It will be needed by certbot (and Let's Encrypt) to verify that you are indeed the owner of your domain. In this tutorial we're assuming that you are serving both www.yourdomain.com and yourdomain.com on the same folder. You can also add as many domains as you like (up to 20), by adding more parameters.

Using the web root of /var/www/yourdomain.com/public, we'll ask for certbot to create and download our certificates:

certbot certonly --webroot -w /var/www/yourdomain.com/public -d yourdomain.com -d www.yourdomain.com

If you run many domains on a single server, you can run that command as many times as you like, for each of your domains, just changing the appropriate parameters.

Your certificates are saved at /etc/letsencrypt/live/yourdomain.com.

Configuring nginx

Now that we have our certificates, we need to tell nginx to serve a https version of our page. Edit your site configuration an add the following lines inside your server {} section

# Serve files in https port
listen 443 ssl; #ipv4
listen [::]:443 ssl; #ipv6

# Provide the path for your full certificate chain and your private key.
# Both of these files are provided by let's encrypt
ssl_certificate /etc/letsencrypt/live/yourdomain.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/yourdomain.com/privkey.pem;

Now you can test your configuration with nginx -t and, if all is well, restart your server with services nginx restart and you can start using your site trough https.

Updating certificates

Updating ALL certificates on your server is as simple as a single command:

# certbot renew

This will renew all certificates that are present on your server and were created by certbot automatically. For good measure, a cron job with the command is a good way to make sure that your certificates will never expire.

Thu, June 23rd, 2016