HOW TO SECURE NGINX WITH LET'S ENCRYPT ON THE RASPBIAN STRETCH OS
--

The problem we have is enabling HTTPS on our websites or web applications without raising the costs or having to install any extra dependencies directly on our host. We will do this by using Let's Encrypt.

Let's Encrypt is a non-profit certificate authority run by the Internet Security Research Group (ISRG) that provides X.509 certificates for Transport Layer Security (TLS) encryption at no charge. Each certificate is valid for 90 days, during which renewal can take place at any time. The offer is accompanied by an automated process designed to replace the manual creation, validation, signing, installation, and renewal of certificates for secure websites.

GETTING STARTED

To follow this tutorial, you will need:

- SSH access to the Raspberry Pi
- An NGINX server configured to run on HTTP
- A registered domain

STEP 1: POINTING THE DOMAIN NAME AT THE HOST

First, we need to point the domain name at our host's IP address. That is how we will prove our ownership of the domain.

To do this, point the domain name at the host and put the proper configuration in place there to accept incoming requests.

Here is an example of pointing a domain name using the Advanced DNS settings on Namecheap, the domain registrar I use.

Type       Host   Value         TTL
A Record   @      (IPAddress)   Automatic

STEP 2: MAKE SURE THE SYSTEM IS UP TO DATE

To do so, open a Terminal window and SSH into your Pi. Once you are in, type the following commands:

sudo apt-get update


sudo apt-get upgrade -y


STEP 3: INSTALLING AND RUNNING LET'S ENCRYPT

Now we are ready to follow the instructions for installing Certbot, so type the following command:

sudo apt-get install certbot


With Certbot installed we can finally get an SSL certificate for our Raspberry Pi from Let's Encrypt. Make sure /var/www/4-bit.net points to a working website directory that can be reached from the internet, and replace 4-bit.net with your own domain name.

certbot certonly --webroot -w /var/www/4-bit.net -d 4-bit.net -d www.4-bit.net


After running this command, you will be prompted to enter some details, such as your email address. These details are required for Let's Encrypt to keep track of the certificates it provides and also allow them to contact you if any issues arise with the certificate.

Once you have filled out the required information, it will proceed to grab the certificate from Let's Encrypt.

If you run into any issues, make sure you have a valid domain name pointing at your IP and that ports 80 and 443 are unblocked.

The certificates grabbed by the certbot client are stored in the following folder (again, swap out 4-bit.net for your own domain name):

/etc/letsencrypt/live/4-bit.net/


You will find both the full chain file (fullchain.pem) and the certificate's private key file (privkey.pem) within this folder. Make sure you don't allow others to access these files, as they are what keep your SSL connection secure and identify it as legitimate.

STEP 4: SETTING NGINX CONFIGURATIONS

Begin by opening your NGINX configuration file. These are typically stored in /etc/nginx/ or /etc/nginx/sites-available/.

Once you have found your configuration file, open it with your favorite text editor (mine is nano). Within the file, search for a text block like the one displayed below. Make sure you swap out 4-bit.net for the domain name you are using.

server {
    listen 80 default_server;
    listen [::]:80 default_server;
    root /var/www/4-bit.net;

    index index.html;

    server_name 4-bit.net;

    location / {
        autoindex on;
        try_files $uri $uri/ =404;
    }
}


To this block of code, we will need to make some changes. Follow my steps and read my explanations below of why we are making each change.

Find

listen [::]:80 default_server;

Add Below

listen 443 ssl;

Find

server_name 4-bit.net;

Add Below

ssl_certificate /etc/letsencrypt/live/4-bit.net/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/4-bit.net/privkey.pem;

This change tells NGINX where to find our certificate files. It will use these to set up the SSL/HTTPS connection.

The private key is what secures the actual connection. Only your server should be able to read this file, and it must be kept secure; otherwise, anyone who obtains it could potentially intercept and decrypt your traffic.

The full chain file contains the server's certificate together with the chain of certificates a client needs to verify that it was legitimately signed by Let's Encrypt.

With all those changes done, you should end up with something similar to what is displayed below. Of course, make sure you replaced 4-bit.net with your domain name.

server {
    listen 80 default_server;
    listen [::]:80 default_server;
    listen 443 ssl;
    root /var/www/4-bit.net;

    index index.html;

    server_name 4-bit.net;

    ssl_certificate /etc/letsencrypt/live/4-bit.net/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/4-bit.net/privkey.pem;

    location / {
        autoindex on;
        try_files $uri $uri/ =404;
    }
}

Once you are satisfied that you have entered the new data correctly, save and quit the file, then reload NGINX so it picks up the new configuration.

To reload NGINX just type the following command:

sudo service nginx reload
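As an added example (not from the original post), here is a small POSIX shell script to check the result of Steps 3 and 4: that the server block carries the TLS directives, that the certificate and key files it references exist, that the private key is readable only by its owner, and, where openssl is installed, that the certificate still has enough days of validity left. The function names are my own; the paths in the usage comment are the tutorial's and are assumed to be where your files live.

```shell
#!/bin/sh
# Added checks for the procedure above (not from the original post).
# Assumed inputs: the NGINX server block file and the files it references,
# e.g. /etc/letsencrypt/live/4-bit.net/{fullchain,privkey}.pem from Step 3.

# Return 0 when a file is readable by its owner only (mode ?00, e.g. 600).
key_perms_ok() {
  mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1" 2>/dev/null) || return 1
  case "$mode" in
    *00) return 0 ;;
    *)   return 1 ;;
  esac
}

# Print the value of a one-argument directive (ssl_certificate, ...) taken
# from an NGINX config file; prints nothing when the directive is absent.
nginx_directive() {
  sed -n "s/^[[:space:]]*$2[[:space:]]\{1,\}\([^;]*\);.*/\1/p" "$1" | head -n 1
}

# Return 0 when the server block has the Step 4 directives, the certificate
# and key files exist, and the key is not readable by other users.
nginx_tls_config_ok() {
  conf=$1
  grep -Eq '^[[:space:]]*listen[[:space:]]+443[[:space:]]+ssl;' "$conf" || return 1
  cert=$(nginx_directive "$conf" ssl_certificate)
  key=$(nginx_directive "$conf" ssl_certificate_key)
  [ -n "$cert" ] && [ -n "$key" ] || return 1
  [ -f "$cert" ] && [ -f "$key" ] || return 1
  key_perms_ok "$key"
}

# Return 0 when the certificate stays valid for at least $2 more days
# (needs openssl); a failure here means renewal has not happened in time.
cert_valid_for_days() {
  openssl x509 -noout -checkend "$(( $2 * 86400 ))" -in "$1" >/dev/null 2>&1
}

# Usage on the tutorial's paths (assumed to be your site's config file):
#   nginx_tls_config_ok /etc/nginx/sites-available/default && echo "TLS config OK"
#   cert_valid_for_days /etc/letsencrypt/live/4-bit.net/fullchain.pem 30 || echo "renew soon"
```

Run the checks as root, since /etc/letsencrypt/live is not readable by ordinary users. Note also that the tutorial's block keeps autoindex on, which publishes a directory listing for any path that has no index file; most sites want that off.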

You should now have a fully operational HTTPS connection for your NGINX web server utilizing the certificate we generated with Let's Encrypt.

--
01100010 01111001 00100000 00100000 01000011 01101100 01100001
01110101 01100100 01101001 01101111 01000010 01110010 01110100