How to Install Let’s Encrypt SSL Certificate in Nginx on Debian 11

Let’s Encrypt is a certificate authority that provides free SSL certificates for websites. Beyond issuing certificates, it also automates their creation, validation, signing, implementation, and renewal.

Let’s Encrypt is the world’s largest certificate authority, used by more than 250 million websites. It was launched in November 2014 with the goal of all websites being secure and using HTTPS.

Currently, Let’s Encrypt supports automatic installation of certificates on Apache, Nginx, Plex, and HAProxy.

Here, we will see how to install Let’s Encrypt SSL Certificate for Nginx on Debian 11.

Prerequisites

I recommend you install and set up the Nginx web server on your system before you proceed further.
READ: How to Install LEMP Stack on Debian 11

Create Virtualhost

First, we will need to create an Nginx virtual host to serve the HTTP version of your website.

sudo nano /etc/nginx/conf.d/www.itzgeek.net.conf

Use the below configuration for your website. Do remember to change the values based on your requirement.

server {
    server_name www.itzgeek.net;
    root /usr/share/nginx/www.itzgeek.net/;

    location / {
        index index.html index.htm index.php;
    }

    access_log /var/log/nginx/www.itzgeek.net.access.log;
    error_log /var/log/nginx/www.itzgeek.net.error.log;

    # Hand requests ending in .php to PHP-FPM (the dot is escaped so it matches literally)
    location ~ \.php$ {
        include fastcgi_params;
        fastcgi_intercept_errors on;
        fastcgi_pass unix:/run/php/php7.4-fpm.sock;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    }
}

Once you have created the virtual host configuration file, create a root directory to hold your website’s files.

sudo mkdir -p /usr/share/nginx/www.itzgeek.net/

Then, change the ownership and group of the directory.

sudo chown -R www-data:www-data /usr/share/nginx/www.itzgeek.net/

Finally, place the test HTML file on the document root of your domain.

echo "This is a test site @ www.itzgeek.net" | sudo tee /usr/share/nginx/www.itzgeek.net/index.html

Now, you will need to restart the Nginx service to re-read the configurations.

sudo systemctl restart nginx

Create / Update DNS Record

To generate the Let’s Encrypt SSL certificate for your domain, you will need to point your domain to your server IP. So, go to your domain registrar and create an A/CNAME record for your domain. For example, the below image shows the A/CNAME record for the domain www.itzgeek.net.

DNS record changes take time to propagate. So, wait a few minutes to a few hours, depending on the TTL you set for the DNS record.

Install Let’s Encrypt SSL Certificate For Nginx

Install Certbot

In addition to pointing a domain to your server IP, you will also need to install the Certbot ACME client on your system. The Certbot client handles certificate issuance and installation with no downtime.

Certbot is now available as a snap package for the Debian operating system. So, first, install the snapd package.

sudo apt update
sudo apt install -y snapd

Then, update snapd to the latest version.

sudo snap install core; sudo snap refresh core

Finally, install the Certbot client using the snap command.

sudo snap install --classic certbot
sudo ln -s /snap/bin/certbot /usr/bin/certbot

Install Let’s Encrypt Certificate

Use the certbot command to create a Let’s Encrypt certificate and configure Nginx to use the certificate.

sudo certbot --nginx

Follow the interactive prompt and install the certificate.

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Enter email address (used for urgent renewal and security notices)
 (Enter 'c' to cancel): admin@itzgeek.local

https://www.itzgeek.net.

sudo nano /etc/nginx/conf.d/www.itzgeek.net.conf 

Add the below information at the end of the file.

# Redirect NON-WWW HTTP to WWW HTTPS
server {
    if ($host = itzgeek.net) {
        return 301 https://www.itzgeek.net$request_uri;
    }

    server_name itzgeek.net;
    listen 80;
    return 404;
}

Then, restart the Nginx service.

sudo systemctl restart nginx 

Verify Let’s Encrypt Certificate

You can verify the Let’s Encrypt certificate by visiting your website.
http://your-http-web-site
OR
https://your-https-web-site
You should get the HTTPS version of your site now.

Test SSL Certificate

Test your Let’s Encrypt SSL certificate for any issues and its security ratings by going to the below URL.
https://www.ssllabs.com/ssltest/analyze.html?d=www.itzgeek.net

Renew Let’s Encrypt Certificate

Let’s Encrypt certificates have a validity of 90 days, and it is highly advisable to renew the certificates before they expire. Thankfully, a systemd service runs twice a day and automatically renews certificates that are about to expire.

Still, I recommend you run the below command to simulate the automatic renewal of your certificate.

sudo certbot renew --dry-run

Output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/www.itzgeek.net.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Account registered.
Simulating renewal of an existing certificate for www.itzgeek.net

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations, all simulated renewals succeeded:
  /etc/letsencrypt/live/www.itzgeek.net/fullchain.pem (success)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

If the output confirms that the renewal is working correctly, the automatic renewal will happen as expected.
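A dry run only proves that renewal would work today, so it helps to also watch the expiry date of the live certificate. The script below is an added example, not part of the original article: it reads the notAfter date of a PEM file and reports when the remaining lifetime shows that automatic renewal has stalled. It assumes GNU date and openssl are installed; the function names and the 25-day threshold are hypothetical choices, set a few days under Certbot's usual 30-day renewal window.

```shell
#!/bin/sh
# Added example (not from the original article): detect stalled auto-renewal.
# Assumptions: GNU date and openssl are installed; ALERT_BELOW_DAYS is a
# hypothetical threshold chosen below Certbot's usual 30-day renewal window.
ALERT_BELOW_DAYS=25

# days_until "<notAfter string>" [now_epoch]
# Prints whole days until expiry; negative once the date has passed.
days_until() {
    end_s=$(date -u -d "$1" +%s) || return 2
    now_s=${2:-$(date -u +%s)}
    diff=$(( end_s - now_s ))
    if [ "$diff" -lt 0 ]; then
        # Round towards minus infinity so an expired cert never reports 0.
        echo $(( (diff - 86399) / 86400 ))
    else
        echo $(( diff / 86400 ))
    fi
}

# renewal_state <days_left> -> OK | RENEWAL_STALLED | EXPIRED
renewal_state() {
    if [ "$1" -lt 0 ]; then
        echo EXPIRED
    elif [ "$1" -lt "$ALERT_BELOW_DAYS" ]; then
        echo RENEWAL_STALLED
    else
        echo OK
    fi
}

# check_cert <pem path>: prints one status line, returns 0 only when OK.
check_cert() {
    not_after=$(openssl x509 -noout -enddate -in "$1" | cut -d= -f2)
    [ -n "$not_after" ] || { echo "UNREADABLE $1"; return 2; }
    days=$(days_until "$not_after") || return 2
    state=$(renewal_state "$days")
    echo "$state ${days} days left: $1"
    [ "$state" = OK ]
}

# Usage: sudo sh check-cert.sh /etc/letsencrypt/live/www.itzgeek.net/fullchain.pem
if [ $# -gt 0 ]; then
    check_cert "$1"
fi
```

Run it from cron or a monitoring agent and alert on a non-zero exit status; root is needed because the files under /etc/letsencrypt/live are not world-readable.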

Source: here

Wagiman Wiryosukiro

Information systems farmer, welder of WordPress plugins & themes. Co-Founder of SistemInformasi.biz. Currently active as a developer & contributor at OpenMandriva Linux.
