SSL Enabled With Nginx and Certbot (Let’s Encrypt)
What is Let’s Encrypt?
Let’s Encrypt is a non-profit certificate authority run by Internet Security Research Group.
It provides X.509 certificates for Transport Layer Security encryption at no charge. The certificate is valid for 90 days.
What is HTTP?
HTTP stands for Hypertext Transfer Protocol. HTTP uses TCP (Transmission Control Protocol) to send data packets between client and server. Port 80 is generally used for HTTP.
What is HTTPS?
HTTPS stands for Hypertext Transfer Protocol Secure. HTTPS also uses TCP (Transmission Control Protocol) to send data packets between client and server. Port 443 is generally used for HTTPS.
HTTPS is encrypted in order to increase the security of data transfer. HTTPS uses an encryption protocol called Transport Layer Security (TLS), which was formerly known as Secure Sockets Layer (SSL). This protocol secures communications by using what is known as an asymmetric public key infrastructure.
What is Certbot?
Certbot is a free, open source software tool for automatically using Let’s Encrypt certificates to enable HTTPS.
Certbot offers a variety of ways to validate your domain, fetch certificates, and automatically configure Apache and Nginx.
All the certificates are managed by Certbot, so we don’t need to take care of them ourselves.
What is Nginx?
Nginx is a web server which can also be used as a reverse proxy, load balancer, mail proxy and HTTP cache.
How to configure your application?
Prerequisites
- Ubuntu server
- Domain name (DNS) pointed at the server.
1. Go to your server. Here I am using SSH.
ssh <USER_NAME>@<SERVER_IP>
2. Install Nginx or Apache HTTP server. Here I am using Nginx.
sudo apt update
sudo apt install nginx
When we change the Nginx configuration, we must restart the Nginx service using the command below.
sudo systemctl restart nginx.service
3. Install Certbot.
sudo apt-get update
sudo apt-get install software-properties-common
sudo add-apt-repository universe
sudo add-apt-repository ppa:certbot/certbot
sudo apt-get update
sudo apt-get install certbot python3-certbot-nginx
4. Run Certbot.
This command turns on HTTPS access in a single step: it obtains a certificate and edits your Nginx configuration automatically.
sudo certbot --nginx
When we run the above command, we must provide the domain name. That is why we need a domain name pointing at the server.
After running the above command, the /etc/nginx/sites-enabled/default file looks like this.
It is listening on port 443 and Certbot has configured the certificates automatically. We didn’t do anything :) . After that we can access the domain name with HTTPS.
There is another Certbot command.
sudo certbot certonly --nginx
If you’re feeling more conservative and would like to make the changes to your Nginx configuration by hand, run the above command instead; it only obtains the certificate.
5. Renew Certificates
In Let’s Encrypt, a certificate is valid for 90 days, so we need to renew certificates before they expire. On Linux servers, we can use a cron job.
Another good thing is that the Certbot package comes with a cron job that renews the certificates, so here too we don’t need to do anything about the cron job ourselves.
This cron job is defined in /etc/cron.d/certbot.
There is another command to test automatic renewal of certificates.
sudo certbot renew --dry-run
Add Reverse Proxy
Here I am using a few dockerized microservices such as the web app, the REST API, etc. So we need the web app and the API to be publicly accessible with HTTPS support. That is why we came up with Certbot.
We can use Nginx as a reverse proxy. We can define several proxy_pass directives within the Nginx configuration. When a request comes to Nginx, it forwards the request to the appropriate Docker container.
When we call “https://<DNS_NAME>”, that request should be forwarded to the Docker web container.
location / {
proxy_pass http://172.17.0.6:4200;
}
When we call “https://<DNS_NAME>/api”, that request should be forwarded to the Docker REST API container.
location /api {
proxy_pass http://172.17.0.4:7654;
}
This is the /etc/nginx/sites-enabled/default file after adding the reverse proxy.
After changing the Nginx configuration we must restart the Nginx service.
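The screenshot of that file is not reproduced here, so the following is an added example (not the author's actual file) of what /etc/nginx/sites-enabled/default typically looks like after `certbot --nginx` has run and the two location blocks above have been added. It assumes example.com stands in for the real domain and that the container addresses quoted above are reachable from the host.

```nginx
# Added example, not the author's file. Assumed: example.com is the domain;
# container addresses are the ones quoted in the post.

# Plain HTTP: send everything to HTTPS (certbot adds this when you choose redirect).
server {
    listen 80;
    listen [::]:80;
    server_name example.com;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name example.com;

    # Paths written by certbot; the "live" symlinks always point at the newest renewal.
    ssl_certificate     /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
    include /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;

    # Web container. Note: IPs on Docker's default bridge can change when a
    # container restarts; publishing the port on 127.0.0.1 or using a
    # user-defined network with service names is more robust.
    location / {
        proxy_pass http://172.17.0.6:4200;
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    # REST API container; a prefix location, so /api/... is matched too.
    location /api {
        proxy_pass http://172.17.0.4:7654;
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

Run `sudo nginx -t` before restarting so a typo in this file does not take the site down; the X-Forwarded-Proto header lets the backend know the original request arrived over HTTPS.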
sudo systemctl restart nginx.service
After that we can access the web app and the REST API over HTTPS using the DNS name.
Within the web application, we use the REST API. When that API is accessed, the server looks like the image below.