Always SSL for free “https with Nginx”

This article shows how to serve your website (Nginx) over SSL at all times. Google Chrome displays a warning for plain HTTP pages, so enabling SSL is essential. Google also states that whether a web page is SSL-enabled affects SEO, and that the quality of the certificate is currently irrelevant, so anyone who has a web page should convert it to SSL. We therefore introduce a way to do this for free and to renew the SSL certificate automatically on a regular basis.

Let’s Encrypt

Certificates are available free of charge from Let’s Encrypt. Let’s Encrypt is run by ISRG, a US non-profit organization. Because the certificates are free, anyone who operates web pages on their own has every reason to use it.

Install certbot

First, install certbot. It’s easy: a single command does it. This assumes CentOS, where the yum command is used.

sudo yum -y install certbot

Create a certificate with certbot

Once the certbot command is available, you can create a certificate with the following commands. certbot can prompt you interactively, but a single command line is enough. certbot uses port 80, so any web server already listening on port 80 must be stopped first.

sudo systemctl stop nginx.service
sudo certbot certonly --standalone -d example.work -m admin@example.work --agree-tos -n
sudo systemctl start nginx.service

If port 80 is still in use, the following error occurs.

Problem binding to port 80: Could not bind to IPv4 or IPv6.

certbot places four files in "/etc/letsencrypt/live/example.work/". Of these, we use the following two.
・fullchain.pem: certificate
・privkey.pem: certificate private key

Change nginx settings

Configure nginx to use the certificate created by the certbot command by adding SSL settings to the configuration file (/etc/nginx/conf.d/default.conf, etc.). Two settings are added: one that redirects http to https, and one that enables https access with the certificate created above.

Below are additional settings.

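# Redirect every plain-HTTP request to HTTPS
server {
    listen 80;
    server_name example.work;
    return 301 https://$host$request_uri;
}
# Serve HTTPS with the certificate issued by Let's Encrypt
server {
    listen       443 ssl;
    server_name  example.work;
    ssl_certificate         /etc/letsencrypt/live/example.work/fullchain.pem;
    ssl_certificate_key     /etc/letsencrypt/live/example.work/privkey.pem;
}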

Certificate auto-renewal settings

Once the certificate can be obtained from the command line, renewal can be automated just by adding cron entries, so the site stays on SSL permanently. The right account depends on the environment; here cron runs the commands as the root user. A certificate can be renewed within 30 days of its expiration date, so I check twice a month.

$ sudo crontab -u root -e
0 1 1 * * systemctl stop nginx.service
1 1 1 * * certbot renew
3 1 1 * * systemctl start nginx.service
0 1 20 * * systemctl stop nginx.service
1 1 20 * * certbot renew
3 1 20 * * systemctl start nginx.service
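
The cron entries above stop nginx on every run, even when no certificate is due. The following wrapper is an added example, not part of the original article: it stops nginx only when the certificate is inside the 30-day window and starts it again even if certbot fails. The script name renew-cert.sh and the CERT and WINDOW_DAYS variables are assumptions.

```shell
#!/bin/sh
# Added example (not from the original article).
# Assumed: domain and certificate path as used in the article.
CERT=${CERT:-/etc/letsencrypt/live/example.work/fullchain.pem}
WINDOW_DAYS=${WINDOW_DAYS:-30}   # renewal window stated in the article

# Exit status 0 when the certificate expires within WINDOW_DAYS.
renewal_due() {
    # "openssl x509 -checkend N" exits 0 if the certificate is still
    # valid N seconds from now, non-zero if it will have expired.
    if openssl x509 -checkend $((WINDOW_DAYS * 86400)) -noout \
            -in "$CERT" >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# Free port 80, renew, and always bring nginx back up.
# Returns certbot's exit status (2 = stop failed, 3 = start failed).
renew_with_nginx_stopped() {
    systemctl stop nginx.service || return 2
    certbot_rc=0
    certbot renew || certbot_rc=$?
    systemctl start nginx.service || return 3
    return "$certbot_rc"
}

renew_if_due() {
    if [ ! -r "$CERT" ]; then
        echo "cannot read $CERT; nginx left running" >&2
        return 4
    fi
    if ! renewal_due; then
        echo "more than ${WINDOW_DAYS} days left; nginx left running"
        return 0
    fi
    renew_with_nginx_stopped
}

# Run only when invoked as "renew-cert.sh --run", so the file can also
# be sourced to reuse the functions.
if [ "${1:-}" = "--run" ]; then
    renew_if_due
fi
```

A single root crontab entry that calls the script with --run on the 1st and 20th can take the place of the six entries; a non-zero exit status means the renewal needs attention.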

Conclusion

We’ve shown how to enable SSL on your website for free. It’s easy, so if you have a web page, I think you should try it.