
NGINX + certbot = auto-renewing TLS/SSL magic

Please allow me to show you a super-sweet setup. I have used this setup several times now and it has proven to be a simple and effective way to get sites up and running with A+ TLS configuration and auto-renewing certificates.

All of this is based upon Debian 10, but I am sure your favorite distribution will be very similar.

Assumptions:

First let's get some base requirements installed:

apt update
apt upgrade
apt install nginx certbot

Make your nginx site config and symlink it.

Important note: Comment out the 2nd server block in your nginx config until you have generated the certificate; nginx refuses to start while the ssl_certificate and ssl_dhparam files that block references do not exist yet.

Contents of /etc/nginx/sites-available/example.com.conf:

server {
    server_name example.com www.example.com;

    listen 80;
    listen [::]:80;

    # certbot --webroot drops its HTTP-01 challenge files under this directory,
    # so it must exist and be readable by nginx before certbot runs.
    location /.well-known/acme-challenge/ {
        root /var/www/example.com/public;
        try_files $uri =404;
    }

    # I suggest un-commenting this line
    # to force redirects after your initial
    # TLS certificate.
    #return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    listen [::]:443 ssl;

    root /var/www/example.com/public;

    server_name example.com www.example.com;
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
    ssl_protocols TLSv1.2 TLSv1.3;
    # ssl_ciphers only governs TLS 1.2; TLS 1.3 uses OpenSSL's default suites.
    # The "AES256-GCM-SHA512" names seen in many copied configs are not real
    # OpenSSL cipher suites (OpenSSL silently ignores them), so they are left out.
    ssl_ciphers ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384;
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;
    # Generated below with "openssl dhparam"; nginx will not start until it exists.
    ssl_dhparam /etc/ssl/certs/dhparam.pem;
    ssl_ecdh_curve secp384r1;

    try_files $uri @proxy;

    location @proxy {
        proxy_pass http://localhost:3000;
    }

}

Symlink your site configuration:

ln -s /etc/nginx/sites-available/example.com.conf /etc/nginx/sites-enabled/

Restart nginx:

systemctl restart nginx

Run certbot to get your certificates (the webroot directory must exist and nginx must be serving it over plain HTTP, otherwise the HTTP-01 validation fails):

certbot certonly --webroot --webroot-path /var/www/example.com/public -d example.com -d www.example.com --expand

Generate strong parameters for maximum TLS security. The -dsaparam flag makes generating a 4096-bit group much faster than the default safe-prime search; such parameters require a fresh DH key per handshake, which OpenSSL 1.1 and later always does:

openssl dhparam -dsaparam -out /etc/ssl/certs/dhparam.pem 4096

Finale!

Now you can un-comment the 2nd server block (and the return 301 redirect in the first one) in your nginx site configuration and restart nginx in order to enable TLS.

Restart nginx:

systemctl restart nginx

Test your site at SSL Labs and hopefully you see an A+ score!

One more thing.

Make sure you renew your certificate on a regular basis. I renew my certificates by entering a crontab like so (as root):

# certbot writes renewed files under /etc/letsencrypt/live, but nginx keeps the
# old certificate in memory until it reloads, so hook the reload onto renewal.
0 0 * * * certbot renew --deploy-hook "systemctl reload nginx"
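As an added example for this article (not part of the original post, and not certbot's or nginx's own tooling), here is a small POSIX shell script that covers the "test your site" step locally and the renewal caveat in one place: it confirms that the acme-challenge path is reachable over plain HTTP the way the ACME validator fetches it, that the certificate nginx actually serves is the one under /etc/letsencrypt/live (a mismatch is exactly what you get when certbot renew runs without a reload), how many days remain before expiry, and that the HSTS header carries the one-year max-age the config above sends. It assumes openssl, curl and GNU date are installed and that the paths follow the article's layout; the hostname argument and the function names are my own.

```shell
#!/bin/sh
# tls-check.sh: sanity checks for the nginx + certbot layout described above.
# Added example for this article, not part of the original post.
# Assumed tools: openssl, curl, GNU date (for -d). Paths follow the article:
# /etc/letsencrypt/live/<host>/fullchain.pem and /var/www/<host>/public.

# Days from NOW_EPOCH until the expiry in an `openssl x509 -noout -enddate`
# line such as "notAfter=Mar  1 12:00:00 2030 GMT" (negative once expired).
days_left() {
    now="$1"
    enddate="${2#notAfter=}"
    end=$(date -u -d "$enddate" +%s)
    echo $(( (end - now) / 86400 ))
}

# Succeeds only if a response header line is an HSTS header whose max-age is
# at least the 31536000 seconds (one year) the config above sends.
hsts_ok() {
    line=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    case "$line" in
        strict-transport-security:*max-age=*) ;;
        *) return 1 ;;
    esac
    age=$(printf '%s' "$line" | sed -n 's/.*max-age=\([0-9][0-9]*\).*/\1/p')
    [ -n "$age" ] && [ "$age" -ge 31536000 ]
}

# SHA-256 fingerprint of the leaf certificate in a PEM file.
fingerprint_of_file() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# SHA-256 fingerprint of the leaf certificate nginx actually serves for HOST
# (SNI is sent so the right server block answers).
fingerprint_served() {
    printf '' | openssl s_client -connect "$1:443" -servername "$1" 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha256 | cut -d= -f2
}

# Places a throw-away token in the webroot and fetches it over plain HTTP the
# way the HTTP-01 validator does (following the 301 if it is enabled), to prove
# the acme-challenge location works before certbot is run. Cleans up after.
challenge_path_ok() {
    host="$1"; webroot="$2"
    dir="$webroot/.well-known/acme-challenge"
    token="selftest-$$"
    mkdir -p "$dir" || return 1
    echo "$token" > "$dir/$token"
    status=0
    got=$(curl -fsSL "http://$host/.well-known/acme-challenge/$token") || status=$?
    rm -f "$dir/$token"
    [ "$status" -eq 0 ] && [ "$got" = "$token" ]
}

main() {
    host="$1"
    cert="/etc/letsencrypt/live/$host/fullchain.pem"
    webroot="/var/www/$host/public"

    nginx -t || exit 1

    if challenge_path_ok "$host" "$webroot"; then
        echo "ok: acme-challenge path is served for $host"
    else
        echo "FAIL: acme-challenge path is not reachable via http://$host"
    fi

    # A mismatch here is the classic symptom of "certbot renew" without a
    # reload: the file on disk is fresh but nginx still serves the old one.
    if [ "$(fingerprint_of_file "$cert")" = "$(fingerprint_served "$host")" ]; then
        echo "ok: nginx serves the certificate in $cert"
    else
        echo "FAIL: served certificate differs from $cert (reload nginx?)"
    fi

    echo "days until expiry: $(days_left "$(date -u +%s)" "$(openssl x509 -in "$cert" -noout -enddate)")"

    hsts=$(curl -fsSI "https://$host/" | grep -i '^strict-transport-security:' || true)
    if hsts_ok "$hsts"; then
        echo "ok: HSTS header present with max-age >= 1 year"
    else
        echo "FAIL: HSTS header missing or max-age too short"
    fi
}

# Only run the live checks when a hostname is given: ./tls-check.sh example.com
if [ "$#" -ge 1 ]; then
    main "$1"
fi
```

Run it as root on the server (nginx -t needs to read /etc/nginx), for example ./tls-check.sh example.com. The fingerprint comparison is the quickest way to notice a certificate that was renewed on disk but never loaded into nginx, which is the failure mode the reload hook on the cron line prevents.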