Install Let's Encrypt on a Cloud Server with nginx and certbot (certonly)


Introduction

To use Let’s Encrypt certificates without Certbot modifying the web server configuration, it is necessary to properly prepare the web server for the HTTP challenge.

Prerequisites

  • You have a hosting.fr Cloud server with a valid DNS record, for example demo.mustermann-domain.fr.
  • Privileged shell access on the system.

Install Packages

apt update
apt install nginx certbot

Configure Nginx

Create a directory for HTTP challenges

mkdir /var/www/letsencrypt

Create an Nginx snippet at /etc/nginx/snippets/letsencrypt.conf that can be included in each vhost, with the following content

location ^~ /.well-known/acme-challenge/ {
    default_type "text/plain";
    root /var/www/letsencrypt;
}

Modify the configuration for the vhost (for example under /etc/nginx/sites-enabled/demo.mustermann-domain.fr)

server {
    listen 80;
    # if the AAAA record is set
    listen [::]:80;
    server_name demo.mustermann-domain.fr;
    include snippets/letsencrypt.conf;
    location / {
        return 301 https://$server_name$request_uri;
    }
}

Then check the Nginx configuration with nginx -t and, if it passes, restart the web server (systemctl restart nginx.service)
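The reason the snippet above uses root rather than alias is that certbot in --webroot mode writes each token to WEBROOT/.well-known/acme-challenge/TOKEN, and nginx's root directive appends the full request URI to the root, which lands on exactly that file. The following added example (not part of the original tutorial or of hosting.fr's tooling) models both directives and includes a local preflight that writes a constructed token where certbot would and checks that the mapped path exists; the function names and the sample token are assumptions made here.

```python
"""Check that nginx's challenge location maps to the file certbot --webroot writes.

Added example: models the `root` vs `alias` path resolution that decides whether
an HTTP-01 challenge is served (HTTP 200) or silently 404s. Function names and
the sample token are constructed for this example.
"""
import os
import tempfile
from typing import Optional

ACME_PREFIX = "/.well-known/acme-challenge/"


def resolve_nginx_path(uri: str, location: str,
                       root: Optional[str] = None, alias: Optional[str] = None) -> str:
    """Return the filesystem path nginx would serve for `uri`.

    `location` is the prefix of the matching location block.
    `root` appends the full URI; `alias` replaces the location prefix.
    Exactly one of the two must be given.
    """
    if (root is None) == (alias is None):
        raise ValueError("specify exactly one of root or alias")
    if not uri.startswith(location):
        raise ValueError(f"{uri!r} does not match location {location!r}")
    if root is not None:
        return root.rstrip("/") + uri                     # root + full URI
    return alias.rstrip("/") + "/" + uri[len(location):]  # alias + remainder


def certbot_token_path(webroot: str, token: str) -> str:
    """Where `certbot certonly --webroot -w webroot` places a token file."""
    return os.path.join(webroot, ".well-known", "acme-challenge", token)


def challenge_is_reachable(webroot: str, token: str, location: str,
                           root: Optional[str] = None, alias: Optional[str] = None) -> bool:
    """True when the path nginx serves equals the path certbot writes."""
    served = resolve_nginx_path(ACME_PREFIX + token, location, root=root, alias=alias)
    return served == certbot_token_path(webroot, token)


def preflight(webroot: Optional[str] = None, token: str = "preflight-token") -> bool:
    """Write a constructed token exactly where certbot would, then verify that the
    `root` mapping used in the snippet resolves to an existing file.

    With webroot=None a temporary directory stands in for /var/www/letsencrypt,
    so the check runs without touching the real web root.
    """
    tmp = None
    if webroot is None:
        tmp = tempfile.TemporaryDirectory()
        webroot = tmp.name
    try:
        path = certbot_token_path(webroot, token)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="ascii") as fh:
            fh.write(token + ".constructed-key-authorization")  # constructed content
        served = resolve_nginx_path(ACME_PREFIX + token, ACME_PREFIX, root=webroot)
        ok = os.path.isfile(served)
        os.remove(path)
        return ok
    finally:
        if tmp is not None:
            tmp.cleanup()


if __name__ == "__main__":
    # root (as in the snippet): nginx finds the token; alias: it would look one level too high
    print(challenge_is_reachable("/var/www/letsencrypt/", "abc", ACME_PREFIX, root="/var/www/letsencrypt"))
    print(challenge_is_reachable("/var/www/letsencrypt/", "abc", ACME_PREFIX, alias="/var/www/letsencrypt"))
    print(preflight())
```

Run it before the first certbot invocation; the real server-side equivalent is to place a file under /var/www/letsencrypt/.well-known/acme-challenge/ and fetch it over plain HTTP from outside, which must return 200 and not be caught by the 301 redirect.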

Configure Certbot

If you do not wish to receive reminder emails for expiring certificates, you can also run certbot without an email address (--register-unsafely-without-email)

certbot certonly --webroot -w /var/www/letsencrypt/ -d demo.mustermann-domain.fr --register-unsafely-without-email

After certbot has completed, check with systemctl list-timers if the certbot.timer is active.

Integrate Certificates into Nginx

If you have not yet integrated SSL/TLS certificates into Nginx, you can use Mozilla’s SSL Configuration Generator as a guide. If the same SSL configuration is to be used in multiple vhosts, it is also advisable to use a snippet. To do this, create the file /etc/nginx/snippets/mozilla-modern.conf with the following content

    listen 443 ssl http2;
    listen [::]:443 ssl http2;

    ssl_session_timeout 1d;
    ssl_session_cache shared:MozSSL:10m;  # approximately 40000 sessions
    ssl_session_tickets off;

    ssl_protocols TLSv1.3;
    ssl_prefer_server_ciphers off;

    add_header Strict-Transport-Security "max-age=63072000" always;

    ssl_stapling on;
    ssl_stapling_verify on;

    resolver 95.129.51.51;

Then, the file /etc/nginx/sites-enabled/demo.mustermann-domain.fr must be extended to use the certificates

server {
    server_name demo.mustermann-domain.fr;

    include snippets/mozilla-modern.conf;

    ssl_certificate /etc/letsencrypt/live/demo.mustermann-domain.fr/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/demo.mustermann-domain.fr/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/demo.mustermann-domain.fr/fullchain.pem;

    . . .

}

Finally, check the Nginx configuration again with nginx -t and, if it passes, restart the web server (systemctl restart nginx.service)
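Because the TLS snippet is shared across vhosts, a drift in any one setting weakens every site at once. The following added example (not part of the original tutorial or of hosting.fr's tooling) is a small auditor that parses an nginx snippet and flags settings weaker than the mozilla-modern.conf above: deprecated protocol versions, session tickets left on, a missing or short HSTS max-age, and OCSP stapling enabled without a resolver. The one-year HSTS threshold, the function names and the constructed weak snippet are assumptions made here.

```python
"""Audit an nginx TLS snippet against the settings used in mozilla-modern.conf.

Added example: a minimal directive parser plus checks for the settings a
reviewer would look at first. Thresholds and sample snippets are constructed.
"""
import re
from typing import Dict, List

WEAK_PROTOCOLS = {"SSLv3", "TLSv1", "TLSv1.1"}
MIN_HSTS_MAX_AGE = 31536000  # one year; assumed threshold for this example

# The snippet from the tutorial (expected to pass cleanly).
PAGE_SNIPPET = """
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    ssl_session_timeout 1d;
    ssl_session_cache shared:MozSSL:10m;  # approximately 40000 sessions
    ssl_session_tickets off;
    ssl_protocols TLSv1.3;
    ssl_prefer_server_ciphers off;
    add_header Strict-Transport-Security "max-age=63072000" always;
    ssl_stapling on;
    ssl_stapling_verify on;
    resolver 95.129.51.51;
"""

# A constructed snippet with several weak settings, for contrast.
WEAK_SNIPPET = """
    listen 443 ssl;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_session_tickets on;
    ssl_stapling on;
"""


def parse_directives(snippet: str) -> Dict[str, List[List[str]]]:
    """Parse simple `name arg... ;` lines into {name: [args, ...]}.

    Repeated directives (listen, add_header) are collected in order. Comments
    after `#` are dropped; block directives and quoted `#` are out of scope.
    """
    directives: Dict[str, List[List[str]]] = {}
    for raw in snippet.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line.endswith(";"):
            continue
        parts = line[:-1].split()
        if parts:
            directives.setdefault(parts[0], []).append(parts[1:])
    return directives


def audit_tls_snippet(snippet: str) -> List[str]:
    """Return human-readable findings; an empty list means no issue detected."""
    d = parse_directives(snippet)
    findings: List[str] = []

    protocols = {v for args in d.get("ssl_protocols", []) for v in args}
    if not protocols:
        findings.append("ssl_protocols not set; relying on the build default")
    weak = protocols & WEAK_PROTOCOLS
    if weak:
        findings.append(f"deprecated protocols enabled: {sorted(weak)}")

    # nginx enables session tickets unless told otherwise.
    if d.get("ssl_session_tickets", [["on"]])[-1][0] != "off":
        findings.append("ssl_session_tickets not off; ticket keys must be rotated to keep forward secrecy")

    hsts = [args for args in d.get("add_header", [])
            if args and args[0].lower() == "strict-transport-security"]
    if not hsts:
        findings.append("no Strict-Transport-Security header")
    else:
        m = re.search(r"max-age=(\d+)", " ".join(hsts[-1]))
        if not m or int(m.group(1)) < MIN_HSTS_MAX_AGE:
            findings.append(f"HSTS max-age missing or below {MIN_HSTS_MAX_AGE}")

    if d.get("ssl_stapling", [["off"]])[-1][0] != "on":
        findings.append("OCSP stapling off")
    elif "resolver" not in d:
        findings.append("ssl_stapling on but no resolver configured; stapling cannot fetch responses")

    return findings


if __name__ == "__main__":
    print("page snippet:", audit_tls_snippet(PAGE_SNIPPET) or "clean")
    for f in audit_tls_snippet(WEAK_SNIPPET):
        print("weak snippet:", f)
```

Point it at the real file with audit_tls_snippet(open("/etc/nginx/snippets/mozilla-modern.conf").read()) after each edit; it complements nginx -t, which only checks syntax, not policy.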
