How to configure HTTPS for Nginx with free SSL from Let’s Encrypt

This post shows how to configure HTTPS for an Nginx server with a certificate from the Let’s Encrypt CA, 100% free.

In a series about Nginx:

First of all, you can take a look at Let’s Encrypt to get basic knowledge about this 100% free CA for your website here: Configuring free SSL for a website with Let’s Encrypt (part 1)

This is the trickier version, for when your web server is behind firewalls and not exposed to the internet like a standalone VPS. If you have a VPS, just do it with the simple commands in this tutorial: Configuring free SSL for a website with Let’s Encrypt (part 3). It is very easy and straightforward, so I don’t repeat it here.

Step 1: Generate cert only and verify domain by DNS challenge

Issue this command to generate the certificate only and prove domain ownership via a DNS challenge

certbot -d *.config9.com --manual --preferred-challenges dns certonly

Some more explanation

  • --manual: perform the domain verification steps yourself
  • --preferred-challenges dns: specify the way the domain is verified
  • certonly: only generate the certificate

More detail on the certbot command can be found here

You will see the screen like this:

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name
_acme-challenge.config9.com with the following value:

Gh9nXkuxNmaMUKaksksks887jsh9KkndcDWOmqi9u6A

Before continuing, verify the record is deployed.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue

Step 2: Verify domain ownership

Go to the DNS manager page of your domain provider (Namecheap, GoDaddy, …) and add one record with Name = _acme-challenge, Type = TXT, Value = Gh9nXkuxNmaMUKaksksks887jsh9KkndcDWOmqi9u6A (the string from the screen above).
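Before pressing Enter it is worth confirming that the TXT record is actually visible from the public internet, because Let’s Encrypt’s validation servers query your zone and a record that is still propagating fails the challenge. The POSIX sh script below is an added example, not from the original post; it assumes `dig` is installed, uses Google’s 8.8.8.8 as the resolver, and takes config9.com and the token from the screen above as sample values.

```shell
#!/bin/sh
# Check that the _acme-challenge TXT record certbot asked for is visible
# in public DNS before continuing. Assumes `dig` (dnsutils / bind-utils).

# Pure helper: given the output of `dig +short` and the expected token,
# succeed only if one of the returned TXT strings equals the token exactly
# (fixed-string, whole-line match, so a truncated value does not pass).
txt_record_matches() {
    dig_output="$1"
    expected="$2"
    printf '%s\n' "$dig_output" | tr -d '"' | grep -qxF -- "$expected"
}

# Query a public resolver rather than the local one, so a stale cache on
# the machine does not give a false positive. Returns 2 if dig itself fails.
acme_txt_deployed() {
    domain="$1"       # e.g. config9.com
    expected="$2"     # the value certbot printed
    output=$(dig +short @8.8.8.8 TXT "_acme-challenge.$domain") || return 2
    txt_record_matches "$output" "$expected"
}

# Poll until the record appears or we give up (propagation can take
# minutes). Exit status 0 means it is safe to press Enter in certbot.
wait_for_acme_txt() {
    domain="$1"; expected="$2"; tries="${3:-12}"; delay="${4:-10}"
    i=0
    while [ "$i" -lt "$tries" ]; do
        if acme_txt_deployed "$domain" "$expected"; then
            echo "TXT record for _acme-challenge.$domain is live"
            return 0
        fi
        i=$((i + 1))
        sleep "$delay"
    done
    echo "record not visible after $tries tries" >&2
    return 1
}

# Usage: ./check_acme_txt.sh config9.com Gh9nXkuxNmaMUKaksksks887jsh9KkndcDWOmqi9u6A
if [ -n "${1:-}" ] && [ -n "${2:-}" ]; then
    wait_for_acme_txt "$1" "$2"
fi
```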


Once done, go back to the terminal and press Enter to let certbot verify domain ownership. The success screen will look like this:

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/config9.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/config9.com/privkey.pem
   Your cert will expire on 2019-08-21. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

One problem remains: renewal does not work with the manual plugin, because renewal runs in non-interactive mode. That means this renew command will fail:

sudo certbot renew --dry-run
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/config9.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not due for renewal, but simulating renewal for dry run
Could not choose appropriate plugin: The manual plugin is not working; there may be problems with your existing configuration.
The error was: PluginError('An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.',)
Attempting to renew cert (config9.com) from /etc/letsencrypt/renewal/config9.com.conf produced an unexpected error: The manual plugin is not working; there may be problems with your existing configuration.
The error was: PluginError('An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.',). Skipping.
All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/config9.com/fullchain.pem (failure)

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates below have not been saved.)

All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/config9.com/fullchain.pem (failure)
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates above have not been saved.)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1 renew failure(s), 0 parse failure(s)
