How to Secure NGINX with Let's Encrypt on Ubuntu 20.04 LTS - Golang Web Development
In this Golang Web Development Series #6, we will learn how to install Certbot which is the free SSL certificate with auto-renewal every 3 months, and then switch the Cloudflare SSL option to Full (strict) which encrypts end-to-end, but requires a trusted CA or Cloudflare Origin CA certificate on the server with step by step guide here in Golang's Web Development Series.
Get Linode Account:
https://www.linode.com/?r=6aae17162e9...
Maharlikans Code Github:
https://github.com/maharlikanscode/go...
#MaharlikansCode
#GolangWebDevelopment6
#Certbot
#LetsEncrypt
#Nginx
#Ubuntu2004LTS
#GolangTutorial
#LearnGolangWebDevelopment
#Golang
#LifeAsSoftwareDeveloper
#Maharlikans
#FilipinoSoftwareDeveloper
If you go with extra mile for buying me a cup of coffee, I appreciate it guys: https://ko-fi.com/maharlikanscode
Official Certbot Instructions: https://certbot.eff.org/lets-encrypt/...
Nginx on Ubuntu 20.04
1. SSH into the server
SSH into the server running your HTTP website as a user with sudo privileges.
2. Install snapd
You'll need to install snapd and make sure you follow any instructions to enable classic snap support.
Follow these instructions on snapcraft's site to install snapd.
3. Ensure that your version of snapd is up to date
Execute the following instructions on the command line on the machine to ensure that you have the latest version of snapd.
sudo snap install core; sudo snap refresh core
4. Remove any Certbot OS packages
If you have any Certbot packages installed using an OS package manager like apt, dnf, or yum, you should remove them before installing the Certbot snap to ensure that when you run the command certbot the snap is used rather than the installation from your OS package manager. The exact command to do this depends on your OS, but common examples are sudo apt-get remove certbot, sudo dnf remove certbot, or sudo yum remove certbot.
5. Install Certbot
Run this command on the command line on the machine to install Certbot.
sudo snap install --classic certbot
6. Prepare the Certbot command
Execute the following instruction on the command line on the machine to ensure that the certbot command can be run.
sudo ln -s /snap/bin/certbot /usr/bin/certbot
7. Choose how you'd like to run Certbot
Either get and install your certificates...
Run this command to get a certificate and have Certbot edit your Nginx configuration automatically to serve it, turning on HTTPS access in a single step.
sudo certbot --nginx
Or, just get a certificate
If you're feeling more conservative and would like to make the changes to your Nginx configuration by hand, run this command.
sudo certbot certonly --nginx
8. Test automatic renewal
The Certbot packages on your system come with a cron job or systemd timer that will renew your certificates automatically before they expire. You will not need to run Certbot again, unless you change your configuration. You can test automatic renewal for your certificates by running this command:
sudo certbot renew --dry-run
The command to renew certbot is installed in one of the following locations:
/etc/crontab/
/etc/cron.*/*
systemctl list-timers
Confirm that Certbot worked
To confirm that your site is set up properly, visit https://yourwebsite.com/ in your browser and look for the lock icon in the URL bar. If you want to check that you have the top-of-the-line installation, you can head to https://www.ssllabs.com/ssltest/.
Nginx Certbot SSL Configurations:
server {
Add index.php to the list if you are using PHP
index index.html index.htm index.nginx-debian.html;
server_name maharlikanscode.com www.maharlikanscode.com;
root /var/www/html/maharlikanscode.com/public_html;
location / {
First attempt to serve request as file, then
as directory, then fall back to displaying a 404.
try_files $uri $uri/ =404;
}
location /static/ {
alias /var/www/html/maharlikanscode.com/public_html/static/;
}
location ~* \.(jpg|jpeg|png|gif|ico|css|js|pdf|ttf|ttc|otf|eot|woff|woff2)$ {
expires 7d;
add_header Access-Control-Allow-Origin *;
}
location ~ /\. {
access_log off;
log_not_found off;
deny all;
}
listen 443 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/maharlikanscode.com/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/maharlikanscode.com/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
server {
if ($host = www.maharlikanscode.com) {
return 301 https://$host$request_uri;
} # managed by Certbot
if ($host = maharlikanscode.com) {
return 301 https://$host$request_uri;
} # managed by Certbot
listen 80;
server_name maharlikanscode.com www.maharlikanscode.com;
return 404; # managed by Certbot
}
