Install Let’s Encrypt SSL on Nginx running Python Django Flask
Let’s Encrypt is a Certificate Authority (CA) that provides an easy way to obtain and install free TLS/SSL certificates. We are using Certbot to obtain a free SSL certificate for Nginx on an Ubuntu setup. It’s better to use a separate Nginx server block file instead of the default file.
Before proceeding with the installation, please make sure you have:
- A fully registered domain name.
- An A record and www record for the required domain name.
- Nginx server block for the required domain (/etc/nginx/sites-available/domain.conf)
Step 1 — Downloading the Let’s Encrypt Client
The first thing you need to do is download and install the Let’s Encrypt client, certbot. You can install it using the following commands in Ubuntu:
sudo apt-get update
sudo apt-get install -y git
sudo git clone https://github.com/certbot/certbot /opt/letsencrypt
Certbot is now ready to use, but we need to configure SSL for Nginx.
Step 2 — Confirming Nginx’s Configuration
Certbot needs to be able to find the correct server block in your Nginx configuration to configure SSL automatically. Specifically, it does this by looking for a server_name directive that matches the domain you request a certificate for. By default, the server block will be under the following location; you can use the vi or nano editor to open this file.
Find the existing server_name line. It should look like this:
server_name domainname.com www.domainname.com;
If it does, exit your editor and move on to the next step.
After you have verified this, make sure the Nginx configuration syntax is correct and valid using the command:
sudo nginx -t
If you get an error, reopen the server block file and check for any mistakes. Once your configuration file’s syntax is correct, reload Nginx to load the new configuration:
sudo systemctl reload nginx
Step 3 — Obtaining an SSL Certificate
Certbot provides a variety of ways to obtain SSL certificates through plugins. The Nginx plugin will take care of reconfiguring Nginx and reloading the config whenever necessary. To use this plugin, type the following:
sudo certbot --nginx -d domain.com -d www.domain.com
If this step fails with the following error, make sure the domain has no IPv6 records (AAAA records); Let’s Encrypt prefers IPv6 over IPv4.
If that’s successful, certbot will ask how you’d like to configure your HTTPS settings.
Select your choice, then hit ENTER. The configuration will be updated, and Nginx will reload to pick up the new settings. Certbot will wrap up with a message telling you the process was successful and where your certificates are stored.
Your certificates are downloaded, installed, and loaded. Try reloading your website using https://
Step 4 — Verifying Certbot Auto-Renewal
Let’s Encrypt’s certificates are only valid for ninety days. This is to encourage users to automate their certificate renewal process. The certbot package we installed takes care of this for us by adding a renew script to /etc/cron.d. This script runs twice a day and will automatically renew any certificate that’s within thirty days of expiration.
To test the renewal process, you can do a dry run with certbot:
sudo certbot renew --dry-run
If you see no errors, you’re all set. When necessary, Certbot will renew your certificates and reload Nginx to pick up the changes.
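A dry run only shows that renewal can work today. The check below is an added example, not part of the original tutorial or of Certbot: it reads the certificate's expiry date with openssl and flags a certificate that has stayed inside the thirty-day renewal window. The certificate path (certbot's default live directory, with the page's placeholder domain) and the two-day grace period are assumptions.

```python
import ssl
import subprocess
import sys
from datetime import datetime, timezone

RENEW_WINDOW_DAYS = 30  # certbot renews once a certificate is within 30 days of expiry
GRACE_DAYS = 2          # assumption: slack for a couple of missed twice-daily runs
# Assumption: certbot's default live directory; domain.com is the page's placeholder.
CERT_PATH = "/etc/letsencrypt/live/domain.com/fullchain.pem"
# Constructed sample of `openssl x509 -noout -enddate` output, not from a real certificate.
SAMPLE_ENDDATE = "notAfter=May 30 12:00:00 2025 GMT"


def days_left(enddate_line, now):
    """Days until expiry, parsed from a 'notAfter=...' line printed by openssl."""
    key, _, value = enddate_line.strip().partition("=")
    if key != "notAfter" or not value:
        raise ValueError(f"unexpected openssl output: {enddate_line!r}")
    expires = datetime.fromtimestamp(ssl.cert_time_to_seconds(value), tz=timezone.utc)
    return (expires - now).total_seconds() / 86400


def renewal_status(enddate_line, now):
    """Classify a certificate as 'ok', 'renewal-overdue' or 'expired'."""
    remaining = days_left(enddate_line, now)
    if remaining <= 0:
        return "expired"
    # A healthy renew job replaces the certificate soon after it enters the
    # 30-day window, so one still deep inside it means renewals are failing.
    if remaining < RENEW_WINDOW_DAYS - GRACE_DAYS:
        return "renewal-overdue"
    return "ok"


def main():
    result = subprocess.run(
        ["openssl", "x509", "-noout", "-enddate", "-in", CERT_PATH],
        capture_output=True, text=True, check=True)
    status = renewal_status(result.stdout, datetime.now(timezone.utc))
    print(f"{CERT_PATH}: {status}")
    return 0 if status == "ok" else 1  # non-zero exit lets cron or monitoring alert


if __name__ == "__main__":
    sys.exit(main())
```

Run it as root from a daily cron job or a monitoring agent, since the live directory is readable only by root.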