Get Rewarded! We will reward you with up to €50 credit on your account for every tutorial that you write and we publish!
ProductsContributeDocsCareer

Install and Secure Nginx with Let’s Encrypt in Debian 10

profile picture
Author
David
Published
2020-04-17
Time to read
9 minutes reading time
Table of Contents

Introduction

In this tutorial, we will learn how to install nginx on Debian 10, how to install Let’s Encrypt as an SSL certificate issuer, and how to automatically update SSL.

Nginx web service is one of the most popular web servers in the world and is used as a web service in large and highly visited websites.

Let’s Encrypt is an SSL or CA security certificate issuer that is free to install on the web server and use as an HTTPS protocol.

Prerequisites

  • A server with a public IPv4 address (Cloud or Dedicated).
  • SSH access with root privileges.
  • A registered domain with DNS records as follows:
    • A record for example.com and a reference to the server's IPv4 address.
    • A record for www.example.com and a reference to the server's IPv4 address (optional).

Note: example.com is your domain address (for example, hetzner.com).

Step 1 - Install Nginx Web Server

nginx package is available by default on Debian and can be installed on the server using the Debian package management.

Before that, we need to update the local packages index using the following command.

apt update

We can now install nginx using the following command.

apt install nginx

To confirm the installation, press Enter and then nginx and related packages will be installed.

Step 2 - Check the Web Server

After installing nginx, the web server has already started and must work properly.

Using the following command, we can check the current state of nginx.

systemctl status nginx

Sample output:

● nginx.service - A high-performance web server and a reverse proxy server
   Loaded: loaded (/lib/systemd/system/nginx.service; enabled; vendor preset: enabled)
   Active: active (running) since Wed 2022-11-30 13:56:28 UTC; 27s ago
     Docs: man:nginx(8)
 Main PID: 12114 (nginx)
    Tasks: 2 (limit: 2296)
   Memory: 4.2M
   CGroup: /system.slice/nginx.service
           ├─12114 nginx: master process /usr/sbin/nginx -g daemon on; master_process on;
           └─12115 nginx: worker process

As you can see above, the web service has been successfully started.

To verify the correct operation, we can enter the IP address of our server in a browser.

Step 3 - Configure Server Block Settings

When using nginx web server, we can use server blocks (similar to virtual hosts in Apache) to configure details and host more than one domain on the server.

The nginx web server in Debian 10 has an active server block by default in /var/www/html. This configuration is suitable for using a site on the server, but if we need to manage multiple sites on the server, we need changes to control the websites.

Create a directory using the following command.

mkdir -v -p /var/www/example.com/html

Then use your favourite editor to create a /var/www/example.com/html/index.html file with the following content:

Success! Welcome to "example.com".

In order for nginx to be able to process and deliver this content, we need to create a server block with the correct instructions that point to our created directory. To not change the default configuration, we create a new configuration file with /etc/nginx/sites-available/example.com.

Add the following contents and settings to the created file.

server {
    listen 80;
    listen [::]:80;
    server_name example.com www.example.com;
    root /var/www/example.com/html;
    index index.php index.html index.htm;

    location / {
        try_files $uri $uri/ =404;
    }
}

In the following, we will add a link from the config file created to the active directories.

ln -v -s /etc/nginx/sites-available/example.com /etc/nginx/sites-enabled/

Now the created server block has been activated and configured.

Using the following command, we make sure that there is no error in making changes and configurations.

nginx -t

If the settings are done correctly, we will encounter the following output.

nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

After configuring, reload nginx to apply the changes.

systemctl reload nginx

Now, your nginx can serve static files for example.com and www.example.com domains via HTTP.

Step 4 - Install Nginx Plugin for Certbot

The first step in using Let’s Encrypt and issuing an SSL security certificate is to install Certbot on the server.

The python3-certbot-nginx installation package, which is located on the Debian repository, allows us to install the Certbot plugin on nginx as well as all dependencies including Certbot itself.

By running the following command, we install the desired packages:

apt install python3-certbot-nginx

Step 5 - Get the SSL Security Certificate

Certbot offers a variety of ways to get an SSL certificate, the nginx plugin is a surefire way to get a certificate.

To get the SSL certificate, we use the following command.

certbot run --nginx -d example.com,www.example.com
  • run — A subcommand to obtain and install the certificate.
  • --nginx — Use the Nginx plugin for authentication and installation.
  • -d DOMAINS — Comma-separated list of domains to obtain a certificate for.

After executing this command, Certbot receives an email address and communicates with the Let’s Encrypt server to obtain the certificate.

If this connection is successful, Certbot will ask how to configure HTTPS.

Sample output:

Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel):

We will make our choice and after pressing Enter, the settings will be updated and nginx will be reloaded to run the new settings.

With the following message, Certbot will confirm the correct installation of the security certificate.

Sample output:

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/example.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/example.com/privkey.pem
   Your cert will expire on 2023-02-28. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot again
   with the "certonly" option. To non-interactively renew *all* of
   your certificates, run "certbot renew"
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

Now, your nginx can serve static files for example.com and www.example.com domains via HTTPS.

Step 6 - Setup Automatic SSL Renewal

Let’s Encrypt certification is only valid for 90 days. This has led users to need to automatically renew their security certification.

For this purpose, by adding the extension script to /etc/cron.d, we can perform the renewal process automatically.

After receiving the SSL in Step 5, the /etc/cron.d/certbot file is created to renew the SSL security certificate with the following contents.

# /etc/cron.d/certbot: crontab entries for the certbot package
#
# Upstream recommends attempting renewal twice a day
#
# Eventually, this will be an opportunity to validate certificates
# haven't been revoked, etc.  Renewal will only occur if expiration
# is within 30 days.
#
# Important Note!  This cronjob will NOT be executed if you are
# running systemd as your init system.  If you are running systemd,
# the cronjob.timer function takes precedence over this cronjob.  For
# more details, see the systemd.timer manpage, or use systemctl show
# certbot.timer.
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

0 */12 * * * root test -x /usr/bin/certbot -a \! -d /run/systemd/system && perl -e 'sleep int(rand(43200))' && certbot -q renew

The script runs twice a day and renews certificates that will expire within 30 days.

To check the renewal process, we can execute the following command manually.

certbot renew --dry-run
  • renew — A subcommand to renew all previously obtained certificates that are near expiry.
  • --dry-run — An option to test the "renew" subcommand without saving any certificates to disk.

If you do not receive an error, the automatic renewal process will be performed correctly.

Conclusion

In this tutorial, we learned how to install nginx and configure its server blocks, as well as install and renew Let’s Encrypt automatically.

License: MIT
Want to contribute?

Get Rewarded: Get up to €50 in credit! Be a part of the community and contribute. Do it for the money. Do it for the bragging rights. And do it to teach others!

Submit an articleFind out more
Report Issue

Discover our

Dedicated Servers

Configure your dream server. Top performance with an excellent connection at an unbeatable price!

Configure now
Want to contribute?

Get Rewarded: Get up to €50 credit on your account for every tutorial you write and we publish!

Find out more
Report Issue