How to Secure Nginx with Let's Encrypt on Ubuntu 20.04 with Certbot?

YouTube Tutorial

1. Create EC2 Instance in AWS Ubuntu 20.04 LTS

  • Create EC2 instance
    • Ubuntu 20.04
    • t3.micro (2 vCPUs)
    • public subnet
    • enable public IP
  • Create Security Group nginx
    • open ports 80 and 443 to the world (visitors need them, and Let's Encrypt validates the domain over port 80)
    • open port 22 only to your own IP, so you can SSH in for the steps below without exposing SSH to everyone
  • Create devops key pair
  • Update permissions on the devops key pair
    • The private key must be readable only by you, otherwise ssh refuses to use it:
chmod 400 devops.pem

2. Install Nginx Ubuntu 20.04 LTS

  • SSH to the Ubuntu server
ssh -i devops.pem [email protected]
  • Update Ubuntu packages
sudo apt update
  • Check version of nginx to be installed
apt policy nginx
  • Check current versions of nginx here
  • Add nginx deb repository
sudo vi /etc/apt/sources.list.d/nginx.list
deb https://nginx.org/packages/ubuntu/ focal nginx
deb-src https://nginx.org/packages/ubuntu/ focal nginx

deb lines refer to binary packages, which you install with apt. deb-src lines refer to source packages (as downloaded by apt-get source $package) that you then compile yourself. Source packages are needed only if you want to build a package yourself or inspect its source code for a bug; ordinary users do not need to include such repositories.

  • Update Ubuntu packages (this run prints a NO_PUBKEY error for nginx.org, because apt does not yet trust the repository's signing key)
sudo apt update
  • Add the nginx signing key (key ID ABF5BD827BD9BF62). Note that apt-key is deprecated on Ubuntu 20.04 and puts the key into the global trusted keyring, where it can sign any repository on the machine, not just nginx.org
sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys ABF5BD827BD9BF62
  • Update Ubuntu packages again, now that the key is trusted
sudo apt update
  • Check the version of nginx to be installed; the candidate should now come from nginx.org rather than Ubuntu's focal archive
apt policy nginx
  • Install nginx
sudo apt install nginx=1.20.1-1~focal
  • Start nginx
sudo systemctl start nginx
  • Enable nginx
sudo systemctl enable nginx
  • Check nginx status
sudo systemctl status nginx

The status output may contain the line "Can't open PID file /run/nginx.pid (yet?) after start: Operation not permitted". With the nginx.org package this is a benign systemd warning logged while nginx is still writing its PID file; the unit still reports active (running) and the browser check below succeeds.

  • Open http://<instance public IP> in a browser; you should see the default nginx welcome page
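The apt-key flow above works, but it is deprecated and trusts the key for every repository. The script below is an added example, not part of the original tutorial, showing the alternative nginx.org itself documents: store the key in its own keyring, bind it to the nginx repository with signed-by, and refuse to trust it unless its full fingerprint matches the one published on https://nginx.org/en/linux_packages.html. The fingerprint constant and the sample gpg listings used by the self-check are assumptions written for this example (the listings are constructed, not real gpg output).

```shell
#!/bin/sh
# Added example, not from the original tutorial. Adds the nginx.org apt repo
# with a keyring scoped to that repo (signed-by=) and checks the signing key
# fingerprint before trusting it, instead of `apt-key adv --keyserver ...`,
# which is deprecated and makes the key valid for every repository on the box.
set -eu

KEYRING=/usr/share/keyrings/nginx-archive-keyring.gpg
LIST=/etc/apt/sources.list.d/nginx.list
# Full fingerprint as published on https://nginx.org/en/linux_packages.html
# (assumed here; always compare against the vendor page). The short ID
# ABF5BD827BD9BF62 used with apt-key is just its last 16 hex digits.
EXPECTED_FPR=573BFD6B3D8FBC641079A6ABABF5BD827BD9BF62

# fingerprint_matches EXPECTED: read a gpg key listing from stdin and succeed
# only if it contains EXPECTED. Spaces are stripped first so both the
# "573B FD6B ..." and the "573BFD6B..." layouts gpg uses are accepted.
fingerprint_matches() {
    tr -d ' ' | grep "$1" >/dev/null
}

# install_nginx_repo: fetch the key, verify it, then write a sources entry
# that only accepts packages signed by that key. Needs network and sudo.
install_nginx_repo() {
    curl -fsSL https://nginx.org/keys/nginx_signing.key | gpg --dearmor \
        | sudo tee "$KEYRING" >/dev/null
    if ! gpg --dry-run --quiet --no-keyring --import --import-options import-show "$KEYRING" \
            | fingerprint_matches "$EXPECTED_FPR"; then
        echo "nginx signing key fingerprint mismatch, refusing to trust it" >&2
        sudo rm -f "$KEYRING"
        return 1
    fi
    echo "deb [signed-by=$KEYRING] https://nginx.org/packages/ubuntu/ focal nginx" \
        | sudo tee "$LIST" >/dev/null
    sudo apt update
    apt policy nginx
}

# selfcheck: offline test of the matching logic on constructed listings
# (these are made-up strings in gpg's layout, not real key data).
selfcheck() {
    good="pub   rsa2048 2011-08-19 [SC]
      573B FD6B 3D8F BC64 1079  A6AB ABF5 BD82 7BD9 BF62
uid           nginx signing key <signing-key@nginx.com>"
    bad="pub   rsa4096 2020-01-01 [SC]
      0000000000000000000000000000000000000000
uid           someone else"
    printf '%s\n' "$good" | fingerprint_matches "$EXPECTED_FPR" || return 1
    printf '%s\n' "$bad" | fingerprint_matches "$EXPECTED_FPR" && return 1
    return 0
}

if [ "${1:-}" = "--install" ]; then
    install_nginx_repo
else
    selfcheck && echo "fingerprint check OK; run with --install on the server to add the repo"
fi
```

Run it with --install on the instance in place of the apt-key and sources.list.d steps; without arguments it only exercises the fingerprint comparison. If the fingerprint ever changes, the script deletes the downloaded keyring and exits non-zero instead of silently trusting a new key.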

3. Nginx Setup Server Block

  • Check the main nginx config
cat /etc/nginx/nginx.conf
  • Check default nginx config
cat /etc/nginx/conf.d/default.conf
  • Create folder for our website
sudo mkdir -p /var/www/devopsbyexample.io/html
  • Update ownership
sudo chown -R $USER:$USER /var/www/devopsbyexample.io/html
  • Update permissions (nginx runs as the unprivileged nginx user and only needs to traverse and read this tree, which 755 allows without granting it write access)
sudo chmod -R 755 /var/www/devopsbyexample.io
  • Create a web page
vi /var/www/devopsbyexample.io/html/index.html
<html>
    <head>
        <title>Welcome to devopsbyexample.io!</title>
    </head>
    <body>
        <h1>Success!  The devopsbyexample.io server block is working!</h1>
    </body>
</html>
  • Create sites-available directory (the nginx.org package does not ship these two directories, unlike Ubuntu's own nginx package, so they are created by hand)
sudo mkdir /etc/nginx/sites-available/
  • Create sites-enabled directory
sudo mkdir /etc/nginx/sites-enabled
  • Create nginx server block
sudo vi /etc/nginx/sites-available/devopsbyexample.io
server {
        listen 80;

        root /var/www/devopsbyexample.io/html;
        index index.html;

        server_name devopsbyexample.io www.devopsbyexample.io;

        location / {
                try_files $uri $uri/ =404;
        }
}
  • Add an include statement inside the http { } block of nginx.conf, next to the existing include /etc/nginx/conf.d/*.conf; line, so that server blocks in sites-enabled are loaded
sudo vi /etc/nginx/nginx.conf
include /etc/nginx/sites-enabled/*;
  • Create a symlink
sudo ln -s /etc/nginx/sites-available/devopsbyexample.io /etc/nginx/sites-enabled/
  • Test nginx config
sudo nginx -t
  • Reload nginx config
sudo nginx -s reload
  • Create A records for devopsbyexample.io and www.devopsbyexample.io pointing at the instance's public IP. Let's Encrypt validates each name by fetching a challenge over HTTP from that address, so both names must resolve before running certbot
  • Check DNS. If you are using Cloudflare in front of the server, set SSL/TLS > Overview to Full (strict) so Cloudflare validates the origin's certificate; Flexible mode would leave the Cloudflare-to-origin leg on plain HTTP
dig devopsbyexample.io
dig www.devopsbyexample.io

4. Install Certbot on Ubuntu 20.04 LTS

  • Go to official certbot page
  • Go to install snap page
  • Check snap version
snap version
  • If you don't have it, check availability with apt policy snapd and install it with sudo apt install snapd
  • Ensure that your version of snapd is up to date
sudo snap install core; sudo snap refresh core
  • Remove certbot-auto and any Certbot OS packages, so the snap is the only certbot on the system
sudo apt-get remove certbot
  • Install Certbot
sudo snap install --classic certbot
  • Prepare the Certbot command
sudo ln -s /snap/bin/certbot /usr/bin/certbot
  • Check certbot version
sudo certbot --version

5. Secure Nginx with Let's Encrypt on Ubuntu 20.04 LTS

  • Test certbot against the Let's Encrypt staging environment first. --test-cert issues a certificate from the staging CA, which browsers do not trust, but it proves the DNS, port 80 and nginx plugin setup work without consuming production rate limits
sudo certbot --nginx --test-cert
  • Open the nginx server block and see what certbot changed: it added listen 443 ssl, ssl_certificate and ssl_certificate_key lines pointing into /etc/letsencrypt/live/devopsbyexample.io/, an include of certbot's TLS settings, and (if you chose the redirect) a 301 from port 80, each line marked "# managed by Certbot"
cat /etc/nginx/sites-available/devopsbyexample.io
  • Issue the real certificate. If certbot notices the staging certificate and asks whether to reinstall it or renew and replace it, choose renew and replace
sudo certbot --nginx
  • Test renewal without actually renewing
sudo certbot renew --dry-run
  • Check the systemd timers; the snap installs snap.certbot.renew.timer, which runs certbot renew automatically so certificates are replaced before they expire
systemctl list-timers
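For reference, this is an added example (not a file from the tutorial's repository) of how the server block from step 3 typically looks after certbot --nginx with the redirect option has rewritten it. The certificate paths follow certbot's /etc/letsencrypt/live/<first domain>/ layout; the domain is the tutorial's, substitute your own.

```nginx
# Added example: the step-3 server block as certbot --nginx typically
# rewrites it. Lines marked "managed by Certbot" are certbot's; the
# surrounding comments explain what each one does.
server {
        root /var/www/devopsbyexample.io/html;
        index index.html;

        server_name devopsbyexample.io www.devopsbyexample.io;

        location / {
                try_files $uri $uri/ =404;
        }

    listen 443 ssl; # managed by Certbot
    # fullchain.pem = leaf certificate + intermediate, so clients can build
    # the chain; privkey.pem is the private key and stays root-only on disk.
    ssl_certificate /etc/letsencrypt/live/devopsbyexample.io/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/devopsbyexample.io/privkey.pem; # managed by Certbot
    # Certbot-maintained TLS policy: protocols, cipher suites, session settings.
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}

# Port 80 now only redirects the two known hostnames to HTTPS; any other
# Host header gets a 404 instead of being served over plain HTTP.
server {
    if ($host = www.devopsbyexample.io) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    if ($host = devopsbyexample.io) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

        listen 80;
        server_name devopsbyexample.io www.devopsbyexample.io;
    return 404; # managed by Certbot
}
```

Edit the non-certbot parts as you like, but leave the managed lines alone: certbot rewrites them on renewal and on a second run. If you also want browsers to refuse plain HTTP for the site in future, certbot's --hsts option adds the Strict-Transport-Security header for you.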
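The tutorial ends with certbot renew --dry-run and the timer list, which check certbot's view of things. The script below is an added example, not part of the original tutorial, that checks what the server actually presents to clients: whether the certificate on port 443 is still the untrusted staging one from --test-cert, how long it has left, and whether port 80 redirects to HTTPS. The hostname defaults to the tutorial's domain and the issuer strings in the self-check are constructed in the format openssl prints; only the issuer classification runs offline, the live checks need the deployed server.

```shell
#!/bin/sh
# Added example, not from the original tutorial: post-issuance checks for
# the certificate nginx now serves. HOST defaults to the tutorial's domain.
set -eu

HOST=${HOST:-devopsbyexample.io}

# issuer_is_production ISSUER: succeed for a Let's Encrypt production issuer.
# The staging CA that --test-cert uses names itself "(STAGING) Let's Encrypt"
# and is not trusted by browsers, so seeing it here means the real
# `certbot --nginx` run has not happened yet.
issuer_is_production() {
    case "$1" in
        *"(STAGING)"*)     return 1 ;;
        *"Let's Encrypt"*) return 0 ;;
        *)                 return 1 ;;
    esac
}

# served_cert: the leaf certificate the server presents for HOST on 443.
# -servername sends SNI, so a server hosting several sites returns the
# certificate for this name rather than its default one.
served_cert() {
    openssl s_client -connect "$HOST:443" -servername "$HOST" </dev/null 2>/dev/null \
        | openssl x509
}

live_checks() {
    cert=$(served_cert)

    issuer=$(printf '%s\n' "$cert" | openssl x509 -noout -issuer)
    echo "$issuer"
    if ! issuer_is_production "$issuer"; then
        echo "staging certificate still installed: rerun 'sudo certbot --nginx' without --test-cert" >&2
        return 1
    fi

    # Certbot renews when 30 days or less remain, so a certificate inside
    # that window after the renew timer has had a chance to run means
    # renewal is failing. -checkend returns non-zero if it expires in time.
    printf '%s\n' "$cert" | openssl x509 -noout -dates
    if ! printf '%s\n' "$cert" | openssl x509 -noout -checkend $((30 * 86400)); then
        echo "less than 30 days left: check 'sudo certbot renew --dry-run' and the timer" >&2
        return 1
    fi

    # Plain HTTP should answer with a redirect to https:// if you chose
    # certbot's redirect option; otherwise the site is still reachable over
    # HTTP and nothing forces visitors onto TLS.
    curl -sI "http://$HOST/" | grep -i '^location: https://' >/dev/null \
        || echo "no HTTP to HTTPS redirect on port 80" >&2
}

if [ "${1:-}" = "--live" ]; then
    live_checks
fi
```

Run it as HOST=yourdomain.example sh check-cert.sh --live from any machine with openssl and curl; it exits non-zero if the site still serves the staging certificate or is within certbot's renewal window, which is the point at which a missed renewal would otherwise go unnoticed until the certificate expires.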

Clean Up

  • Delete EC2 instance
  • Delete security group nginx
  • Delete key pair devops
  • Remove A records

Links