Securing Nginx with Let’s Encrypt on Ubuntu 16.04

First we need to install certbot utility:

apt-get install software-properties-common
add-apt-repository ppa:certbot/certbot
apt-get update
apt-get install python-certbot-nginx

After that, we can easily generate SSL certificates for all the domains listed in the Nginx ‘server_name’ directives of active (working) virtual hosts. For example:

certbot --nginx certonly -d slogpost.ru -d www.slogpost.ru
certbot --nginx certonly -d psiholog-s-vami.ru -d www.psiholog-s-vami.ru
certbot certonly --nginx --cert-name sharlines.com -d sharlines.com -d www.sharlines.com
certbot certonly --nginx --cert-name developernote.com -d developernote.com -d www.developernote.com -d herb.developernote.com -d mastermag.developernote.com -d geographx.developernote.com -d geographx.net -d www.geographx.net -d xn--80acc2atiigge7h.xn--p1ai -d www.xn--80acc2atiigge7h.xn--p1ai -d git.developernote.com -d gitweb.developernote.com

(do not forget to run the commands above each time you add or remove a subdomain)

We cannot use wildcard domains like *.developernote.com with Let’s Encrypt, so we should list all the subdomains. And I do not see anything wrong in combining multiple domains in a single certificate.
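To keep the list of -d names in step with what Nginx actually serves, here is an added Python helper (not part of the original post) that collects the server_name entries from an Nginx config, builds the certbot certonly command shown above, and reports names that drifted between the config and the names currently on the certificate. The config text is a constructed sample, and wildcard and regex names are skipped as the post explains.

```python
import re
import shlex

# Constructed sample Nginx config (not from the post): two virtual hosts,
# one with server_name split across lines and one commented-out name.
SAMPLE_NGINX_CONF = """
server {
    server_name developernote.com www.developernote.com git.developernote.com;
    # server_name old.developernote.com;
}
server {
    server_name sharlines.com
                www.sharlines.com;
}
"""


def server_names(conf_text):
    """Return the unique, lower-cased server_name entries in config order."""
    names = []
    text = re.sub(r'#.*', '', conf_text)  # drop '#' comments up to end of line
    for match in re.finditer(r'\bserver_name\s+([^;]+);', text):
        for name in match.group(1).split():
            name = name.lower()
            # '_' is the catch-all, '~' starts a regex name and '*' a wildcard,
            # which the post says cannot be issued here: skip all three.
            if name == '_' or name.startswith(('~', '*')):
                continue
            if name not in names:
                names.append(name)
    return names


def certbot_command(cert_name, names):
    """Build the 'certbot certonly --nginx' command line, one -d per name."""
    args = ['certbot', 'certonly', '--nginx', '--cert-name', cert_name]
    for name in names:
        args += ['-d', name]
    return ' '.join(shlex.quote(a) for a in args)


def cert_drift(config_names, cert_names):
    """Return (names missing from the cert, names on the cert Nginx no longer
    serves); a non-empty first list means the command must be re-run."""
    config_set, cert_set = set(config_names), set(cert_names)
    return sorted(config_set - cert_set), sorted(cert_set - config_set)
```

Feed cert_drift the SAN list read from the existing certificate (for example from openssl x509 -text) after every vhost change to catch a forgotten subdomain before the next renewal.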

To remove the certificate we do something like this:

certbot revoke --cert-path /etc/letsencrypt/live/developernote.com/fullchain.pem
certbot delete --cert-name developernote.com

Updating all the generated certificates:

certbot renew

After changing the website URL from HTTP to HTTPS, it probably makes sense to update all the hyperlinks in the MySQL database:

show tables;
show columns from wp_posts;
SELECT ID, post_title, post_date, post_name FROM wp_posts WHERE INSTR(post_content, 'http://slogpost.ru') <> 0;
UPDATE wp_posts SET post_content=REPLACE(post_content, 'http://slogpost.ru', 'https://slogpost.ru') WHERE INSTR(post_content, 'http://slogpost.ru') <> 0;
UPDATE wp_posts SET post_content=REPLACE(post_content, 'http://developernote.com', 'https://developernote.com') WHERE INSTR(post_content, 'http://developernote.com') <> 0;

The final step is adding a certbot-renew.sh file to /etc/cron.monthly with the following content:

certbot renew
service squid reload

It seems like the service … command is completely ignored. Nothing in syslog, nothing in nginx logs. I switched to using

certbot renew
systemctl reload squid

instead, and this seems to work.