Creating Multiple LetsEncrypt Certificates for Multiple Domains using Nginx on Ubuntu 16.10

Just recently I had to migrate to the Nginx web server from Apache2. For me, Apache2 is just too complicated. After a few months with Apache2, and after struggling with configuring basic settings, I switched.

This brief tutorial is going to show you how I managed to get LetsEncrypt installed on a single Ubuntu server with Nginx running multiple websites over HTTPS.

On Ubuntu servers with Nginx installed, the steps below will get you going with LetsEncrypt quickly. This tutorial assumes you already have the Nginx web server installed and working on Ubuntu, and that it is able to serve pages. When you’ve confirmed that, continue below to create LetsEncrypt certificates for Nginx to use on Ubuntu servers.

STEP 1: YOU’LL NEED GIT TO DOWNLOAD LETSENCRYPT PACKAGES.

To get the LetsEncrypt packages onto your server from the GitHub repository, you must install git. To do that, run the commands below.

sudo apt-get update
sudo apt-get install git

After installing the git package, run the command below to download the LetsEncrypt project code.

cd /opt && git clone https://github.com/letsencrypt/letsencrypt

The command above will put you in the /opt directory and download the LetsEncrypt packages.

Next, change into the LetsEncrypt directory by running the command below.

cd letsencrypt

Before you can obtain certificates for your sites, some required packages must be installed. The letsencrypt-auto client script installs these dependencies itself the first time it runs. Run the command below to get them installed.

./letsencrypt-auto --help

Wait until all the dependencies are installed. After that, the client prints its help output, which lists the commands used to obtain certificates for your domains and sites.

STEP 2: OBTAINING CERTIFICATES FOR YOUR SITES

After installing the required packages for the LetsEncrypt scripts to function, continue below to obtain certificates. LetsEncrypt works like a traditional CA: it must validate that you own the domains you’re obtaining certificates for, and the certificate it issues is bound to your server’s public key.

The process of validating that you own the domains can be done by one of the two methods below:

  1. Validating the DNS records for the domain
  2. Provisioning an HTTP resource under the well-known URL on the domain.

The latter is the most popular way to validate that you own a domain.

Again, at this point, you should already have Nginx functioning. If Nginx isn’t able to serve files from the site’s root directory, you may not be able to validate that you own the domains and the server they’re assigned to.

When you’re ready, run the command below to obtain a certificate for the domains specified in the command options.

sudo ./letsencrypt-auto certonly --webroot -w /var/www/html/example.com -d example.com -d www.example.com

When you run the command above, you’ll be asked to enter your email address and agree to the terms. Once you’re done, and if everything is validated, your new certificate will be installed in the /etc/letsencrypt/live/<domain name>/ directory.

The --webroot option in the command above automates the process of obtaining a certificate from the CA. LetsEncrypt supports several plugins for this process; the webroot plugin can be used with the certonly command to request and renew certificates for domain hosts. You must specify the site’s root directory with the -w option, as in the command above. The root directory is where the content of the website is served from.

Repeat the steps above for each domain. All the certificates will live in the /etc/letsencrypt/live/ directory, each under a subdirectory named after its domain.
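The webroot method only succeeds if Nginx really serves files placed under the site root over plain HTTP at the well-known challenge path (/.well-known/acme-challenge/). A common reason validation fails is an Nginx rule that denies access to dot-directories, and the client's error output is not always clear about it. The pre-flight script below is an added example, not part of the original tutorial or of the LetsEncrypt client; it assumes the tutorial's webroot /var/www/html/example.com and domain names, and that curl is installed on the server.

```shell
#!/bin/sh
# Pre-flight check for the webroot method: drop a probe file into
# WEBROOT/.well-known/acme-challenge/ and confirm that Nginx serves it
# at http://DOMAIN/.well-known/acme-challenge/<name> over plain HTTP,
# which is how the CA performs the validation. (Added example; the
# webroot and domain names below are the tutorial's placeholders.)

CHALLENGE_DIR=".well-known/acme-challenge"

# Create a probe file under the webroot and print its name.
# Usage: prepare_probe /var/www/html/example.com
prepare_probe() {
    webroot="$1"
    name="probe-$$-$(date +%s)"
    mkdir -p "$webroot/$CHALLENGE_DIR" || return 1
    printf '%s\n' "$name" > "$webroot/$CHALLENGE_DIR/$name" || return 1
    printf '%s\n' "$name"
}

# Fetch the probe over HTTP (port 80, not HTTPS) and compare the body
# with what we wrote. Returns 0 when they match.
# Usage: check_probe example.com probe-1234-1700000000
check_probe() {
    domain="$1"; name="$2"
    body=$(curl -fsS --max-time 10 "http://$domain/$CHALLENGE_DIR/$name") || return 1
    [ "$body" = "$name" ]
}

# Remove the probe file again.
# Usage: cleanup_probe /var/www/html/example.com probe-1234-1700000000
cleanup_probe() {
    rm -f "$1/$CHALLENGE_DIR/$2"
}

# Run the check for every domain name the webroot serves.
# Usage: preflight /var/www/html/example.com example.com www.example.com
preflight() {
    webroot="$1"; shift
    name=$(prepare_probe "$webroot") || { echo "cannot write to $webroot" >&2; return 1; }
    status=0
    for domain in "$@"; do
        if check_probe "$domain" "$name"; then
            echo "OK   $domain serves $CHALLENGE_DIR from $webroot"
        else
            echo "FAIL $domain does not serve $CHALLENGE_DIR from $webroot"
            status=1
        fi
    done
    cleanup_probe "$webroot" "$name"
    return $status
}

# Only run when invoked with arguments:
#   sh acme-preflight.sh /var/www/html/example.com example.com www.example.com
if [ $# -gt 0 ]; then
    preflight "$@"
fi
```

Run it from the server (or anywhere that can reach the domain over port 80) before calling letsencrypt-auto; a FAIL line for a name that otherwise serves pages usually means a `location ~ /\.` deny rule or a redirect to HTTPS is hiding the challenge directory, and that is what to fix in the Nginx config first.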

After obtaining the certificates, open your Nginx site config file by running the command below.

sudo nano /etc/nginx/conf.d/default.conf

Add these lines and save.

# HTTPS server
server {
   listen 443 ssl http2;
   server_name example.com www.example.com;
   # Certificate chain and private key written by letsencrypt-auto in Step 2
   ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
   ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
   ssl_session_cache shared:SSL:10m;
   ssl_session_timeout 5m;
   # TLSv1 and TLSv1.1 are deprecated; keep only TLSv1.2 unless you must support old clients
   ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
   ssl_prefer_server_ciphers on;
   ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
   location / {
      root /var/www/html/example.com;
      index index.php index.html index.htm;
   }
......
......
......
}

Save the file and you’re done.

Test Nginx configuration settings by running the commands below.

sudo nginx -t

If Nginx comes back with no errors, then you’re good. You can now begin to use HTTPS for your site.

Do not forget to do a redirect of all HTTP traffic to HTTPS.

Add this server block into site config file above the HTTPS section to redirect all traffic to HTTPS:

server {
   listen 80;
   server_name example.com www.example.com;
   # $server_name expands to the first name listed above (example.com), so
   # requests for www.example.com are redirected to the bare domain, which
   # the certificate also covers.
   return 301 https://$server_name$request_uri;
}

STEP 3: RENEWING YOUR CERTIFICATES

To renew your certificate, run the same command you used to create it, from the LetsEncrypt directory.

sudo ./letsencrypt-auto certonly --webroot -w /var/www/html/example.com -d example.com -d www.example.com

If you don’t want to do this manually every time your certificate expires, you can create a cron job to run it.

Below is a script I used to automate renewing my certificates.

#!/bin/sh
# Renew with the webroot plugin. --keep (keep-until-expiring) leaves the
# existing certificate alone unless it is close to expiry, so running this
# daily from cron is safe. The client was cloned into /opt/letsencrypt in
# Step 1, so it is called from there.
if ! /opt/letsencrypt/letsencrypt-auto certonly -tvv --keep --webroot -w /var/www/html/example.com -d example.com -d www.example.com > /var/log/letsencrypt/renew.log 2>&1 ; then
   echo "Automated renewal failed:"
   cat /var/log/letsencrypt/renew.log
   exit 1
fi
# Reload Nginx so it picks up the renewed certificate files.
nginx -s reload

Save the script to a file, then make the file executable by running the command below.

sudo chmod +x file_name

Now, create a cron job to execute the file daily so you are never left with expired certificates.
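The renewal script above handles one certificate; once you have repeated Step 2 for several domains, one cron job that walks a list of sites is easier to maintain. The script below is an added example, not the author's script and not part of the LetsEncrypt client. It assumes the client lives in /opt/letsencrypt as installed in Step 1, a site list at /etc/letsencrypt/sites.txt (a constructed path) with one line per certificate in the form "<webroot> <domain> [more domains...]", and that openssl and GNU date are available. It reads each certificate's expiry date and only calls the CA when fewer than 30 days remain, so a daily cron run does not spend rate limits on certificates that are still fresh.

```shell
#!/bin/sh
# Multi-site renewal for cron. Added example; assumptions are noted inline.
#
# Site list format (/etc/letsencrypt/sites.txt, constructed for this example):
#   /var/www/html/example.com example.com www.example.com
#   /var/www/html/example.org example.org

LE="/opt/letsencrypt/letsencrypt-auto"          # cloned in Step 1
SITES="${SITES:-/etc/letsencrypt/sites.txt}"     # assumed site list
LOG="/var/log/letsencrypt/renew.log"
RENEW_WITHIN_DAYS=30

# Turn one site line into the --webroot -w/-d arguments letsencrypt-auto expects.
# Usage: build_args "/var/www/html/example.com example.com www.example.com"
build_args() {
    set -- $1                      # split the line on whitespace
    webroot="$1"; shift
    args="--webroot -w $webroot"
    for d in "$@"; do
        args="$args -d $d"
    done
    printf '%s\n' "$args"
}

# Whole days from NOW (epoch seconds) until EXPIRY (epoch seconds).
# Usage: days_until EXPIRY NOW
days_until() {
    echo $(( ($1 - $2) / 86400 ))
}

# Days left on a certificate file, read with openssl. Prints -1 when the
# file is missing so the caller treats the site as "needs issuing".
cert_days_left() {
    cert="$1"
    [ -f "$cert" ] || { printf '%s\n' -1; return; }
    enddate=$(openssl x509 -in "$cert" -noout -enddate | cut -d= -f2)
    days_until "$(date -d "$enddate" +%s)" "$(date +%s)"   # GNU date assumed
}

# Decide from the days-left count whether to contact the CA at all.
needs_renewal() {
    [ "$1" -lt "$RENEW_WITHIN_DAYS" ]
}

# Walk the site list, renew what is due, reload Nginx once if anything changed.
renew_all() {
    [ -f "$SITES" ] || { echo "no site list at $SITES" >&2; return 1; }
    changed=0
    while read -r line; do
        case "$line" in ''|'#'*) continue ;; esac   # skip blanks and comments
        args=$(build_args "$line")
        set -- $line
        first="$2"                                   # first domain names the live/ dir
        left=$(cert_days_left "/etc/letsencrypt/live/$first/cert.pem")
        if needs_renewal "$left"; then
            echo "renewing $first ($left days left)"
            # $args is intentionally unquoted so it splits into separate options
            if "$LE" certonly -tvv --keep $args >>"$LOG" 2>&1; then
                changed=1
            else
                echo "renewal failed for $first, see $LOG" >&2
            fi
        else
            echo "$first ok ($left days left)"
        fi
    done < "$SITES"
    [ "$changed" -eq 1 ] && nginx -s reload
    return 0
}

# Cron entry (assumed install path):  0 3 * * * /usr/local/bin/renew-certs.sh run
if [ "${1:-}" = "run" ]; then
    renew_all
fi
```

Install it somewhere on root's PATH, mark it executable as shown above, and add the crontab line from the comment; the "run" argument keeps the script inert when sourced, so the helper functions can be checked without touching the CA. Failures are written to stderr, which cron mails to root, while the client's own verbose output goes to the log file.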
