Securing Nginx on Debian 10

25 May, 2020 - Reading time: 4 minutes

Let’s Encrypt is a Certificate Authority (CA) that issues free TLS (SSL) certificates, which enable encrypted HTTPS on web servers. Its recommended client, Certbot (maintained by the EFF), automates most of the work: proving control of the domain, obtaining the certificate, installing it in the web server and renewing it before it expires.

In this tutorial, I'll show you how to use Certbot to obtain a free TLS certificate for Nginx on Debian 10 and set up the certificate to renew automatically.

This tutorial will use a separate Nginx server block file instead of the default file.

Prereqs

  • A Debian 10 server, set up with Nginx, along with a sudo non-root user and a firewall (you can follow my previous article here if you don't have this configured).
  • A registered domain name. Use Namecheap or similar if you don't have one.
  • The following two DNS records pointing to the public IP address of your Debian 10 server. They must be live before Step 4, because Let's Encrypt validates ownership by fetching a challenge file from each name over HTTP.
    1. An A record with [domain_name] pointing to the public IP address.
    2. An A record with www.[domain_name] pointing to the public IP address.

Step 1 — Installing Certbot

  1. Run sudo apt update to refresh the package lists.
  2. Optional: Run sudo apt install python3-acme python3-certbot python3-mock python3-openssl python3-pkg-resources python3-pyparsing python3-zope.interface to install the Python dependencies explicitly. apt pulls these in anyway in the next step.
  3. Run sudo apt install python3-certbot-nginx to install Certbot's Nginx plugin. The certbot package comes in as a dependency and provides the certbot command.

Step 2 - Confirming Nginx’s Configuration

  1. Run sudo nano /etc/nginx/sites-available/[domain_name] and confirm that the server_name directive lists both names, i.e. server_name [domain_name] www.[domain_name];. Certbot's Nginx plugin finds the server block to edit by matching server_name against the names you pass with -d, so a name missing here cannot be secured by the plugin.
  2. If you changed the file, run sudo nginx -t to validate the configuration and then sudo systemctl reload nginx to apply it.
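Since Certbot's Nginx plugin keys on the server_name directive, here is what a minimal plain-HTTP server block for the two names looks like, wrapped in a small POSIX shell script that writes it, enables it and validates the configuration. This is an added example, not configuration from the article: the document root /var/www/[domain]/html, the script name make-block.sh and the sites-available/sites-enabled layout are assumptions (the layout is Debian's default). Certbot adds the listen 443 and ssl_certificate lines itself in Step 4.

```shell
#!/bin/sh
# Added example (not from the article): write a minimal Nginx server block that
# Certbot's nginx plugin can find. Assumes Debian's sites-available/sites-enabled
# layout and a document root of /var/www/$DOMAIN/html; adjust to your layout.
# Usage: sudo env DOMAIN=example.com sh make-block.sh   (script name is assumed)
set -eu

# Write a plain-HTTP server block for DOMAIN to FILE. Certbot matches the names
# given with -d against server_name, so both the bare and the www name go here.
# Certbot itself adds the listen 443 / ssl_certificate lines when it runs.
write_server_block() {
  domain=$1
  file=$2
  cat > "$file" <<EOF
server {
    listen 80;
    listen [::]:80;

    server_name $domain www.$domain;

    root /var/www/$domain/html;
    index index.html;

    location / {
        try_files \$uri \$uri/ =404;
    }
}
EOF
}

# Enable the block and check the whole Nginx configuration before reloading.
enable_and_check() {
  domain=$1
  ln -sf "/etc/nginx/sites-available/$domain" "/etc/nginx/sites-enabled/$domain"
  nginx -t && systemctl reload nginx
}

# Only act when DOMAIN is set, so the functions can also be sourced for reuse.
if [ -n "${DOMAIN:-}" ]; then
  mkdir -p "/var/www/$DOMAIN/html"
  write_server_block "$DOMAIN" "/etc/nginx/sites-available/$DOMAIN"
  enable_and_check "$DOMAIN"
fi
```

The heredoc is unquoted so that $domain expands, while \$uri is escaped so that Nginx, not the shell, sees the $uri variable. nginx -t runs before the reload so a typo in the new block cannot take down the sites that already work.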

Step 3 - Allow HTTPS Through the Firewall

Note: If you followed my previous article here to configure Nginx you don't need this step, since we already allowed HTTPS in that article.

  1. Run sudo ufw status to see which application profiles are currently allowed.
  2. Run sudo ufw allow 'Nginx Full' to allow both unencrypted and encrypted connections (ports 80 and 443). Port 80 must stay open even after the site redirects to HTTPS: Let's Encrypt validates control of the domain by fetching a challenge file over plain HTTP, and the automatic renewals in Step 5 repeat that check.
  3. Run sudo ufw status to confirm that the Nginx Full profile is now listed as allowed.

Step 4 — Get the SSL Certificate

  1. Run sudo certbot --nginx -d [domain_name] -d www.[domain_name]. Certbot proves control of both names, obtains a single certificate covering them and edits the matching server block to use it. On a first run it also asks for a contact e-mail address and acceptance of the Let's Encrypt terms of service.
  2. Choose option 2 to redirect all HTTP (insecure) traffic to HTTPS (secure) and press Enter.
  3. Navigate to https://[domain_name] in your browser and check the security indicator. It should show a padlock with no warnings, and clicking it should show a certificate issued by Let's Encrypt that covers both names. Also try http://[domain_name] and confirm that it redirects to the https:// address.

Step 5 — Verify Certbot Auto-Renewal

  1. Run sudo certbot renew --dry-run to test the renewal process against Let's Encrypt's staging environment without replacing your real certificate.
  2. If you see no errors you're all set, with your new secured HTTPS site. The Debian certbot package installs a systemd timer, certbot.timer, that runs certbot renew twice a day (check it with systemctl list-timers certbot.timer); certbot only replaces a certificate when it is within 30 days of its 90-day expiry, so no extra cron entry is needed.
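The five steps above, collected into one script with the checks a practitioner wants before and after issuance. This is an added example, not the article's code: it verifies that both names resolve to the server's public address before asking Let's Encrypt for anything (HTTP-01 validation fails otherwise), confirms the server block lists both names, runs Certbot non-interactively with the same HTTP-to-HTTPS redirect as option 2, and then checks the redirect and the served certificate. The script name secure-nginx.sh, the contact address admin@[domain] and the use of api.ipify.org to discover the public IP (override it with PUBLIC_IP) are assumptions; the commands are the article's own plus standard Certbot, curl and openssl options.

```shell
#!/bin/sh
# Added example, not from the article: Certbot + Nginx on Debian 10 with
# pre-flight and post-issuance checks. Assumptions: Nginx and ufw are installed,
# the server block lives at /etc/nginx/sites-available/$DOMAIN, and the public
# IPv4 address is discovered via api.ipify.org unless PUBLIC_IP is set.
# Usage: sudo env DOMAIN=example.com sh secure-nginx.sh   (name is an assumption)
set -eu

# Return 0 when every NAME appears in a single-line server_name directive of FILE.
# Certbot's nginx plugin selects the block whose server_name matches -d,
# so a missing name means it cannot install the certificate for that name.
server_names_present() {
  file=$1; shift
  for name in "$@"; do
    grep -E '^[[:space:]]*server_name[[:space:]]' "$file" \
      | tr -s ' \t;' '\n' | grep -qxF "$name" || return 1
  done
}

# Return 0 when IP is one of the whitespace-separated addresses in LIST.
ip_in_list() {
  ip=$1
  list=$2
  for candidate in $list; do
    [ "$candidate" = "$ip" ] && return 0
  done
  return 1
}

# Check that each NAME's A record(s) include PUBLIC_IP. Let's Encrypt validates
# HTTP-01 by fetching http://NAME/.well-known/acme-challenge/<token>, which
# fails while DNS still points elsewhere (the A records from the prerequisites).
dns_points_here() {
  public_ip=$1; shift
  for name in "$@"; do
    resolved=$(getent ahostsv4 "$name" | awk '{print $1}' | sort -u | tr '\n' ' ')
    ip_in_list "$public_ip" "$resolved" \
      || { echo "$name resolves to [${resolved:-nothing}], not $public_ip" >&2; return 1; }
  done
}

# Post-issuance checks: HTTP must redirect to HTTPS, and the served certificate
# is printed with its issuer and validity window for a final eyeball check.
verify_https() {
  domain=$1
  curl -sI "http://$domain/" | grep -iq '^location: https://' \
    || { echo "no HTTP->HTTPS redirect on $domain" >&2; return 1; }
  echo | openssl s_client -connect "$domain:443" -servername "$domain" 2>/dev/null \
    | openssl x509 -noout -issuer -dates
}

main() {
  domain=$1
  public_ip=$2
  conf=/etc/nginx/sites-available/$domain

  server_names_present "$conf" "$domain" "www.$domain" \
    || { echo "$conf must list $domain and www.$domain in server_name" >&2; exit 1; }
  dns_points_here "$public_ip" "$domain" "www.$domain"

  # Step 1: the nginx plugin package depends on certbot and its Python
  # libraries, so apt installs them in one go.
  apt update
  apt install -y python3-certbot-nginx
  # Steps 2 and 3: validate the configuration and open ports 80 and 443.
  nginx -t
  ufw allow 'Nginx Full'
  # Step 4: --redirect is the non-interactive form of "option 2"; the other
  # flags answer the prompts a first run would otherwise ask interactively.
  certbot --nginx --non-interactive --agree-tos --no-eff-email \
    -m "admin@$domain" --redirect -d "$domain" -d "www.$domain"
  # Step 5: dry-run renewal and show the systemd timer the Debian package installs.
  certbot renew --dry-run
  systemctl list-timers certbot.timer --no-pager
  verify_https "$domain"
}

# Only act when DOMAIN is set, so the check functions can be sourced on their own.
if [ -n "${DOMAIN:-}" ]; then
  main "$DOMAIN" "${PUBLIC_IP:-$(curl -4fsS https://api.ipify.org)}"
fi
```

The DNS check uses getent rather than dig so it needs no extra package, and it resolves through the host's configured resolver; if you have just changed the records, a cached answer can still point at the old address, which is exactly the case the check is meant to catch before Certbot burns a validation attempt. The certificate printed at the end should name Let's Encrypt as the issuer and show a notAfter date about 90 days out.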