Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Version History

« Previous Version 3 Next »

Certbot - SSL Certificate

Having an SSL certificate ensures a secure connection between users and the server, and that no data is compromised while it is traveling over the internet. This allows users to connect using HTTPS protocol over port 443.

This guide assumes the server already has a domain and the necessary DNS record/s have been created. Also we are assuming Ngnix is installed

  1. Open ports 80 and 443, belonging to HTTP and HTTPS respectively. Port 22 is also required.

  2. Connect via SSH to the server with a user with sudo privileges.

  3. Install Certbot

    sudo snap install --classic certbot

  4. Prepare the Certbot command

    sudo ln -s /snap/bin/certbot /usr/bin/certbot

  5. Generate the certificate, this will also automatically edit the nginx configuration to serve it.

    sudo certbot --nginx

    1. Certbot will ask some questions, like an email to send notifications about certificate renewals.

    2. After the initial questions, Certbot will ask for the domain names to issue the certificate. It will try to access the server over port 80 using the domain name, so the DNS records must be already configured.

  6. Test that Certbot is capable of renewing the certificate, otherwise after a couple of months it will expire and users will lose access to the services.

    sudo certbot renew --dry-run
    image-20241001-222438.png

Official installation guide: https://certbot.eff.org/instructions?ws=nginx&os=snap

Official documentation: https://eff-certbot.readthedocs.io/en/stable/

Nginx Configuration

It is recommended to install the SSL certificate using Certbot before going through this section of the configuration.

Nginx will act as a reverse-proxy and redirect users requests that come through port 443 to the correct destinations.

  1. Nginx configuration file can be edited using the following command:

    vim/etc/nginx/sites-enabled/default

  2. Search for the server bracket that is listening to port 443. Certbot configuration can be found here.

  3. Edit and add the locations to redirect traffic. For Tomcat:

    # Default server configuration
#
server {
    listen 80 default_server;
    listen [::]:80 default_server;

    root /var/www/html;

    # Add index.php to the list if you are using PHP
    index index.html index.htm index.nginx-debian.html;

    server_name _;

    location / {
            # First attempt to serve request as file, then
            # as directory, then fall back to displaying a 404.
            try_files $uri $uri/ =404;
    }
}

server {
        listen 80;  # Redirect from HTTP to HTTPS
        server_name  dev.zwe-wfa.psidigital.org;  # domain

        return 301 https://$host$request_uri;  # redirect
    }

server {
    listen 443 ssl;
    server_name 3.130.224.234; # TODO: do we need another domain.

    location / {
        proxy_pass http://localhost:8080;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    ssl_certificate /etc/letsencrypt/live/dev.zwe-wfa.psidigital.org/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/dev.zwe-wfa.psidigital.org/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}

server {
    root /var/www/html;

    # Add index.php to the list if you are using PHP
    index index.html index.htm index.nginx-debian.html;
    # server_name dev.zwe-wfa.psidigital.org; # managed by Certbot
    server_name  dev.zwe-wfa.psidigital.org;  # domain

    location / {
        rewrite ^/(.*)$ /wfa/$1 break;
        proxy_pass http://localhost:8080;  # redirect to  WFA
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }


    listen [::]:443 ssl ipv6only=on; # managed by Certbot
    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/dev.zwe-wfa.psidigital.org/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/dev.zwe-wfa.psidigital.org/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}

server {
    if ($host = dev.zwe-wfa.psidigital.org) {
        return 301 https://$host$request_uri;
    } # managed by Certbot


    listen 80 ;
    listen [::]:80 ;
    #server_name dev.zwe-wfa.psidigital.org;
    server_name dev.zwe-wfa.psidigital.org;  # domain
    return 404; # managed by Certbot
}

Remember that after any modification to a nginx configuration file, its is required to restart the service.

systemctl restart nginx
  • No labels