Guide to Issuing Let's Encrypt Certificates for Multiple Websites with Nginx
Introduction
Securing your websites with SSL/TLS certificates is crucial for protecting data, enhancing user trust, and improving search engine rankings. Let's Encrypt offers a free, automated, and open-source solution for obtaining SSL certificates, making it easier than ever to secure your websites. In this tutorial, we will walk you through the steps to issue Let's Encrypt certificates for multiple websites using Nginx. By following this guide, you'll be able to configure Nginx to use SSL, automate the renewal process, and ensure all your sites remain secure.
What is Let's Encrypt?
Let's Encrypt is a certificate authority that provides SSL/TLS certificates for free. It automates the process of certificate issuance, making it accessible even for users with limited technical knowledge. With Let's Encrypt, you can secure your website's traffic, enhance security, and improve your site's credibility.
Prerequisites
- An Ubuntu server with a LEMP stack installed.
- Two valid domain names. For example: devopsroles.com and huuphan.com.
- Shell access to your VPS.
- The certbot and python3-certbot-nginx packages installed on your system.
Configuring Let's Encrypt for the First Website
To issue a free SSL certificate for your website, run the following command:
certbot --nginx -d huuphan.com
After running the command, you'll see the following output:
root@localhost:~# certbot --nginx -d huuphan.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx
Cert not yet due for renewal
You have an existing certificate that has exactly the same domains or certificate name you requested and isn't close to expiry.
(ref: /etc/letsencrypt/renewal/huuphan.com.conf)
What would you like to do?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: Attempt to reinstall this existing certificate
2: Renew & replace the certificate (may be subject to CA rate limits)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Renewing an existing certificate for huuphan.com
Deploying Certificate to VirtualHost /etc/nginx/conf.d/huuphan.com.conf
Redirecting all traffic on port 80 to ssl in /etc/nginx/conf.d/huuphan.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Your existing certificate has been successfully renewed, and the new certificate
has been installed.
The new certificate covers the following domains: https://huuphan.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/huuphan.com/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/huuphan.com/privkey.pem
Your certificate will expire on 2021-11-16. To obtain a new or
tweaked version of this certificate in the future, simply run
certbot again with the "certonly" option. To non-interactively
renew *all* of your certificates, run "certbot renew"
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
Repeat the Process for Other Websites
You should repeat this process for all your other websites. You can test your SSL certificates by visiting the URL
Automate Let's Encrypt Certificate Renewal
To automate the certificate renewal process, you need to set up a cron job as follows:
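crontab -e
Add the following line. A crontab opened with crontab -e has no user column (that field is only used in /etc/crontab and /etc/cron.d files), so the command follows the schedule directly:
10 11 * * * /usr/bin/certbot renew >/dev/null 2>&1
You can renew the certificates manually:
certbot renew
Test that certificates are being renewed correctly:
certbot renew --dry-run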
Configuring Nginx for SSL
Updating Nginx Configuration
To use SSL with Nginx, update your Nginx configuration file for each domain. Ensure the following directives are present:
server {
    listen 80;
    server_name yourdomain.com www.yourdomain.com;
    return 301 https://$server_name$request_uri;
}
server {
    listen 443 ssl;
    server_name yourdomain.com www.yourdomain.com;
    ssl_certificate /etc/letsencrypt/live/yourdomain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/yourdomain.com/privkey.pem;
}
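When this block is copied from one site to the next, a certificate or key path left pointing at another domain's directory is the usual mistake. The following check is an added example, not part of the original guide: it reads the server blocks and reports any 443 listener whose paths do not sit under /etc/letsencrypt/live/ for that site or a parent domain. The function names and the sample configuration are hypothetical, and the parser assumes no quoted braces or `${...}` variables.

```python
import re

SAMPLE_CONF = """# Constructed sample: site two was copied from site one, key path never updated.
server {
    listen 443 ssl;
    server_name huuphan.com www.huuphan.com;
    ssl_certificate /etc/letsencrypt/live/huuphan.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/huuphan.com/privkey.pem;
    location / { try_files $uri $uri/ =404; }
}
server {
    listen 443 ssl;
    server_name devopsroles.com;
    ssl_certificate /etc/letsencrypt/live/devopsroles.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/huuphan.com/privkey.pem;
}
"""
WANT = {"ssl_certificate": "fullchain.pem", "ssl_certificate_key": "privkey.pem"}

def tls_server_blocks(conf):
    """Yield {directive: [args]} for each server block listening on 443; nested blocks are skipped."""
    conf = re.sub(r"#[^\n]*", "", conf)
    for m in re.finditer(r"\bserver\s*\{", conf):
        depth, stmt, block = 1, "", {}
        for ch in conf[m.end():]:
            if ch == "}" and depth == 1:
                break
            if ch in "{};":
                parts = stmt.split()
                if ch == ";" and depth == 1 and parts:
                    block.setdefault(parts[0], []).extend(parts[1:])
                depth += {"{": 1, "}": -1, ";": 0}[ch]
                stmt = ""
            else:
                stmt += ch
        if any("443" in arg for arg in block.get("listen", [])):
            yield block

def audit(conf):
    """Return (site, directive, path) for every certificate or key path that does not fit its site."""
    findings = []
    for b in tls_server_blocks(conf):
        names = b.get("server_name", [])
        for directive, filename in WANT.items():
            path = (b.get(directive) or ["<missing>"])[0]
            m = re.fullmatch(r"/etc/letsencrypt/live/([^/]+)/" + re.escape(filename), path)
            # Fits when a server name equals the certificate directory name or is a subdomain of it.
            if not (m and any(n == m[1] or n.endswith("." + m[1]) for n in names)):
                findings.append((names[0] if names else "?", directive, path))
    return findings
```

Running audit() over the text of each file in /etc/nginx/conf.d/ before reloading Nginx catches the mismatch shown in the sample, where devopsroles.com is paired with the huuphan.com key.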
Securing Multiple Domains
Using Wildcard Certificates
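If you have multiple subdomains, you can use wildcard certificates to simplify management. Let's Encrypt issues wildcard certificates only through the DNS-01 challenge, which the nginx plugin cannot perform, so request the certificate with a DNS-based authenticator. In manual mode, Certbot prompts you to create a TXT record for the domain. Run the following command:
certbot certonly --manual --preferred-challenges dns -d '*.yourdomain.com' -d yourdomain.com
A certificate issued in manual mode is not renewed by certbot renew unless an authentication hook or a DNS plugin for your provider is configured.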
Automating Tasks with Cron
Setting Up Automatic Renewals
To avoid manual renewals, use cron jobs to automate the process, as shown earlier. This ensures continuous protection for your websites.
FAQs
What is Let's Encrypt?
Let's Encrypt is a free, automated certificate authority that provides SSL/TLS certificates for secure website communication. It simplifies the process of obtaining and renewing certificates, making it accessible to everyone.
Why is SSL Important for My Website?
SSL encrypts data between your server and your visitors, protecting sensitive information from being intercepted. It also improves search engine rankings and builds user trust.
How Often Do I Need to Renew My SSL Certificate?
Let's Encrypt certificates are valid for 90 days. Certbot automates the renewal process, so you don't have to worry about it as long as your cron jobs are set up correctly.
Can I Use Let's Encrypt for Multiple Domains?
Yes, Let's Encrypt allows you to secure multiple domains and subdomains under a single certificate, simplifying management and maintenance.
What Should I Do If My SSL Certificate Fails to Renew?
If the automatic renewal process fails, manually run the certbot renew command and check the logs for any errors. Ensure your server can reach Let's Encrypt's servers and that your domain is correctly configured.
Conclusion
Securing your websites with Let's Encrypt and Nginx is a straightforward process that provides numerous benefits, including enhanced security, improved SEO, and increased user trust. By following this guide, you can ensure that all your websites are protected with SSL certificates, and you can automate the renewal process to keep them secure without any manual intervention.
Implementing SSL/TLS for multiple websites might seem daunting, but with Let's Encrypt and Nginx, it becomes a manageable and rewarding task. Remember to test your configurations and renewals regularly to avoid any downtime or security issues.
By using Let's Encrypt, you contribute to a safer internet while keeping your own sites secure and up-to-date. Thank you for reading the huuphan.com page!