Let's Encrypt allows users to create and renew public HTTPS (SSL/TLS) certificates free of charge. This post demonstrates how to create and automatically renew TLS certificates on an Ubuntu 22.04.4 LTS based nginx server. Domain validation is automated through the DNS records that Cloudflare serves for the domain.
| This post only works if the domain uses Cloudflare as its nameservers and DNS provider. Let's Encrypt does work in other configurations; they just require different commands than the ones defined in this post. |
Setting up the Server
The following must be configured:
- Certbot on the nginx server
- Cloudflare as the domain nameserver
- Certbot/Cloudflare secrets defined
Certbot
The Certbot/Let's Encrypt packages need to be installed on the server. There are multiple ways to install them. The following commands install them via snap:
sudo snap install core
sudo snap refresh core
sudo snap install --classic certbot
sudo ln -s /snap/bin/certbot /usr/bin/certbot
sudo snap set certbot trust-plugin-with-root=ok
sudo snap install certbot-dns-cloudflare
Cloudflare DNS Setup
Cloudflare must be set up as the authoritative DNS provider for the domain. This can be validated by running the following command:
nslookup -type=ns <domain>
Non-authoritative answer:
<domain> nameserver = khalid.ns.cloudflare.com.
<domain> nameserver = sydney.ns.cloudflare.com.
Every nameserver in the result should have a name ending in ns.cloudflare.com.
If the listed nameservers are not Cloudflare's, the domain's nameserver records must be changed at the registrar of your particular domain, since the registration is where the domain's authoritative nameservers are defined.
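As an added example (not part of the original post), the check above can be scripted so that the nameserver lookup is verified rather than eyeballed. The parser is separated from the lookup so it can be exercised offline on captured nslookup output; the two sample outputs are constructed here, modelled on the post's example, and example.com is a placeholder domain.

```shell
#!/bin/sh
# Added example: verify that a domain's authoritative nameservers are all
# Cloudflare's before relying on the certbot dns-cloudflare plugin.

# Reads `nslookup -type=ns <domain>` output on stdin. Succeeds (exit 0) only
# if at least one "nameserver = ..." line was seen and every one of them
# ends in ns.cloudflare.com; any foreign nameserver makes the check fail.
ns_output_is_cloudflare() {
    seen=0
    while IFS= read -r line; do
        case "$line" in
            *"nameserver = "*) ;;
            *) continue ;;            # skip "Non-authoritative answer:" etc.
        esac
        seen=$((seen + 1))
        ns=${line##*"nameserver = "}  # keep only the hostname
        ns=${ns%.}                    # strip the trailing dot of the FQDN
        case "$ns" in
            *.ns.cloudflare.com) ;;
            *) return 1 ;;
        esac
    done
    [ "$seen" -gt 0 ]
}

# Live check for a real domain (needs network access and nslookup).
domain_uses_cloudflare() {
    nslookup -type=ns "$1" | ns_output_is_cloudflare
}

# Constructed sample outputs (example.com is a placeholder).
SAMPLE_CLOUDFLARE='Non-authoritative answer:
example.com	nameserver = khalid.ns.cloudflare.com.
example.com	nameserver = sydney.ns.cloudflare.com.'

SAMPLE_OTHER='Non-authoritative answer:
example.com	nameserver = ns1.registrar.example.
example.com	nameserver = khalid.ns.cloudflare.com.'

# Offline demonstration on the constructed samples.
if printf '%s\n' "$SAMPLE_CLOUDFLARE" | ns_output_is_cloudflare; then
    echo "sample 1: all nameservers are Cloudflare's"
fi
if ! printf '%s\n' "$SAMPLE_OTHER" | ns_output_is_cloudflare; then
    echo "sample 2: at least one nameserver is not Cloudflare's"
fi
```

Run `domain_uses_cloudflare yourdomain.example` on the server before issuing the first certificate; if it fails, the dns-cloudflare plugin will create the validation record in a zone that Let's Encrypt never consults, and issuance will fail.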
Certbot/Cloudflare Secrets Configuration
Certbot will use the Cloudflare API to publish the DNS record that Let's Encrypt checks during validation. Passing that check proves that you control the domain, which is required to obtain a certificate.
In order to set up the secrets correctly on the Certbot/nginx server, an API token must be created. Follow these Cloudflare instructions to create the token:
https://developers.cloudflare.com/fundamentals/api/get-started/create-token/
Once the API token is created, it must be stored in the following file:
/root/.secrets/certbot/cloudflare.ini
# /root/.secrets/certbot/cloudflare.ini
# Cloudflare API token used by Certbot
dns_cloudflare_api_token = <token value>
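The token in this file can edit your DNS zone, so it should be readable by root only; Certbot warns when the credentials file is readable by group or others. As an added example (not part of the original post), the following shell functions write the file with mode 0600 and verify that mode afterwards. The token value and the temporary directory used in the self-demonstration are constructed; the real path is the one given above.

```shell
#!/bin/sh
# Added example: create the Certbot credentials file for the Cloudflare
# token so that it is never readable by anyone but its owner, and check it.

# write_cloudflare_credentials <token> <path>
# Writes the ini file with the key the dns-cloudflare plugin expects.
write_cloudflare_credentials() {
    dest=$2
    mkdir -p "$(dirname "$dest")"
    (
        umask 077   # file is created owner-only, never world-readable, even briefly
        printf '# Cloudflare API token used by Certbot\n' > "$dest"
        printf 'dns_cloudflare_api_token = %s\n' "$1" >> "$dest"
    )
    chmod 600 "$dest"
}

# credentials_perms_ok <path>
# Succeeds only if the file exists, is a regular file and has mode 0600.
credentials_perms_ok() {
    [ -f "$1" ] || return 1
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
    [ "$mode" = "600" ]
}

# token_from_credentials <path>
# Prints the token stored in the file (used to confirm the write).
token_from_credentials() {
    sed -n 's/^dns_cloudflare_api_token[[:space:]]*=[[:space:]]*//p' "$1"
}

# Self-demonstration on a temporary directory with a constructed token,
# so it runs without root and without touching /root/.secrets.
demo_dir=$(mktemp -d)
write_cloudflare_credentials "constructed-example-token" "$demo_dir/cloudflare.ini"
if credentials_perms_ok "$demo_dir/cloudflare.ini"; then
    echo "credentials file permissions OK (0600)"
fi
rm -rf "$demo_dir"
```

On the server, run `write_cloudflare_credentials "$TOKEN" /root/.secrets/certbot/cloudflare.ini` as root. When creating the token in Cloudflare, scope it to DNS edit permission on the one zone Certbot needs rather than using an account-wide token, so a leaked file cannot alter other zones.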
Create Initial Certificate
The first step is to request the initial certificate for the domain. Certbot will validate the domain and create the certificate. It will also automatically renew the certificate.
The following command (run as root, since it reads the credentials file under /root) will create the certificate:
$ certbot certonly -n --dns-cloudflare --dns-cloudflare-credentials /root/.secrets/certbot/cloudflare.ini -d <fqdn.of.cert> -d <domain.of.cert> -m <email-for-notifications> --agree-tos
certonly                     # only create a certificate, do not install it anywhere
-n                           # run non-interactively (for automation)
--dns-cloudflare             # validate using the Cloudflare DNS plugin
--dns-cloudflare-credentials # location of the Cloudflare credentials file
-d                           # domain of the certificate (can be given multiple times)
-m                           # email address for certificate notifications
--agree-tos                  # agree to the TOS without prompting (for automation)
Configure NGINX
The point of creating the certificate files is to serve HTTPS content via nginx.
Each site's server {} block in the nginx config must reference the certificate and key that Certbot maintains:
server {
...
ssl_certificate /etc/letsencrypt/live/<domain>/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/<domain>/privkey.pem;
...
}
Finally, a renewal hook must be configured so that Certbot reloads nginx each time the certificate is renewed; nginx only reads certificate files at start-up or reload, so without the hook it keeps serving the old certificate until it expires.
#!/bin/sh
# /etc/letsencrypt/renewal-hooks/deploy/reload-nginx.sh
# File must be executable (chmod +x)
systemctl reload nginx.service
This script runs each time Certbot renews a certificate. In this case it reloads nginx, causing it to use the updated certificate files.
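As an added example (not part of the original post), a slightly more careful deploy hook: it reloads nginx only when one of the renewed domains is actually served by nginx, and only after `nginx -t` confirms the configuration is valid, so a broken config cannot take the site down during an unattended renewal. It relies on the RENEWED_DOMAINS and RENEWED_LINEAGE variables Certbot exports to deploy hooks and on `nginx -T` to dump the full active configuration; the nginx config snippet used in the offline demonstration is constructed, with example.com as a placeholder domain.

```shell
#!/bin/sh
# Added example: /etc/letsencrypt/renewal-hooks/deploy/reload-nginx.sh
# Certbot sets RENEWED_DOMAINS (space-separated) and RENEWED_LINEAGE
# (/etc/letsencrypt/live/<name>) when it runs a deploy hook.

# should_reload "<renewed domains>" "<domains nginx serves>"
# Succeeds if any renewed domain is one nginx serves.
should_reload() {
    for renewed in $1; do
        for served in $2; do
            [ "$renewed" = "$served" ] && return 0
        done
    done
    return 1
}

# Reads nginx configuration on stdin and prints, one per line, the <domain>
# of every ssl_certificate /etc/letsencrypt/live/<domain>/fullchain.pem line.
served_domains_from_config() {
    sed -n 's|.*ssl_certificate[[:space:]]*/etc/letsencrypt/live/\([^/]*\)/fullchain\.pem.*|\1|p' | sort -u
}

# The hook proper: decide, test the config, then reload.
run_hook() {
    served=$(nginx -T 2>/dev/null | served_domains_from_config)
    if ! should_reload "${RENEWED_DOMAINS:-}" "$served"; then
        echo "reload-nginx: renewed ${RENEWED_LINEAGE:-?} is not used by nginx, skipping reload"
        return 0
    fi
    if nginx -t; then
        systemctl reload nginx.service
    else
        echo "reload-nginx: nginx config test failed, not reloading" >&2
        return 1
    fi
}

# Only act when invoked by certbot (RENEWED_DOMAINS set); otherwise just
# demonstrate the helpers on a constructed config fragment.
if [ -n "${RENEWED_DOMAINS:-}" ]; then
    run_hook
else
    DEMO_CONF='server {
    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
}'
    demo_served=$(printf '%s\n' "$DEMO_CONF" | served_domains_from_config)
    if should_reload "example.com www.example.com" "$demo_served"; then
        echo "demo: example.com renewed and served by nginx, a reload would follow"
    fi
fi
```

After installing the hook (chmod +x), run `certbot renew --dry-run` as root: it exercises the Cloudflare validation end to end against Let's Encrypt's staging environment and shows whether the hook is picked up, without spending a real issuance. The certbot snap also installs a systemd timer that runs the renewal check automatically, so no cron entry is needed.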
With these tools, TLS certificates can be generated and automatically renewed, allowing an nginx server to deliver HTTPS content without certificate expiry.