Installing for Nginx

Nginx requires a bit more manual configuration. Then again, if you use Nginx, you’re probably used to manual configurations. In any case, Certbot is still available for download through Debian’s repositories.

# apt install certbot

The Certbot plugin is still in alpha, so using it isn’t really recommended. Certbot does have another utility called “webroot” that makes installing and maintaining certs easier. To obtain a certificate, run the command below, specifying your web root directory and any domains that you want covered by the cert.

# certbot certonly --webroot -w /var/www/site1 -d site1.com -d www.site1.com -w /var/www/site2 -d site2.com -d www.site2.com

You can use one cert for multiple domains with one command.

Nginx will not recognize the certs until you add them to your configuration. Any SSL certificates need to be listed within the server block for their respective website. You must also specify within that block that the server must listen on port 443 and use SSL.

server {
    listen 443 default_server ssl;

    # Your
    # Other

    ssl_certificate /path/to/cert/fullchain.pem;
    ssl_certificate_key /path/to/cert/privkey.pem;

    # Config
    # Lines
}



Save your configuration and restart Nginx for the changes to take effect.

# systemctl restart nginx


Auto-Renew with Cron

Whether you’re using Apache or Nginx, you will need to renew your certificates. Remembering to do so can be a pain, and you definitely don’t want them to lapse. The best way to handle renewing your certificates is to create a cron job that runs twice a day. Twice daily renewals are recommended because they guard against certificates lapsing due to revocation, which can happen from time to time. To be clear, though, they don’t actually renew each time. The utility checks whether the certs are out of date or will be within thirty days. It will only renew them if they meet the criteria.

First, create a simple script that runs Certbot’s renewal utility. It’s probably a good idea to put it in your user’s home directory or a scripts directory so it doesn’t get served.

#!/bin/bash

certbot renew -q

Don’t forget to make the script executable too.

$ chmod +x renew-certs.sh

Now, you can add the script as a cron job. Open up your crontab and add the script.

# crontab -e


0 3,15 * * * /home/user/renew-certs.sh

Once you exit, the script should run every day at 3 a.m. and 3 p.m. by the server’s clock.
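A renewal job that stops running, or whose error mail nobody reads, goes unnoticed until a certificate lapses. The script below is an added example, not part of the original article: it reads each certificate's expiry date and warns when fewer days remain than the thirty-day renewal window should ever allow. The function names and the `WARN_DAYS` threshold are assumptions for illustration, `/etc/letsencrypt/live` is Certbot's default certificate location, and `openssl` is assumed to be installed.

```shell
#!/bin/sh
# Added example: flag certificates that renewal should already have replaced.
# Assumption: renewal starts 30 days before expiry, so fewer than 20 days
# left means several days of failed or skipped renewal runs.
WARN_DAYS=20

# Convert openssl's "notAfter=Jun  1 12:00:00 2025 GMT" line to epoch seconds.
# Uses days-from-civil arithmetic in awk, so it does not need GNU date.
enddate_to_epoch() {
    printf '%s\n' "$1" | awk '{
        sub(/^notAfter=/, "")
        split($3, t, ":")
        m = (index("JanFebMarAprMayJunJulAugSepOctNovDec", $1) + 2) / 3
        y = $4 + 0; d = $2 + 0
        if (m <= 2) { y--; m += 12 }   # treat Jan/Feb as months 13/14 of the prior year
        days = 365*y + int(y/4) - int(y/100) + int(y/400) + int((153*(m-3) + 2)/5) + d - 719469
        printf "%.0f\n", days*86400 + t[1]*3600 + t[2]*60 + t[3]
    }'
}

# Whole days from "now" ($2, epoch seconds) to the notAfter line ($1); negative once expired.
days_left() {
    end=$(enddate_to_epoch "$1")
    echo $(( ($end - $2) / 86400 ))
}

# Print a warning for every readable PEM file below the threshold; return 1 if any.
check_certs() {
    now=$(date +%s)
    rc=0
    for pem in "$@"; do
        [ -r "$pem" ] || continue
        left=$(days_left "$(openssl x509 -enddate -noout -in "$pem")" "$now")
        if [ "$left" -lt "$WARN_DAYS" ]; then
            echo "WARNING: $pem has $left days left; check that renewal is running" >&2
            rc=1
        fi
    done
    return "$rc"
}

# Certbot's default certificate location; an unmatched glob is skipped by the -r test.
check_certs /etc/letsencrypt/live/*/fullchain.pem || true
```

Run it from its own cron entry or monitoring agent, separate from the renewal job, so a broken renewal script cannot also silence the check.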

Closing Thoughts

Encrypting your web server protects both your guests and yourself. Encryption will also continue to play a role in which sites are displayed in browsers, and it’s not much of a stretch to assume that it will also play a role in SEO. Any way you look at it, encrypting your web server is a good idea, and Let’s Encrypt is the easiest way to do it.