SSL certificate setup with Let's Encrypt and certbot

<p>I need free HTTPS for my production server. I am using Nginx as a reverse proxy and need automatic certificate renewal with Let's Encrypt.</p>

<p>Let's Encrypt with Certbot:</p> <div class="highlight"><pre><span></span><code>sudo<span class="w"> </span>apt<span class="w"> </span>install<span class="w"> </span>certbot<span class="w"> </span>python3-certbot-nginx <span class="c1"># Obtain and auto-configure Nginx:</span> sudo<span class="w"> </span>certbot<span class="w"> </span>--nginx<span class="w"> </span>-d<span class="w"> </span>myapp.com<span class="w"> </span>-d<span class="w"> </span>www.myapp.com<span class="w"> </span><span class="se">\</span> <span class="w"> </span>--email<span class="w"> </span>admin@myapp.com<span class="w"> </span>--agree-tos<span class="w"> </span>--no-eff-email <span class="c1"># Test auto-renewal:</span> sudo<span class="w"> </span>certbot<span class="w"> </span>renew<span class="w"> </span>--dry-run <span class="c1"># Systemd timer handles renewal automatically:</span> systemctl<span class="w"> </span>status<span class="w"> </span>certbot.timer </code></pre></div> <p>Manual Nginx SSL section:</p> <div class="highlight"><pre><span></span><code><span class="k">server</span><span class="w"> </span><span class="p">{</span> <span class="w"> </span><span class="kn">listen</span><span class="w"> </span><span class="mi">443</span><span class="w"> </span><span class="s">ssl</span><span class="w"> </span><span class="s">http2</span><span class="p">;</span> <span class="w"> </span><span class="kn">ssl_certificate</span><span class="w"> </span><span class="s">/etc/letsencrypt/live/myapp.com/fullchain.pem</span><span class="p">;</span> <span class="w"> </span><span class="kn">ssl_certificate_key</span><span class="w"> </span><span class="s">/etc/letsencrypt/live/myapp.com/privkey.pem</span><span class="p">;</span> <span class="w"> </span><span class="kn">include</span><span class="w"> </span><span class="s">/etc/letsencrypt/options-ssl-nginx.conf</span><span class="p">;</span> <span class="w"> </span><span class="c1"># HSTS -- only after HTTPS is stable:</span> <span class="w"> </span><span class="kn">add_header</span><span class="w"> </span><span class="s">Strict-Transport-Security</span><span class="w"> </span><span class="s">"max-age=31536000"</span><span class="w"> </span><span class="s">always</span><span class="p">;</span> <span class="p">}</span> </code></pre></div> <p>For Docker with Traefik:</p> <div class="highlight"><pre><span></span><code><span class="nt">services</span><span class="p">:</span> <span class="w"> </span><span class="nt">traefik</span><span class="p">:</span> <span class="w"> </span><span class="nt">image</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">traefik:v3</span> <span class="w"> </span><span class="nt">command</span><span class="p">:</span> <span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">--providers.docker=true</span> <span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">--certificatesresolvers.le.acme.email=admin@myapp.com</span> <span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">--certificatesresolvers.le.acme.httpchallenge.entrypoint=web</span> <span class="w"> </span><span class="nt">api</span><span class="p">:</span> <span class="w"> </span><span class="nt">labels</span><span class="p">:</span> <span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">traefik.http.routers.api.rule=Host(`myapp.com`)</span> <span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">traefik.http.routers.api.tls.certresolver=le</span> </code></pre></div> <p>Key points: - Certbot auto-renews via systemd timer -- 90-day certs, renewed at 30 days - fullchain.pem includes certificate + chain - HSTS tells browsers to always use HTTPS -- add only after HTTPS is working - Rate limit: 5 certs per domain per week -- use staging server for testing</p>