HTTPS with Nginx and Let's Encrypt

I’ve been wanting to get started on this blog for a while now but I wasn’t sure what to kick things off with. Then I realised that setting this blog up has been pretty interesting. So why not start with a post about that…

The Problem

When I setup this blog I had an issue with not being able to redirect my www subdomain to non-www over HTTPS. I kept receiving a Not Secure error from Chrome stating that I had no valid certificate.

My SSL certificate is provided by the awesome Let’s Encrypt service. And after some Googling I realised that when I had setup the blog using Ghosts CLI it had only created a certificate for the non-www version of my domain.

After further Googling I found out that I would need a second SSL certificate for my www subdomain to allow safe redirect to just codedaze.io.

The Solution

To start off I installed Git, you need this to clone Lets Encrypt from their official repo on GitHub.

sudo apt-get install git

Once that’s finished then you need to clone the repo using the following command.

sudo git clone https://github.com/letsencrypt/letsencrypt /opt/letsencrypt

Finally you need to head over to the new directory

cd /opt/letsencrypt

Creating a new SSL certificate

Let’s Encrypt will perform a series of Domain Validations to check the authenticity of your domain, once these are satisfied then your new SSL certificate will be issued.

Run the following command to generate your certificates. You can use the -d parameter to add additional domains that you wish to generate certificates for as per the example below.

sudo -H ./letsencrypt-auto certonly --standalone -d example.com -d www.example.com

But as I already had the non-www certificate I just ran this version of the command.

sudo -H ./letsencrypt-auto certonly --standalone -d www.codedaze.io

You will be asked to provide your email address so you can be contacted in emergencies or when your certificate is due to expire. So enter this when prompted.

Next you will be asked to agree to the terms of service and then if you wish to submit your email address for some data analysis and marketing. I leave this one up to you.

Hopefully the next thing you will see is something like the following:

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/www.example.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/www.example.com/privkey.pem
   Your cert will expire on 2017-12-31. To obtain a new or tweaked
   version of this certificate in the future, simply run
   letsencrypt-auto again. To non-interactively renew *all* of your
   certificates, run "letsencrypt-auto renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

Congratulations! You now have your shiny new SSL certificate(s). So how do you get Nginx to play ball.

Nginx Configuration

Most of my Nginx configuration was done by the Ghost CLI when I setup my blog. I have added a couple of redirects in from www to non-www for both HTTP and HTTPS variant.

In order to fix my issue with the redirect from http://www.codedaze.io to https://chrissainty.com. All I had to do was go into the server I had configured for the HTTPS redirect from www.codedaze.io to codedaze.io and all the locations of the new certificates I had generated above.

server {
	listen 443 ssl http2;
	listen [::]:443 ssl http2;

	server_name www.codedaze.io;
	return 301 https://chrissainty.com$request_uri;

	ssl_certificate /etc/letsencrypt/live/www.codedaze.io/fullchain.pem;
	ssl_certificate_key /etc/letsencrypt/live/www.codedaze.io/privkey.pem;
	include /var/www/codedaze.io/system/files/ssl-params.conf;
}

Conclusion

You may have noticed by I am very new to Nginx and Linux in general. So I’m not writing this as a perfect setup. And I’m sure I will soon be writing a post showing how horrible this configuration is.

But for now I’m so happy with myself for getting this issue sorted. I’m also really happy that it has inspired me to write about it. Something which I really want to do much more of.

So in conclusion, if this helps you in anyway then great. If you find it totally useless then please accept my apologies. But this is my first blog post and I’m pretty damn happy with myself for getting it done and hopefully its the start of many.