Red Green Repeat Adventures of a Spec Driven Junkie

How-to: Setup nginx-certbot

I go over how I configured nginx-certbot for a domain and tested it using SSL Labs.

I use a free dynamic DNS entry from No-IP on an AWS EC2 server whose ports 80 and 443 are accessible to the world, using Let’s Encrypt to provide certificates.

You will learn that a name provider doesn’t have to explicitly support Let’s Encrypt to provide certificates, and that you can get a secure website running in minutes (well, for me it took hours). I’m writing this so next time it will be minutes for me. ;-)

This article will take you less than six minutes to read.

[Image: Astrolabe of ‘Umar ibn Yusuf ibn ‘Umar ibn ‘Ali ibn Rasul al-Muzaffari]

Introduction

Having my own domain that’s on a secure web server has been on my “To Do” list for a long time.

I took the approach of using nginx-certbot to solve this problem. There are other valid solutions; I took the simplest one first and saw it through.

Getting a secure web server with proper certificates is tricky; security, encryption, and configuration are all tricky. I want to start with a turnkey solution and then try more.

I may experiment with different solutions in the future.

Requirements

If you would like to follow along, you will need the following:

  • An Internet domain name for which you can set the DNS hostname (A) entry
  • An Internet-accessible server with ports 80 and 443 open that can run Docker

Internet Domain

To have a secure web server, you need a registered domain that you control. The main thing you need to control is the DNS hostname (A) record for the hostname, pointing it at the IP address of your server.

If you’re hosting the server from your home Internet connection, you can find your public IP address using: https://whatsmyip.org

Free (temporary) Domain

A domain name you can control costs money. If you just want to test out the whole process, you can get a free domain from online providers, such as those that offer Dynamic DNS services.

I use No-IP’s free domain to map one of their domains to a server.

Some example domain names available:

  • ddns.net
  • ddnsking.com
  • freedynamicdns.net
  • hopto.org

and more; there are even more to choose from if you subscribe to their enhanced plan.

Hosting Server

For this test, you don’t need a powerful server at all. The essential requirements for the server are:

  • the server has ports 80 and 443 accessible on the Internet
  • it can run Docker and Docker Compose

AWS EC2

In my case, I use an AWS EC2 instance running Ubuntu 18.04 LTS. This is my go-to setup for a server online.

Install Docker

nginx-certbot uses Docker containers, so you will have to install Docker on the hosting computer.

Installation instructions for Docker are available at:

https://docs.docker.com/engine/install/

Linux Installation Steps for Ubuntu

Below are the commands to install Docker, copied for reference (and for my future reference).

# Remove any older Docker packages that may conflict
sudo apt-get remove docker docker-engine docker.io containerd runc
# Install the prerequisites for adding an HTTPS apt repository
sudo apt-get update
sudo apt-get install \
    apt-transport-https \
    ca-certificates \
    curl \
    gnupg-agent \
    software-properties-common
# Add Docker's package signing key and the stable repository
curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo apt-key add -
sudo add-apt-repository \
   "deb [arch=amd64] https://download.docker.com/linux/ubuntu \
   $(lsb_release -cs) \
   stable"
# Install Docker Engine from the repository that was just added
sudo apt-get update
sudo apt-get install docker-ce docker-ce-cli containerd.io

Docker Compose

nginx-certbot uses Docker Compose to configure and bring up the system. The system uses two docker containers: one to get the certificates and another to serve web content.

To install docker compose, https://docs.docker.com/compose/install/

Ubuntu Installation

The following commands install Docker Compose on Ubuntu (or any Linux system):

sudo curl -L "https://github.com/docker/compose/releases/download/1.26.2/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose
# The downloaded binary is not executable until marked so
sudo chmod +x /usr/local/bin/docker-compose

Download nginx-certbot

With the host server configured and reachable by its hostname, it’s time to get the star of this show: nginx-certbot.

Get nginx-certbot at:

git clone https://github.com/wmnnd/nginx-certbot.git

The author has an article on how he made the whole system here.

Alternate

For reference, I have a fork of the repository on my personal account as well.

git clone https://github.com/a-leung/nginx-certbot.git

Configure nginx-certbot with Domain

Take the domain from the Internet domain step, update the following command with it, and run it to generate the app.conf file for nginx-certbot and your domain.

sed 's/example.org/<your Internet domain from step 1>/g' data/nginx/app.conf > file.tmp && mv file.tmp data/nginx/app.conf

Does the command look familiar? It should ^_-
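The same substitution with a few guard rails, as an added example that is not from the original post or the nginx-certbot project: the hostname is validated before it goes into the config, the file is only replaced once no placeholder remains, and a second function counts how many server_name and certificate lines were updated so you can confirm both the port 80 and port 443 blocks changed. The function names, the domain myhost.ddns.net and the sample app.conf (constructed here to have the same shape as nginx-certbot's, with an ACME challenge location, an HTTPS redirect and Let’s Encrypt certificate paths) are all assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original post or the nginx-certbot project).
# Paths, function names and the sample config are constructed for it.

# Accept only a plausible DNS hostname (labels of letters, digits and hyphens,
# no leading/trailing hyphen, at least one dot) so a typo cannot reach nginx.
valid_hostname() {
    printf '%s' "$1" | grep -Eq '^([A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?\.)+[A-Za-z]{2,}$'
}

# Replace every example.org in the config with the given domain. Writes to a
# temp file first and only moves it into place when no placeholder is left.
configure_domain() {
    conf="$1"; domain="$2"
    valid_hostname "$domain" || { echo "invalid hostname: $domain" >&2; return 1; }
    tmp="$conf.tmp"
    sed "s/example\.org/$domain/g" "$conf" > "$tmp" || return 1
    if grep -q 'example\.org' "$tmp"; then
        rm -f "$tmp"; echo "placeholder still present in $conf" >&2; return 1
    fi
    mv "$tmp" "$conf"
}

# Count server_name / ssl_certificate / ssl_certificate_key lines that mention
# the domain, so the caller can confirm both server blocks were rewritten.
count_domain_refs() {
    grep -Ec "^[[:space:]]*(server_name|ssl_certificate|ssl_certificate_key)[[:space:]].*$2" "$1"
}

# Constructed sample (not the project's file) with nginx-certbot's layout:
# HTTP block serving the ACME challenge and redirecting to HTTPS, and an
# HTTPS block pointing at the Let's Encrypt certificate paths.
write_sample_conf() {
    cat > "$1" <<'EOF'
server {
    listen 80;
    server_name example.org;
    location /.well-known/acme-challenge/ { root /var/www/certbot; }
    location / { return 301 https://$host$request_uri; }
}
server {
    listen 443 ssl;
    server_name example.org;
    ssl_certificate /etc/letsencrypt/live/example.org/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.org/privkey.pem;
}
EOF
}

# Usage against a real checkout:
#   configure_domain data/nginx/app.conf myhost.ddns.net
#   count_domain_refs data/nginx/app.conf myhost.ddns.net
```

Writing to a temp file and moving it into place means a failed sed or an unexpected leftover placeholder never leaves you with a half-edited app.conf, which is the kind of partial state that the "validate app.conf and re-run" advice later in the post is meant to catch.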

Run nginx-certbot initialization script

With your domain configured for nginx-certbot, run the initialization script to obtain and set up the certificates from Let’s Encrypt, the free HTTPS certificate authority.

sudo ./init-letsencrypt.sh

Run nginx-certbot

Everything should be green from the initialization script, which gets the certificates for your domain. Now to run the server:

sudo docker-compose up

If there are errors, validate the app.conf configuration and re-run the initialization script. Keep it simple (for now): it’s important to get things working before pre-configuring more.

[Image: Successful run of nginx-certbot server]

Test Site

Here’s the moment of truth: does the site work?? There are two ways to test:

  1. Use your browser
  2. Use another website

I will go over these in detail.

Browser Response

If you open your browser to your domain, nothing will show up:

[Image: First load of nginx-certbot domain]

Oh, this looks like it’s not working!? Huh???

If the server were not working at all, there would be no response at all.

Upon closer inspection, the browser’s Inspector network tool shows:

[Image: First load of nginx-certbot domain, inspector details]

See the requests on the side with 301? Those are redirects, so something is happening. Eventually, the browser gives up and throws an error: ERR_TOO_MANY_REDIRECTS

This would be a frustrating experience if it were the only way to test your server’s configuration; hence, the SSL Labs site check.
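The browser hides what actually happened between the 301s. As an added example, not from the original post, the script below follows redirects one hop at a time with curl and a hop budget, prints the chain, and classifies it as a loop, a healthy chain, or a cutoff. The classification works on plain "status url" lines, so it is also exercised here on constructed traces without a network. One common cause of such a loop, stated as an assumption rather than something the post diagnosed, is an HTTPS server block that proxies back to the same hostname over plain HTTP, which the HTTP block then redirects to HTTPS again. The function names and the domain myhost.ddns.net are this example's own.

```shell
#!/bin/sh
# Added example (not from the original post). Function names and the sample
# traces are constructed for it.

# Follow redirects one hop at a time and print "status url" per hop.
# Stops after $2 hops (default 5). Needs network; not run by the test.
trace_redirects() {
    url="$1"; budget="${2:-5}"; hop=0
    while [ "$hop" -le "$budget" ] && [ -n "$url" ]; do
        # -o /dev/null drops the body; -w prints the status and the Location target.
        line=$(curl -sS -o /dev/null -w '%{http_code} %{redirect_url}' "$url") || return 1
        status=${line%% *}; next=${line#* }
        printf '%s %s\n' "$status" "$url"
        case "$status" in 301|302|307|308) url="$next" ;; *) return 0 ;; esac
        hop=$((hop + 1))
    done
    return 0
}

# Classify a trace of "status url" lines read from stdin:
#   loop   - a URL is redirected to twice (what the browser gives up on)
#   ok     - the chain ends in a non-redirect response
#   cutoff - the hop budget ran out while still redirecting
classify_trace() {
    seen=""
    while read -r status url; do
        case "$status" in
            301|302|307|308)
                case " $seen " in *" $url "*) echo loop; return 0 ;; esac
                seen="$seen $url" ;;
            *) echo ok; return 0 ;;
        esac
    done
    echo cutoff
}

# Constructed sample traces (not real server output) for offline use.
# The looping one matches the assumed self-proxy case: HTTPS keeps
# redirecting to itself.
looping_trace() {
    printf '%s\n' \
        "301 http://myhost.ddns.net/" \
        "301 https://myhost.ddns.net/" \
        "301 https://myhost.ddns.net/"
}
healthy_trace() {
    printf '%s\n' \
        "301 http://myhost.ddns.net/" \
        "200 https://myhost.ddns.net/"
}

# Usage against a live server:
#   trace_redirects http://myhost.ddns.net/ | tee /dev/stderr | classify_trace
```

Because curl reports the Location target for each hop, the trace tells you which of the two server blocks is sending you around in circles, which is what you need to know before editing app.conf and re-running the initialization script.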

SSL Labs site check

Using your browser would be sufficient in most cases. In this case, I want to validate the HTTPS aspect and make sure the server has an encrypted connection with the client.

The easiest way to do this is to use SSL Labs’ SSL test feature. Go to the following web page:

https://www.ssllabs.com/ssltest/index.html

And enter your domain.

When everything is good, the page will look like:

[Image: Successful Configuration SSL Labs Report]

Even though the browser shows an error for the site, SSL Labs’ check passes it.

For now, this is enough to validate that nginx-certbot is set up. Configuring nginx-certbot to serve more is another article.
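SSL Labs checks the server from the outside; it is also worth having a local check you can run from the host itself, for example before a renewal is due. As an added example that is not from the original post, the script below uses the openssl command-line tool to confirm that a certificate is valid for your hostname and to compute how many days remain before it expires, and it includes a helper that fetches the certificate a live server presents. The Let’s Encrypt path under /etc/letsencrypt/live, the hostname myhost.ddns.net and the 30-day threshold are assumptions of this example; GNU date is assumed for parsing the expiry.

```shell
#!/bin/sh
# Added example (not from the original post). Paths, hostnames and
# thresholds are assumptions; requires the openssl command-line tool.

# Print the number of whole days until the PEM certificate in $1 expires.
# Let's Encrypt certificates are valid for 90 days, so a low number here
# means the renewal container is not doing its job.
cert_days_left() {
    end=$(openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//')
    end_s=$(date -u -d "$end" +%s)   # GNU date syntax (assumption)
    now_s=$(date -u +%s)
    echo $(( (end_s - now_s) / 86400 ))
}

# Return 0 if the certificate in $1 is valid for hostname $2 (SAN or CN).
# openssl prints "does match" or "does NOT match"; only the former passes.
cert_matches_host() {
    openssl x509 -in "$1" -noout -checkhost "$2" | grep -q 'does match'
}

# Save the certificate a live server presents for $1 to PEM file $2.
# Sends the SNI name so the right virtual host answers. Needs network;
# not run by the test.
fetch_server_cert() {
    printf '' | openssl s_client -connect "$1:443" -servername "$1" 2>/dev/null \
        | openssl x509 -outform PEM > "$2"
}

# Combined check: prints a verdict and returns non-zero on any failure.
# Usage: check_cert /etc/letsencrypt/live/myhost.ddns.net/fullchain.pem myhost.ddns.net 30
check_cert() {
    pem="$1"; host="$2"; min_days="${3:-30}"
    cert_matches_host "$pem" "$host" || { echo "FAIL: certificate is not valid for $host"; return 1; }
    days=$(cert_days_left "$pem")
    [ "$days" -ge "$min_days" ] || { echo "FAIL: only $days days left on certificate"; return 1; }
    echo "OK: valid for $host, $days days left"
}
```

Running check_cert against the fullchain.pem that nginx serves, and separately against the certificate fetch_server_cert pulls from port 443, tells you both that the file on disk is healthy and that the running container is actually presenting it.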

Problems?

If you have any problems, please contact me. There are numerous moving parts here that don’t talk to each other unless explicitly configured to do so.

That’s the beauty and frustration of the Internet. ;-)

Conclusion

I’ve documented the steps I took to bring up a secure nginx web server on a new domain using nginx-certbot.

I really appreciate developers such as wmnnd for sharing useful tools like this. Setting up a secure web server without an automated process can be frustrating; nginx-certbot makes the process better and the Internet more secure!