Using Let's Encrypt SSL certs

Everyone on the web is using SSL these days - to the point where most (if not all) modern browsers will throw a very unfriendly-looking warning if your site is not secure. That is something of a problem if you just want to spin up a new site for a demo or to serve a small niche - do you really want to pay for an expensive, long-term SSL certificate? But you'd rather your users don't have to accept a scary security alert, right?

My solution to this is running my sites behind NGINX and using Let's Encrypt. I'll cover the NGINX setup elsewhere; suffice it to say that NGINX looks at the requested URL and serves up the correct SSL certificate before directing traffic to the NodeJS instance for that site on my server. That allows me to run multiple sites on the same server against different ports, and each is independent of all the others.

Let's Encrypt is a great service that provides free SSL certificates. They are typically only valid for 90 days, but they've made the installation and renewal process VERY simple! More details on their service here

Before you start

The simplest setup that I've found involves using certbot to spin up a temporary webserver in place of your actual site. That means your site will be down (for a matter of less than a minute) while certificates are installed or renewed. It also means you must stop NGINX (or whatever web server you're using) first: if you forget, the temporary webserver cannot start because the port is already in use, and you could spend a lot of time debugging certbot!

Initial setup

sudo add-apt-repository ppa:certbot/certbot

sudo apt install python3 python3-venv libaugeas0

sudo python3 -m venv /opt/certbot/

sudo /opt/certbot/bin/pip install --upgrade pip

sudo /opt/certbot/bin/pip install certbot certbot-nginx

sudo ln -s /opt/certbot/bin/certbot /usr/bin/certbot

Add to crontab:

0 0,12 * * * certbot renew -q


Renewal

This is the easy one...

Stop NGINX - service nginx stop

Renew the certs that are going to expire in the next 30 days: certbot renew

Restart your webserver: service nginx start

And you're done!
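
The renewal steps above, wrapped so a cron job can follow them unattended when the certificates were issued with the temporary-webserver method (an added example, not part of the original post). It stops NGINX only when a certificate is within 30 days of expiry and always starts it again, even if certbot fails. The script name, the /etc/letsencrypt/live layout and the use of openssl are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. Run as root, e.g. from cron.
# Assumptions: certbot's default layout /etc/letsencrypt/live/<name>/cert.pem,
# openssl installed, and NGINX controlled with "service nginx stop|start".

LIVE_DIR="${LIVE_DIR:-/etc/letsencrypt/live}"
WINDOW=$((30 * 24 * 3600))   # the 30-day renewal window, in seconds

# True (0) if the certificate in file $1 expires within WINDOW.
# "openssl x509 -checkend N" exits non-zero when the cert expires within N
# seconds; an unreadable file also counts as due, so it is not skipped silently.
cert_due() {
    ! openssl x509 -checkend "$WINDOW" -noout -in "$1" >/dev/null 2>&1
}

# True (0) if at least one certificate under LIVE_DIR is due.
any_cert_due() {
    for cert in "$LIVE_DIR"/*/cert.pem; do
        [ -e "$cert" ] || continue      # glob matched nothing
        if cert_due "$cert"; then return 0; fi
    done
    return 1
}

# Stop NGINX only when a renewal is actually pending, and always start it
# again, even if certbot fails. Returns certbot's status, or 1 if NGINX
# could not be stopped or restarted.
renew_certs() {
    any_cert_due || return 0            # nothing due: no downtime at all
    service nginx stop || return 1
    certbot renew -q
    status=$?
    service nginx start || status=1
    return "$status"
}

# Run only when invoked as "renew-certs.sh --run" (hypothetical file name).
if [ "${1:-}" = "--run" ]; then
    renew_certs
    exit $?
fi
```

Saved as, say, /usr/local/sbin/renew-certs.sh (a hypothetical path), the crontab entry becomes 0 0,12 * * * /usr/local/sbin/renew-certs.sh --run in place of the bare certbot renew -q.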