Let's Encrypt is a free-to-use certification authority which, in my opinion, has revolutionized the usage of SSL/TLS certificates. You can now use free SSL/TLS certificates on your local machines. The benefits of using an SSL/TLS certificate for your website, blog, or company site are:
- Improved security
- Improved trust
- Ability to use HTTP/2
- Better Google search results
How can I use a free Let's Encrypt certificate?
To get a free certificate you will need a tool called certbot, which handles obtaining the certificate as well as renewing it.
Certbot can be installed using snap and the following command:
sudo snap install --classic certbot
As the next step you will need to change your NGINX config so that the server name points to a "real URL".
In your NGINX config, change the server_name directive to your URL. This could look like this:
After that, restart NGINX:
sudo service nginx restart
Now make sure that your A record points to the public IP of your server and that ports 80 and 443 are forwarded to your server or opened in your firewall. If this is the case, you can start issuing the certificate:
sudo certbot --nginx
You will be asked for your email address and whether you agree to the terms and conditions. Whether you are willing to share your email address is up to you.
You will now see a list of your available domains. If you only want to issue a certificate for one domain, enter its number; otherwise leave the prompt blank and hit Enter.
After that, the certificates will be obtained, and you should answer yes to the redirect question at the end.
In your NGINX config you will now see additional entries. Restart NGINX again to make the changes effective.
How to renew the certificates?
All certificates are valid for 90 days. It is recommended to run the renewal at least once a day, maybe even more often. The certificates will only be renewed if they are expired.
To do this, set up a cronjob
with the following content
1 1 * * * certbot renew
This way the renewal will be executed every day at 1:01 am.
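To confirm that the daily cron job is doing its work, you can check how long the certificate your server actually presents remains valid. The script below is an added example, not part of the original post; it assumes GNU date and the openssl command-line tool, and the function names and the 14-day warning threshold are illustrative choices.

```shell
#!/usr/bin/env bash
# Added example: report how long the certificate served for a domain stays
# valid, so a broken renewal cron job is noticed before visitors see an
# expired certificate. Assumes GNU date and the openssl CLI.

# Seconds between "now" and the notAfter date printed by `openssl x509 -enddate`.
# $1: line such as "notAfter=Jan 31 00:00:00 2025 GMT"
# $2: epoch to use as "now" (optional, defaults to the current time)
seconds_left() {
    local enddate="${1#notAfter=}" now="${2:-$(date +%s)}" end
    # Reject an empty string: `date -d ""` would silently mean "today".
    [ -n "$enddate" ] || return 2
    end=$(date -u -d "$enddate" +%s 2>/dev/null) || return 2
    echo $(( end - now ))
}

# Prints "OK <days>", "WARN <days>", "EXPIRED" or "UNPARSEABLE".
# $1: notAfter line; $2: warning threshold in days; $3: epoch for "now" (optional)
# Exit status: 0 = OK, 1 = WARN or EXPIRED, 2 = the date could not be read.
cert_status() {
    local left
    left=$(seconds_left "$1" "${3:-}") || { echo "UNPARSEABLE"; return 2; }
    if [ "$left" -le 0 ]; then
        echo "EXPIRED"; return 1
    elif [ "$left" -lt $(( $2 * 86400 )) ]; then
        echo "WARN $(( left / 86400 ))"; return 1
    fi
    echo "OK $(( left / 86400 ))"
}

# notAfter line of the certificate a server presents on port 443 (needs network).
served_enddate() {
    openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null |
        openssl x509 -noout -enddate 2>/dev/null
}

# Run as: check-cert.sh <domain> [warn-days]   (14 days is an arbitrary default)
if [ "$#" -ge 1 ]; then
    cert_status "$(served_enddate "$1")" "${2:-14}"
fi
```

Run it with your domain as the first argument, for example from a second cron entry; a non-zero exit status means the certificate is expired, close to expiry, or could not be read.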