
moving from HTTP to HTTPS


HTTPS requires a certificate. You can buy one or get a free one with certbot (Let's Encrypt).

getting certificates with certbot

Install certbot on your server

root: bash
  • root# pacman -S certbot certbot-nginx

Get a certificate:

root: bash
  • root# certbot certonly --nginx

IMPORTANT INFORMATION ABOUT CERTBOT CERTIFICATE MAINTENANCE

  • Congratulations! Your certificate and chain have been saved at:
    /etc/letsencrypt/live//fullchain.pem
    Your key file has been saved at:
    /etc/letsencrypt/live//privkey.pem
    Your cert will expire on 2020-07-08. To obtain a new or tweaked
    version of this certificate in the future, simply run certbot again
    with the “certonly” option. To non-interactively renew all of
    your certificates, run “certbot renew”
  • Your account credentials have been saved in your Certbot
    configuration directory at /etc/letsencrypt. You should make a
    secure backup of this folder now. This configuration directory will
    also contain certificates and private keys obtained by Certbot so
    making regular backups of this folder is ideal.

Configure nginx (/etc/nginx/nginx.conf):

/etc/nginx/nginx.conf
# HTTPS server

server {
    listen       443 ssl;
    server_name  <servername>;

    ssl_certificate      /etc/letsencrypt/live/<servername>/fullchain.pem;
    ssl_certificate_key  /etc/letsencrypt/live/<servername>/privkey.pem;

    ssl_session_cache    shared:SSL:1m;
    ssl_session_timeout  5m;

    ssl_ciphers  HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers  on;

    location / {
        root   /var/www/public; # your public folder
        index  index.html index.htm;
    }
}

Configure automatic certificate renewal:

Use systemd/Timers

  1. Create the timer: /etc/systemd/system/certbot-renewal.timer

The following timer fires once every 3 months. With Persistent=true, a run that was missed at its target time (for example because the machine was off) is started as soon as possible afterwards.

/etc/systemd/system/certbot-renewal.timer
[Unit]
Description=Renew certbot (letsencrypt) certificates

[Timer]
OnCalendar=*-01,04,07,10-01 12:00:00
Persistent=true

[Install]
WantedBy=timers.target

  2. Create the service: /etc/systemd/system/certbot-renewal.service

/etc/systemd/system/certbot-renewal.service
[Unit]
Description=Renew certbot (letsencrypt) certificates

[Service]
Type=oneshot
ExecStart=/usr/bin/certbot renew

  3. Enable and start the timer

root: bash
  • root# systemctl start certbot-renewal.timer
  • root# systemctl enable certbot-renewal.timer

Check that your timer is scheduled for execution:

root: bash
  • root# systemctl list-timers

Now the certificates will be renewed every three months.
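A check worth running before relying on this timer, as an added example that is not part of the original post: it replays `certbot renew` on the dates the OnCalendar line above matches and reports any days on which the certificate had already expired before the next run. It assumes a 90-day certificate lifetime (consistent with the 2020-07-08 expiry shown above) and certbot's default of renewing only certificates with 30 days or less remaining; the function names are hypothetical.

```python
from datetime import date, timedelta

LIFETIME = timedelta(days=90)      # assumption: Let's Encrypt certificate lifetime
RENEW_WINDOW = timedelta(days=30)  # assumption: certbot renews when <= 30 days remain


def quarterly_runs(start, end):
    """Dates matched by OnCalendar=*-01,04,07,10-01 between start and end."""
    runs = []
    for year in range(start.year, end.year + 1):
        for month in (1, 4, 7, 10):
            day = date(year, month, 1)
            if start <= day <= end:
                runs.append(day)
    return runs


def daily_runs(start, end):
    """One run per day, for comparison with the quarterly timer."""
    return [start + timedelta(days=n) for n in range((end - start).days + 1)]


def simulate(issued, runs):
    """Replay `certbot renew` on each run date.

    Returns (renewals, lapses): renewals lists the dates a new certificate
    was issued; lapses lists (expired_on, renewed_on) pairs where the old
    certificate had already expired when the timer finally fired.
    """
    expires = issued + LIFETIME
    renewals, lapses = [], []
    for run in runs:
        if expires - run > RENEW_WINDOW:
            continue                       # not due yet: certbot does nothing
        if expires < run:
            lapses.append((expires, run))  # an expired certificate was served
        renewals.append(run)
        expires = run + LIFETIME
    return renewals, lapses


if __name__ == "__main__":
    issued = date(2020, 4, 9)   # constructed: 90 days before 2020-07-08
    end = date(2021, 12, 31)
    for name, runs in (("quarterly", quarterly_runs(issued, end)),
                       ("daily", daily_runs(issued, end))):
        renewals, lapses = simulate(issued, runs)
        print(f"{name}: {len(renewals)} renewals, lapses: {lapses}")
```

Under these assumptions the quarterly schedule leaves gaps whenever a quarter is longer than 90 days, while a daily run renews at about day 60 of each certificate and does nothing on the other days.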
