
Generate SSL certificates for all sites in Nginx

Automatically generate SSL certificates for all sites in Nginx using Certbot.

To easily generate an SSL certificate for your Nginx-managed domain, you can use Certbot, a widely used tool that automates obtaining and installing SSL certificates from Let’s Encrypt.

Creating SSL certificate for your Nginx-managed domain

Here’s a straightforward guide to help you through the steps:

Install Certbot

First, you need to install Certbot on your server. The exact commands depend on your operating system; on Debian/Ubuntu (apt-based) systems they are:

Install Certbot
sudo apt update
sudo apt install certbot python3-certbot-nginx

List all domains in the Nginx configuration

To list all domains in the Nginx configuration, dump the entire (merged) Nginx configuration with nginx -T and search it for the server_name directive. The output shows every domain and subdomain that is configured.

List all domains in the Nginx configuration
sudo nginx -T | grep "server_name"

Obtain the SSL certificate

Once Certbot is installed, you can request a new SSL certificate for your domain by running:

Request a new SSL certificate for a single domain
sudo certbot --nginx -d your_domain.com
Request a new SSL certificate for multiple domains
sudo certbot --nginx -d example.com -d www.example.com -d anotherdomain.com

Replace your_domain.com with your actual domain name. Certbot will guide you through the process, prompting you for your email address and asking you to agree to the terms of service.

Certbot will automatically configure Nginx to use the newly obtained SSL certificate, setting up the necessary server blocks for HTTPS.

If you have multiple domains or subdomains, you can specify them all at once, separated by commas: sudo certbot --nginx -d example.com,www.example.com.
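The two steps above (listing every server_name and requesting a certificate for each) combined into one script, as an added example that is not part of the original post. It parses a constructed nginx -T dump embedded inline, skips names that cannot get a certificate through the Nginx plugin (the "_" catch-all, localhost, wildcards), and prints the certbot commands for review instead of running them; the ACME_EMAIL variable is a hypothetical placeholder for your account e-mail.

```shell
#!/bin/sh
# Added example: collect every server_name from an Nginx configuration dump and
# build one certbot invocation per domain. Assumes the Debian/Ubuntu layout and
# the certbot nginx plugin used in the post.

# Constructed sample of "nginx -T" output so the parser runs offline.
# In production feed the real dump: sudo nginx -T | extract_server_names
SAMPLE_DUMP='server {
    listen 80;
    server_name example.com www.example.com;
}
server {
    listen 80 default_server;
    server_name _;
}
server {
    server_name *.wild.example.com localhost anotherdomain.com;  # comment
}
server {
    server_name example.com;
}'

# Print one unique, certificate-eligible domain per line from a dump on stdin.
# Skips "_" (catch-all), localhost and wildcards (wildcards need DNS-01, not --nginx).
extract_server_names() {
    sed -e 's/#.*$//' |
    awk '$1 == "server_name" { for (i = 2; i <= NF; i++) { n = $i; sub(/;$/, "", n); if (n != "") print n } }' |
    grep -v -e '^_$' -e '^localhost$' -e '\*' |
    sort -u
}

# Print (not run) the certbot command for each domain read from stdin.
# ACME_EMAIL is a hypothetical placeholder for the Let's Encrypt account e-mail.
build_certbot_commands() {
    while read -r domain; do
        printf 'sudo certbot --nginx -n --agree-tos -m "%s" -d %s\n' \
            "${ACME_EMAIL:-admin@example.com}" "$domain"
    done
}

# Example run over the constructed dump: prints three certbot commands.
printf '%s\n' "$SAMPLE_DUMP" | extract_server_names | build_certbot_commands
```

Review the printed commands, then pipe them into sh (or run them one by one) once you are satisfied with the domain list.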

Reload the Nginx configuration without restarting the entire server

When you make changes to your Nginx configuration files (e.g., /etc/nginx/nginx.conf, /etc/nginx/sites-available/default, etc.), you need to tell Nginx to reload the new configuration. The command below does exactly that.

Reload the Nginx configuration
sudo systemctl reload nginx

Verification

  1. Run sudo certbot certificates to display information about all SSL certificates that Certbot has obtained and installed on your system.
  2. Verify that your site is accessible over HTTPS and that the certificate is valid by checking your site in a web browser.

    If you already have your site open in a browser tab when you install the new SSL certificate, you may need to close that tab and open the site in a new tab, or refresh the page several times, before the updated certificate is shown. Browsers keep existing TLS connections and sessions open for a while and may not immediately perform a new handshake that uses the new certificate.

Automating the renewal process

Certbot sets up automatic renewal by default, using a systemd timer or a cron job depending on your system. Here’s how to confirm and enhance it:

Check if Certbot auto-renew is enabled

Run:

sudo systemctl list-timers | grep certbot

If you see a timer like certbot.timer, then Certbot is set to attempt renewal twice daily.

Simulate renewal

Just to make sure things are working, do a dry run:

sudo certbot renew --dry-run

If that runs without errors, then your setup is solid.

A common error is a missing _acme-challenge.example.com DNS record, which the DNS-01 challenge requires. You can generate the name and value for that TXT record with the following command:

sudo certbot -a manual -d example.com --preferred-challenges dns certonly

Certbot will prompt you with a TXT record to add, something like:

_acme-challenge.example.com IN TXT "random-string"

Verify that the TXT record has been deployed. Depending on the DNS provider, this can take anywhere from a few seconds to several minutes. You can check whether the TXT record has finished propagating with online tools such as the Google Admin Toolbox.

Optionally add a hook for Nginx reload

When Certbot renews a certificate, it does not reload Nginx unless you tell it to. You can add a deploy hook to automate the reload; the hook is saved in the renewal configuration, so later automatic renewals use it as well:

sudo certbot renew --deploy-hook "systemctl reload nginx"

Or add this line to a cron job if you’re managing renewals manually.
