Gekinzuku - Random tech posts, software, and travel pictures.

Setting up an SSL Certificate With Nginx and Let's Encrypt

Published on: Nov. 2, 2019, 6:48 p.m. by assemblarg.

First go to Let's Encrypt. You can follow along with the directions for your respective OS and software configuration.

If you want to set up a certificate manually, install certbot and run:

# letsencrypt certonly -a manual --rsa-key-size 4096 --email user@example.com -d example.com -d www.example.com

You then need to add the following to the server section of your nginx configuration:

listen 443 ssl default_server;
listen [::]:443 ssl default_server;
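# fullchain.pem holds the certificate plus the intermediate chain; cert.pem alone omits the chain
ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;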
ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

To redirect all http traffic in nginx to https, add the following server section:

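server {
    listen 80 default_server;
    listen [::]:80 default_server;
    # $server_name expands to the first name listed here, so list the real hostname;
    # with "server_name _;" the redirect would point at https://_/
    server_name example.com www.example.com;
    return 301 https://$server_name$request_uri;
}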

$server_name could be replaced by $host in most cases, but $host is set from the HTTP Host header, so a user could manipulate it maliciously. It is better to use a variable we control instead: in this case $server_name, which comes from the server_name directive in our own configuration.
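A small lint for an nginx configuration, as an added example that is not part of the original post: it flags redirects built from `$host` or `$http_host`, redirects using `$server_name` where `server_name` is missing or only the `_` placeholder, and `ssl_certificate` pointing at certbot's leaf-only `cert.pem`. The parser is simplified, and the function names, issue labels and sample configuration are constructed for illustration.

```python
import re

# Constructed sample configuration (not from a real host): one issue per server block.
SAMPLE = """
server {
    server_name _;
    return 301 https://$server_name$request_uri;
}
server {
    server_name example.com www.example.com;
    return 301 https://$host$request_uri;
}
server { ssl_certificate /etc/letsencrypt/live/example.com/cert.pem; }
"""

def server_blocks(conf):  # simplified parser: no quoted strings, no include files
    """Strip comments, then yield each server block as a list of directives (word lists)."""
    depth, block, opened_at = 0, None, 0
    for text, delim in re.findall(r"([^{};]*)([{};])", re.sub(r"#[^\n]*", "", conf)):
        words = text.split()
        if delim == "{":
            if words == ["server"] and block is None:
                block, opened_at = [], depth
            depth += 1
        elif delim == "}":
            depth -= 1
            if block is not None and depth == opened_at:
                yield block
                block = None
        elif block is not None and words:
            block.append(words)  # includes directives inside nested location blocks

def audit(conf):
    """Return (server block number, issue) pairs for the three checks below."""
    findings = []
    for n, block in enumerate(server_blocks(conf), 1):
        names = [w for d in block if d[0] == "server_name" for w in d[1:]]
        for name, *rest in block:
            args, redirect = " ".join(rest), name in ("return", "rewrite")
            checks = {  # issue label -> condition
                "host-header-redirect": redirect and re.search(r"\$(http_)?host\b", args),
                "placeholder-server-name": redirect and "$server_name" in args and names[:1] in ([], ["_"]),
                "leaf-only-certificate": name == "ssl_certificate" and args.endswith("/cert.pem"),
            }
            findings += [(n, issue) for issue, hit in checks.items() if hit]
    return findings

if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```
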

Posted in: System Administration