Adding Let’s Encrypt Certs to Nginx
This morning I had some time and wanted to finish up the work of getting my Cloud VM running Ubuntu 22.04 working just fine as a development box - including inbound webhooks from vendors, and calls from apps like HTTPbot on my iPad Pro. The key was that I needed to be able to install and configure nginx to forward all port 443 traffic to port 6543, and that also meant getting the nginx server to be listening on port 443 with a legit certificate.
Turns out, it wasn't as bad as I thought it might be. 🙂
Starting with my Ubuntu 22.04 install, I added the packages I was going to need, based on this blog post on the nginx site.
$ sudo apt-get -y install --no-install-recommends nginx certbot python3-certbot-nginx
Once these are installed, we could set the server_name in the nginx config:
$ sudo /etc/nginx/sites-enabled/default
and update the server_name line to be:
server_name mybox.mydomain.com;
and then we can get the initial certificate from Let's Encrypt and register a new email account with them with:
$ sudo certbot --nginx -d mybox.mydomain.com -d mydomain.com
and the second -d argument is for an additional domain for the certificate. I didn't need it, so I just had the one -d pair on my certbot command.
After this, we edit the config file again, updating the port 443 section's location specification with:
location / { # forward all HTTPS traffic to port 6543 proxy_set_header X-Forward-For $remote_addr; proxy_set_header Host $http_host; proxy_pass "http://127.0.0.1:6543"; }
and then verify the nginx config with:
$ sudo nginx -t
and then tell nginx to reload the config with:
$ sudo nginx -s reload
At this point, the box is answering HTTPS traffic, and forwarding it on to the Node service at port 6543. Excellent. 🙂
In order to refresh the Let's Encrypt Certificate on time, let's add a simple crontab entry:
$ crontab -e
and then have the entries:
# run all the commands on Bash not Bourne Shell SHELL=/bin/bash # send all the mail to my main account MAILTO=bob@mydomain.com # check the Let's Encrypt certificate each dat at noon UTC 0 12 * * * sudo /usr/bin/certbot renew --quiet
And that should do it.