Install and configure Nginx:
$ sudo apt update $ sudo apt install nginx $ sudo rm /etc/nginx/sites-enabled/default $ sudo vi /etc/nginx/sites-available/MYSITE # See below $ sudo ln -s /etc/nginx/sites-available/MYSITE /etc/nginx/sites-enabled $ sudo systemctl restart nginx
The /etc/nginx/sites-available/MYSITE config file should look like so:
server { listen 80; server_name MYSITE.COM WWW.MYSITE.COM; } server { listen 443 ssl; server_name MYSITE.COM WWW.MYSITE.COM; server_tokens off; # If you use nginx as reverse-proxy location / { proxy_pass http://localhost:8080; proxy_set_header Host $host; } }
Install certbot:
$ sudo apt update $ sudo apt install software-properties-common $ sudo add-apt-repository ppa:certbot/certbot $ sudo apt update $ sudo apt install certbot python-certbot-nginx
Create the certificate:
$ sudo certbot --nginx --agree-tos --redirect --uir --hsts --staple-ocsp --email ME@MYSITE.COM -d MYSITE.COM -d WWW.MYSITE.COM
You could potentially use the --must-staple argument to enable the OCSP “must staple” extension, but it doesn’t work well with Firefox (to fix in your Firefox browser: go to about:config, and set security.ssl.enable_ocsp_must_staple to false).
The arguments are:
--nginx: Use Nginx for authentication and install certificate for Nginx--agree-tos: Agree with Let’s Encrypt terms of service--redirect: Add Nginx config to redirect HTTP to HTTPS--uir: AddContent-Security-Policy: upgrade-insecure-requeststo HTTP responses--hsts: AddStrict-Transport-Securityheader to HTTP responses--staple-ocsp: Enable OSCP stapling (allow browser to skip verification of whether the SSL certificate has been revoked or not)--email: Email address to use to register with Let’s Encrypt, and potentially for recovery
I work as a freelancer, so if you don’t want to do that kind of things yourself or don’t have the time, just drop me a line to hire me.