How to properly use certbot with Nginx on Ubuntu?

Install and configure Nginx:

$ sudo apt update
$ sudo apt install nginx
$ sudo rm /etc/nginx/sites-enabled/default
$ sudo vi /etc/nginx/sites-available/MYSITE  # See below
$ sudo ln -s /etc/nginx/sites-available/MYSITE /etc/nginx/sites-enabled
$ sudo systemctl restart nginx

The /etc/nginx/sites-available/MYSITE config file should look like so:

server {
  listen 80;
  server_name MYSITE.COM WWW.MYSITE.COM;  # certbot --nginx matches this against -d
}

server {
  listen 443 ssl;
  server_name MYSITE.COM WWW.MYSITE.COM;
  server_tokens off;  # hide the Nginx version in the Server header and error pages
  # certbot --nginx inserts the ssl_certificate / ssl_certificate_key lines here.
  # Nginx refuses to start a "listen 443 ssl" block that has no certificate yet,
  # so keep this block commented out until certbot has issued the certificate.

  # If you use nginx as reverse-proxy
  location / {
    proxy_pass http://localhost:8080;
    proxy_set_header Host $host;
  }
}

Install certbot:

$ sudo apt update
$ sudo apt install software-properties-common
$ sudo add-apt-repository ppa:certbot/certbot
$ sudo apt update
$ sudo apt install certbot python-certbot-nginx

Create the certificate:

$ sudo certbot --nginx --agree-tos --redirect --uir --hsts --staple-ocsp --email ME@MYSITE.COM -d MYSITE.COM -d WWW.MYSITE.COM

You could potentially add the --must-staple option to enable the OCSP "must staple" extension (the certificate itself then tells clients to require a stapled OCSP response), but it doesn't work well with Firefox (to work around it in Firefox: open about:config and set security.ssl.enable_ocsp_must_staple to false).

The arguments are:

  • --nginx: Use the Nginx plugin both to prove control of the domain (it serves the HTTP challenge through the running Nginx) and to install the certificate into the Nginx config
  • --agree-tos: Agree with Let’s Encrypt terms of service
  • --redirect: Add Nginx config to redirect HTTP to HTTPS
  • --uir: Add a Content-Security-Policy: upgrade-insecure-requests header to HTTP responses
  • --hsts: Add a Strict-Transport-Security header to HTTP responses
  • --staple-ocsp: Enable OCSP stapling (Nginx fetches the CA's signed revocation status and attaches it to the TLS handshake, so the browser does not have to query the OCSP responder itself)
  • --email: Email address to use to register with Let’s Encrypt, and potentially for recovery
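Once certbot has run, it is worth confirming that the hardening flags actually took effect. The script below is an added example, not part of the original article or of certbot: it checks a curl header dump for HSTS and upgrade-insecure-requests, checks that server_tokens off removed the version from the Server header, and checks an openssl s_client transcript for a stapled OCSP response. The two sample texts are constructed stand-ins for the live command output; MYSITE.COM is the page's placeholder domain.

```shell
#!/bin/sh
# Added example (not from the original page). Verifies the effect of --hsts, --uir,
# server_tokens off and --staple-ocsp. The samples below are CONSTRUCTED stand-ins
# for what these live commands print against MYSITE.COM:
#   curl -sI https://MYSITE.COM/
#   openssl s_client -connect MYSITE.COM:443 -servername MYSITE.COM -status </dev/null

SAMPLE_HEADERS='HTTP/1.1 200 OK
Server: nginx
Content-Type: text/html
Strict-Transport-Security: max-age=31536000
Content-Security-Policy: upgrade-insecure-requests
'

SAMPLE_SCLIENT='CONNECTED(00000003)
OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Cert Status: good
'

# check_headers HEADERS -> returns 0 if HSTS and upgrade-insecure-requests are present
# and the Server header leaks no version number; prints each failure and returns 1 otherwise.
check_headers() {
  rc=0
  printf '%s' "$1" | grep -qi '^Strict-Transport-Security:' \
    || { echo "FAIL: no Strict-Transport-Security header (--hsts)"; rc=1; }
  printf '%s' "$1" | grep -qi '^Content-Security-Policy:.*upgrade-insecure-requests' \
    || { echo "FAIL: no upgrade-insecure-requests directive (--uir)"; rc=1; }
  # server_tokens off turns "Server: nginx/1.18.0" into plain "Server: nginx"
  if printf '%s' "$1" | grep -i '^Server:' | grep -qE '[0-9]+\.[0-9]+'; then
    echo "FAIL: Server header leaks a version number (server_tokens off)"; rc=1
  fi
  return $rc
}

# check_stapling SCLIENT_OUTPUT -> returns 0 if the server stapled a successful OCSP
# response whose certificate status is "good"; 1 if nothing was stapled or the
# status is anything else (revoked/unknown).
check_stapling() {
  printf '%s' "$1" | grep -q 'OCSP Response Status: successful' \
    || { echo "FAIL: no OCSP response stapled (--staple-ocsp)"; return 1; }
  printf '%s' "$1" | grep -q 'Cert Status: good' \
    || { echo "FAIL: stapled OCSP response does not report status good"; return 1; }
  return 0
}

# Stand-alone run against the constructed samples; swap in the live commands above
# to check a real host.
check_headers "$SAMPLE_HEADERS" && check_stapling "$SAMPLE_SCLIENT" && echo "all checks passed"
```

Both functions accept the raw text on standard input of the real commands, so `check_headers "$(curl -sI https://MYSITE.COM/)"` and `check_stapling "$(openssl s_client -connect MYSITE.COM:443 -servername MYSITE.COM -status </dev/null 2>/dev/null)"` run the same checks against the live server. A failing stapling check right after issuance is common: Nginx only staples once it has fetched the first OCSP response in the background, so retry a request or two before treating it as a misconfiguration.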

How to install the dns-route53 plugin for certbot on Ubuntu?

There are no instructions on how to install the dns-route53 plugin for certbot. Here is how to do it on Ubuntu.

To install certbot:

$ sudo apt-get update
$ sudo apt-get install software-properties-common
$ sudo apt-add-repository ppa:certbot/certbot
$ sudo apt-get update
$ sudo apt-get install certbot

To install the dns-route53 plugin:

$ sudo apt-get install python3-pip
$ sudo pip3 install certbot-dns-route53

You can then create a new certificate with something like this (the plugin completes the DNS-01 challenge by writing a TXT record into the Route 53 hosted zone, so no web server needs to be reachable on port 80; it reads AWS credentials the same way the AWS CLI does, and since the command runs under sudo they must be visible to root):

$ sudo certbot certonly --dns-route53 -d MYSITE.COM --deploy-hook 'systemctl reload apache2'