<link href="https://fonts.googleapis.com/css?family=Roboto:100,100italic,200,200italic,300,300italic,400,400italic,500,500italic,600,600italic,700,700italic,800,800italic,900,900italic&amp;display=swap" rel="stylesheet"/>
By using this website, you agree to the use of cookies as described in our Privacy Policy.
5 minutes reading time (1008 words)

Use Certbot to get an SSL certificate from Lets Encrypt for Nginx on Debian 11

9685 Hits

How to use Certbot to get an SSL certificate from Lets Encrypt for Nginx on Debian 11

Let's Encrypt SSL Certificates

Let's Encrypt is a non-profit certificate authority that you can use to get a free SSL certificate to secure your website using HTTPS.

Certbot is an open-source software package used to automatically request and renew Let's Encrypt SSL certificates for websites.

When you request a certificate from Lets Encrypt, you'll need to verify that you own the domain names in the certificate using either an HTTP or DNS challenge.

HTTP Challenge vs DNS Challenge

HTTP Challenge

  • The certificate request puts a token file on your web server that Lets Encrypt retrieves to validate the certificate
  • This type of challenge can't be used to issue wildcard certificates
  • HTTP challenge can only be done using port 80
  • You can easily automate the renewal of certificates issued using HTTP challenge

 DNS Challenge

  • You prove ownership of the domain names by creating a DNS TXT record _acme-challenge.yourdomain.com
  • DNS challenge allows you to issue wildcard certificates
  • Certificates issued using DNS verification can only be automatically renewed if your DNS provider has an API that supports this

Before you begin

  • Install Nginx web server following this guide
  • Create DNS A records for your website name (both www and non-www versions) pointing to your webservers public IP address
  • Create a DNS CAA record for Lets Encrypt
  • Open ports 80 for HTTP and 443 for HTTPS on your firewall to your webserver

DNS Certification Authority (CAA) Record

A DNS CAA record allows you to specify certificate authorities that are allowed to issue certificates for your domain. Adding a CAA record to your external DNS adds a layer of security by letting you list the approved certificate authorities.

Example: Google DNS CAA record for Let's Encrypt

Type: CAA
Data: 0 issue "letsencrypt.org"

Create folder for Lets Encrypt challenge

# create letsencrypt folder
mkdir -p /var/www/letsencrypt/.well-known

# change group to nginx user www-data
chgrp www-data -Rf /var/www/letsencrypt

# set group ID of directory
chmod g+s /var/www/letsencrypt

# change folder permissions
chmod 750 -Rf /var/www/letsencrypt

Add Lets Encrypt folder to Nginx server block

This example is for a basic Nginx server block using HTTP. We will add the Lets Encrypt folder to the server block to make it accessible by the webserver to complete the acme-challenge.

nano /etc/nginx/sites-available/yourdomain.com.conf

# http server block
server {
    listen 80;
    root /var/www/yourdomain.com/html;
    index index.html;
    server_name yourdomain.com www.yourdomain.com;

# letsencrypt folder
    location ^~ /.well-known/acme-challenge/ {
    allow all;
    root  /var/www/letsencrypt/;
    default_type "text/plain";
    try_files $uri =404;
}
}

Check nginx config
nginx -t

Reload nginx
service nginx reload

Install Cerbot using snap

Update package lists and install snapd

apt update && apt install snapd

Install and update snap core 

sudo snap install core; sudo snap refresh core

Install Certbot using snap  

sudo snap install --classic certbot
sudo ln -s /snap/bin/certbot /usr/bin/certbot

Get an SSL certificate using certbot --nginx

Certbot command line options

certonly get a certificate but do not install it, we will need to edit the Nginx config file to add the SSL certificate manually
--nginx use the Nginx plugin
-d comma separated list of domains to get a certificate for
-m email address for Let's Encrypt notifications
--agree-tos agree to the ACME Subscriber Agreement terms of service
--no-eff-email do not share your email address with the Electronic Frontier Foundation (EFF)

sudo certbot certonly --nginx -d yourdomain.com -d www.yourdomain.com -m email@yourdomain.com --agree-tos --no-eff-email

Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/yourdomain.com/fullchain.pem
Key is saved at:/etc/letsencrypt/live/yourdomain.com/privkey.pem
This certificate expires on 2022-05-30.
These files will be updated when the certificate renews.
Certbot has set up a scheduled task to automatically renew this certificate in the background.

Nginx server block for HTTPS

Next, we need to edit the website config file, redirect HTTP to HTTPS and add a server block for HTTPS that includes the SSL certificate.

nano /etc/nginx/sites-available/yourdomain.com.conf

# http server block
server {
    listen 80 default_server;
    root /var/www/yourdomain.com/html;
    index index.html;
    server_name yourdomain.com www.yourdomain.com;
    # letsencrypt folder
    location ^~ /.well-known/acme-challenge/ {
        allow all;
        root /var/www/letsencrypt/;
        default_type "text/plain";
        try_files $uri =404;
    }
    # http to https redirect
    location / {
        return 301 https://yourdomain.com$request_uri;
    }
}
# https server block
server {
    listen 443 ssl http2;
    server_name yourdomain.com www.yourdomain.com;
    root /var/www/yourdomain.com/html;
    index index.html;
    # ssl certificate
    ssl_certificate /etc/letsencrypt/live/yourdomain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/yourdomain.com/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/yourdomain.com/chain.pem;
}

Check nginx config
nginx -t

Reload nginx
service nginx reload

Let's Encrypt Certificate Auto-renewal

  • Let's Encrypt certificates are only valid for 90 days, so they must be renewed before they expire.
  • When you install Certbot using snap, a scheduled task for automatically renewing certificates is created.
  • The snap Certbot renew task is scheduled to run every 12 hours, but certificates will not be automatically renewed unless they are due to expire in less than 30 days.

# list system scheduled tasks
systemctl list-timers

# check Cerbot renewal timer status
systemctl status snap.certbot.renew.timer

# check Certbot system timer
systemctl cat snap.certbot.renew.timer 

# check the command that snap.certbot.renew runs
cat /etc/systemd/system/snap.certbot.renew.service

#check system logs for snap.certbot.renew
journalctl -u snap.certbot.renew

Test Certificate Renewal

You can use the --dry-run option to test certificate renewal.

certbot certonly --nginx -d yourdomain.com -d www.yourdomain.com -m email@yourdomain.com --agree-tos --no-eff-email --dry-run

The --force-renew option is used to force certificates to renew even if they are not due to expire.

certbot certonly --nginx -d yourdomain.com -d www.yourdomain.com -m email@yourdomain.com --agree-tos --no-eff-email --force-renew

Buy Me A Coffee

References:

Certbot - Nginx on Debian 10
https://certbot.eff.org/instructions?ws=nginx&os=debianbuster

Lets Encrypt - Challenge Types
https://letsencrypt.org/docs/challenge-types

Certbot Documentation
https://eff-certbot.readthedocs.io/en/stable/index.html

ArchWiki - Certbot
https://wiki.archlinux.org/title/Certbot

0
Tags:
Debian Linux Nginx

Related Posts

 

Comments

No comments made yet. Be the first to submit a comment
Already Registered? Login Here
Monday, 15 June 2026
You can help support this website by buying me a coffee!
Buy Me A Coffee