Securing Your Site with Let's Encrypt SSL Using Certbot and Cloudflare on Ubuntu
Enhance the security of your website hosted on an Ubuntu server by using Certbot to issue and manage Let's Encrypt SSL certificates. This tutorial guides you through the installation of Certbot and its plugins for Nginx and Cloudflare, followed by configuring Certbot to automatically verify domain ownership through Cloudflare.
Prerequisites
- An Ubuntu server (18.04, 20.04, or later).
- Nginx installed and configuring at least one domain.
- A Cloudflare account managing the DNS for your domain.
Step 1: Install Certbot and Plugins
Update Package Index
Ensure your Ubuntu package list is up-to-date:
sudo apt update
Install Certbot and the Nginx Plugin
Install Certbot and its Nginx plugin using apt:
sudo apt install certbot python3-certbot-nginx -y
Install the Cloudflare DNS Plugin
Install the Certbot Cloudflare DNS plugin to use DNS records hosted by Cloudflare for domain verification:
sudo apt install python3-certbot-dns-cloudflare -y
Step 2: Configuring Cloudflare API Credentials
Certbot needs permission to access your Cloudflare account to create DNS records for domain verification.
-
Create an API Token in your Cloudflare account under the "API Tokens" section of the "My Profile" page:
- Select "Create Token".
- Use the "Edit zone DNS" template as a starting point.
- Add all zones from your account or specify zones to include.
- Set permissions to "Zone - DNS - Edit".
- Name your token and create it.
-
Create a Configuration File for your Cloudflare credentials on your server:
sudo mkdir /etc/letsencrypt
sudo nano /etc/letsencrypt/.cloudflare.ini
- Add the following content, replacing
your_api_tokenwith your actual Cloudflare API token:
# Cloudflare API token used by Certbot
dns_cloudflare_api_token = your_api_token
- Secure the Credentials File by changing its permissions:
sudo chmod 600 /etc/letsencrypt/.cloudflare.ini
Step 3: Obtain an SSL Certificate
Run Certbot with the Cloudflare DNS plugin to obtain your certificate:
sudo certbot certonly --dns-cloudflare --dns-cloudflare-credentials /etc/letsencrypt/.cloudflare.ini -d yourdomain.com -d *.yourdomain.com --preferred-challenges dns-01 --dns-cloudflare-propagation-seconds 60
Replace yourdomain.com with your actual domain. You can specify multiple domains and subdomains by adding additional -d parameters.
By doing *.yourdomain.com you are creating a wildcard cert that will work with All subdomains.
Follow the interactive Certbot instructions. If successful, your certificate and keys will be stored in /etc/letsencrypt/live/yourdomain.com/.
Step 4: Configuring Nginx to Use the SSL Certificate
Edit your domain's Nginx configuration file:
Example nginx configs can be found here
sudo nano /etc/nginx/sites-available/yoursite.conf
Ensure there is a server block for HTTPS configured to use the SSL certificate and key:
server {
listen 443 ssl;
server_name sub.yourdomain.com;
ssl_certificate /etc/letsencrypt/live/yourdomain.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/yourdomain.com/privkey.pem;
# Additional SSL settings...
}
Step 5: Create symlink
Change *.conf to the name of your .conf file you just created.
sudo ln -s /etc/nginx/sites-available/*.conf /etc/nginx/sites-enabled/
Reload Nginx to apply the changes:
sudo systemctl reload nginx
Step 6: Setting Up Automatic Renewal
Let’s Encrypt certificates are valid for 90 days. To automate the renewal, Certbot installs a systemd timer. Verify automatic renewal:
sudo certbot renew --dry-run
If the test is successful, Certbot will renew your certificates automatically.
Conclusion
You've successfully secured your website served by Nginx on Ubuntu using an SSL certificate issued by Let's Encrypt, verified through Cloudflare. This setup not only enhances your site's security but also automates the renewal process, ensuring uninterrupted HTTPS service.
