Let's Encrypt with Rails and Nginx

Categories: deployment


Certbot

At the time of this writing ppa:certbot/certbot is using an outdated version of Certbot. For this article, we will be manually installing Certbot Auto from https://dl.eff.org/certbot-auto

wget https://dl.eff.org/certbot-auto
sudo mv certbot-auto /usr/local/bin/certbot-auto
sudo chown root /usr/local/bin/certbot-auto
sudo chmod 0755 /usr/local/bin/certbot-auto

Allow HTTPS

Allow HTTPS via UFW

sudo ufw allow 'Nginx Full'

Verify Nginx Full is set to ALLOW

sudo ufw status

Let’s Encrypt Certificate

Install Let’s Encrypt Certificate

# --cert-name - Used to give your certificate a name.
# -d - The domains you are including in your SSL cert
# --nginx - will instruct certbot to edit your Nginx config with following:
# ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
# ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
# include /etc/letsencrypt/options-ssl-nginx.conf;
# ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;

sudo /usr/local/bin/certbot-auto --cert-name example.com -d example.com -d www.example.com --nginx

You will make to make any corrections to your Nginx config incase Certbot broke the layout. After saving your changes, restart Nginx.

sudo systemctl restart nginx

Auto-renewal

Add the following cron job to the default/system crontab.

echo "0 0,12 * * * root python -c 'import random; import time; time.sleep(random.random() * 3600)' && /usr/local/bin/certbot-auto renew -q" | sudo tee -a /etc/crontab > /dev/null