🚀 Setting Up SSL with Certbot & Nginx
Secure your website with SSL using Certbot and Nginx. This guide covers installation, obtaining SSL certificates, configuring Nginx, and automating renewals.
📌 Step 1: Installing Certbot & Nginx Plugin
sudo apt install certbot python3-certbot-nginx -y
✅ Step 2: Testing Nginx Configuration
nginx -t
If no errors are displayed, restart Nginx:
systemctl restart nginx
🔒 Step 3: Obtaining an SSL Certificate
Certbot provides multiple options for obtaining and installing SSL certificates. Choose the appropriate method based on your requirements:
🔹 Option 1: Automatic SSL Installation (Recommended)
Certbot will obtain and install the SSL certificate, updating your Nginx configuration automatically:
certbot --nginx -d asifahmadkhan.com -d www.asifahmadkhan.com
🔹 Option 2: Obtain SSL Certificate Only (Manual Nginx Configuration)
Use this if you prefer to modify your Nginx config manually:
certbot --nginx certonly -d asifahmadkhan.com -d www.asifahmadkhan.com
After obtaining the certificate, point your site configuration at /etc/letsencrypt/live/asifahmadkhan.com/fullchain.pem and privkey.pem (as in the server block in Step 5), then enable it with a symbolic link:
ln -s /etc/nginx/sites-available/asifahmadkhan.conf /etc/nginx/sites-enabled/
Then reload Nginx:
systemctl reload nginx
🔐 Step 4: SSL for Private Servers (Manual DNS Challenge)
If your server is not publicly accessible, use the DNS challenge method:
certbot certonly --manual --preferred-challenges=dns \
--email asifahmadkhanofficial@gmail.com \
--server https://acme-v02.api.letsencrypt.org/directory \
--agree-tos -d "asifahmadkhan.com" -d "www.asifahmadkhan.com"
📢 Certbot prints a TXT record to add in your DNS settings. The token is generated fresh for every request, so use the value from your own run, not the one shown here:
_acme-challenge.asifahmadkhan.com. TXT IYlMA58v4TLhS7Rbs_q6HhffccivLTN70jkjtRTq6fo
Once verified, reload Nginx:
systemctl reload nginx
🌍 Step 5: Obtaining a Wildcard SSL Certificate
🔹 1️⃣ Add an A Record in Cloudflare
Type: A    Name: *.asifahmadkhan.com    Content: 40.192.37.124
🔹 2️⃣ Create Nginx Configuration for Wildcard SSL
vi /etc/nginx/sites-available/star.asifahmadkhan.com.conf
Paste the following configuration. The certificate it references must cover *.asifahmadkhan.com; Let's Encrypt issues wildcard names only through the DNS challenge from Step 4, and a certificate obtained in Step 3 for the apex and www names alone will be rejected by browsers for other subdomains:
server {
    listen [::]:80;
    listen 80;
    server_name *.asifahmadkhan.com;
    return 301 https://$host$request_uri;
}

server {
    listen [::]:443 ssl http2;
    listen 443 ssl http2;
    server_name *.asifahmadkhan.com;

    # This lineage must have been issued with -d "*.asifahmadkhan.com" via the
    # DNS challenge; Certbot names the directory after the first -d value.
    ssl_certificate /etc/letsencrypt/live/asifahmadkhan.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/asifahmadkhan.com/privkey.pem;

    error_log /var/log/nginx/asifahmadkhan.com.error.log;
    access_log /var/log/nginx/asifahmadkhan.com.access.log;

    root /var/www/html/docs/public;
    index index.php index.html;

    # Security headers belong at server level so every response carries them,
    # not only PHP responses. An add_header inside a location block replaces
    # (does not extend) the headers inherited from the server block.
    add_header X-Xss-Protection "1; mode=block" always;
    add_header X-Frame-Options "sameorigin" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;

    location / {
        try_files $uri $uri/ /index.php?$args;
    }

    location ~ \.php$ {
        include snippets/fastcgi-php.conf;
        fastcgi_pass unix:/var/run/php/php8.2-fpm.sock;
    }
}
Create a symbolic link and reload Nginx:
ln -s /etc/nginx/sites-available/star.asifahmadkhan.com.conf /etc/nginx/sites-enabled/
systemctl reload nginx
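Before enabling a server block, it is worth checking that the files under /etc/letsencrypt/live/ actually match what the block claims: that the certificate lists the wildcard name (Step 5) and not just the apex and www names from Step 3, that the private key belongs to it, and how close it is to expiry (Step 6). The script below is an added example, not part of the original guide; it builds a short-lived self-signed certificate with openssl as constructed test material, with example.com standing in for asifahmadkhan.com, and the function and file names are my own.

```shell
#!/bin/sh
# Added example, not from the original guide: pre-flight checks on a certificate
# and key before nginx serves them. The demo certificate is constructed locally.

# Exit 0 if the certificate expires within $2 days (or already has), 1 otherwise.
cert_expires_within() {
  if openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1; then
    return 1
  fi
  return 0
}

# Exit 0 if "$2" is listed verbatim as a DNS entry in the subjectAltName extension.
# Wildcards are not expanded: a cert for example.com and www.example.com does not
# cover *.example.com, and a cert for *.example.com alone does not cover example.com.
cert_covers_name() {
  openssl x509 -in "$1" -noout -text \
    | grep -A1 'Subject Alternative Name' \
    | tail -n 1 \
    | tr ',' '\n' \
    | sed 's/^[[:space:]]*//' \
    | grep -Fxq "DNS:$2"
}

# Exit 0 if the private key's public half equals the certificate's public key.
cert_matches_key() {
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null)
  key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null)
  [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Constructed test material: a self-signed 10-day cert for the apex and the wildcard.
make_demo_cert() {
  dir=$(mktemp -d)
  openssl req -x509 -newkey rsa:2048 -nodes -days 10 \
    -keyout "$dir/privkey.pem" -out "$dir/fullchain.pem" \
    -subj "/CN=example.com" \
    -addext "subjectAltName=DNS:example.com,DNS:*.example.com" >/dev/null 2>&1
  echo "$dir"
}

# Stand-alone run: the checks a deploy script would run before `nginx -t`.
demo=$(make_demo_cert)
for name in '*.example.com' 'example.com' 'www.example.com'; do
  if cert_covers_name "$demo/fullchain.pem" "$name"; then
    echo "covered:     $name"
  else
    echo "NOT covered: $name"
  fi
done
if cert_expires_within "$demo/fullchain.pem" 30; then
  echo "renewal due: certificate expires within 30 days"
fi
cert_matches_key "$demo/fullchain.pem" "$demo/privkey.pem" && echo "key matches certificate"
rm -rf "$demo"
```

Against a real lineage you would call the functions with /etc/letsencrypt/live/asifahmadkhan.com/fullchain.pem and privkey.pem and the name from the server_name line; a "NOT covered" result for *.asifahmadkhan.com means the certificate was issued without the wildcard and must be re-requested through the DNS challenge.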
🔄 Step 6: Automating SSL Renewal with a Cron Job
To renew SSL certificates automatically, edit the crontab:
crontab -e
Add the following line at the end:
0 3 * * * certbot renew --quiet --deploy-hook "systemctl reload nginx"
This will check for renewal every day at 3 AM and reload Nginx only if a certificate was actually renewed; the deploy hook runs just after a successful renewal, whereas chaining `&& systemctl reload nginx` would reload Nginx on every run. Certificates obtained with the manual DNS challenge in Step 4 are not renewed unattended by this job: certbot renew refuses the manual plugin unless a --manual-auth-hook script that publishes the TXT record is configured.
🛡️ Summary
✅ Redirects HTTP to HTTPS 🔄
✅ Uses a wildcard SSL certificate to secure all subdomains 🔑
✅ Implements security headers for enhanced protection 🛡️
✅ Automatically renews SSL certificates with a cron job ⏳
🎉 Your website is now secure with SSL from Let's Encrypt! 🔐