Nginx-Certbot-Debians 1. The Guide
Summary
Don’t know if it did before, but Certbot will work, to some extent, with Debian’s ‘sites-enabled’ configuration structure.
Suggested approach: write your Nginx config in ‘/etc/nginx/sites-available/’, then symlink it into ‘/etc/nginx/sites-enabled/’.
The link command is ‘sudo ln -s /etc/nginx/sites-available/zerohour.com.conf /etc/nginx/sites-enabled/’ (plain ASCII hyphen in ‘-s’, or the shell will not recognise the option).
Intro
This guide is about how Certbot works with Nginx, under Debian and Debian-based distributions like Ubuntu. While Certbot is a gift, the way it works with an operating system has in my experience… evolved. This is difficult for those who do not use it in a day job. What is it DOING? And what is Debian doing? I’ll tell you later. I hate faffing about,
Setup
Get your server area, whatever that is, going. Get yourself a user. Get your shell access. This is where we join in.
Get Nginx installed using packaging. Any package will do, nginx-light or nginx (by default Debian installs nginx-full),
sudo apt-get install nginx
Check it’s not only installed, but up and running with a service,
sudo systemctl status nginx
And if possible try a URL, e.g. your server’s public IP address in a browser (placeholder below),
http://<your-server-IP>/
Should see a welcome from Nginx. Here’s the first weird,
Don’t touch /etc/nginx/nginx.conf
If you’re experimenting, at least back up the thing. I don’t know a way of regenerating that file. I’m not sure even a ‘purge’ will replace it. If you followed other instructions, it’s not that they are wrong, but that won’t work here. In Part Two I put a copy of the file, may help if you have a real problem.
General server config (optional)
This step is optional. You will take it if you know what you are doing. Or if you want to understand some more.
The directory ‘/etc/nginx/conf.d’ is for server-wide configuration. Let’s put something in there. Config files can have any name, but it must end in ‘.conf’, because nginx.conf only includes ‘/etc/nginx/conf.d/*.conf’. E.g. ‘system-wide.conf’,
sudo nano /etc/nginx/conf.d/system-wide.conf
If you know what you are doing, go ahead. If not, put some small system-wide effect in there for now, build it later. Example: I saw the main file included gzip, so no need for that, but maybe I like the old ‘nosniff’ header,
# Asks the browser to honour the MIME type the server sends rather than
# sniffing the content (supported by all current major browsers)
add_header X-Content-Type-Options nosniff;
Right, done. Magic command for checking Nginx config is ok,
sudo nginx -t
If so, reload to enable,
sudo systemctl reload nginx
Nginx should still be running.
Certbot install
Certbot’s recommended method. Load Snap,
sudo apt-get install snapd
Update snap.
sudo snap install core; sudo snap refresh core
Snap gets Certbot,
sudo snap install --classic certbot
Link the executable to be runnable,
sudo ln -s /snap/bin/certbot /usr/bin/certbot
This is a long step. Certbot will ask for your email address, then the domains you want to register. Don’t worry if you don’t list all the domains now, list one or two,
sudo certbot --nginx
Check renewal can be done. This is part‐verification all is ok,
sudo certbot renew --dry-run
Check the Certbot install has set up a service for auto-renewing. One of these should contain Certbot references, usually the systemd timer (the snap install registers ‘snap.certbot.renew.timer’). If Certbot doesn’t register auto-renewal, it’s grief,
/etc/crontab
/etc/cron.*/*
sudo systemctl list-timers
Effects of the Certbot install
In the packaged Nginx installation is a file,
/etc/nginx/sites-available/default
This is intended as a model of how to deploy under Debian. Certbot has altered this,
...
    listen [::]:443 ssl ipv6only=on; # managed by Certbot
    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/heavymud.co.uk/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/heavymud.co.uk/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
server {
    if ($host = heavymud.co.uk) {
        return 301 https://$host$request_uri;
    } # managed by Certbot
    listen 80 ;
    listen [::]:80 ;
    server_name heavymud.co.uk;
    return 404; # managed by Certbot
}
Certbot adds the lower server block, a redirect from port 80 (HTTP) to 443 (HTTPS). It then modifies the demonstration SSL server block by writing in the certificate paths Nginx needs for encrypted communication.
Demo or not, this should work. If you can visit the external IP address, or even have a domain name attached, go look—it will come up encrypted.
Disable the demonstration block
The Debian maintainers promise/threaten they will maintain the demonstration server blocks. They expect you to disable them, and install your own.
To make it function, the demonstration block is symlinked into ‘sites-enabled’. Remove the symlink,
sudo rm /etc/nginx/sites-enabled/default
If you reload Nginx now, you’d see nothing served.
Make your own server block
The all-official way to name this configuration is to use a reversed domain name (‘com.zerohour’). Any name will work here, because ‘sites-enabled/*’ is included regardless of extension,
sudo nano /etc/nginx/sites-available/com.zerohour.config
This should be a working port 80 HTTP block. Certbot will change it for you. Don’t try fancy server configuration, do that later. Something like this,
server {
    listen 80 ;
    listen [::]:80 ;
    root /usr/share/nginx;
    index index.html index.htm index.nginx-debian.html;
    server_name zerohour.com;
    location / {
        # First attempt to serve request as file, then
        # as directory, then fall back to displaying a 404.
        try_files $uri $uri/ =404;
    }
}
Not done. You still have to link it into ‘sites-enabled’,
sudo ln -s /etc/nginx/sites-available/com.zerohour.config /etc/nginx/sites-enabled/
Check the configuration is ok, reload Nginx,
sudo nginx -t
sudo systemctl reload nginx
You should have a port 80 server.
Run Certbot install against the new server block
You already downloaded certificates. All you need is the install (add ‘--nginx’ if Certbot asks which installer to use),
sudo certbot install --cert-name zerohour.com
You should have an encrypted web response.
What did the install do?
Same as it did in the demo. When it encounters a working port 80 server block that it can match against a certificate, Certbot,
removes the port 80 listen directives from that block
at the bottom of the block, writes in the certificate links
adds a new HTTP to HTTPS server-redirect block
This is good—I don’t want to rake through a remote filesystem to find those links.
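As an added check (example script, not part of the guide or of Certbot), this lints a site file for the edits just listed and confirms the certificate files it points at are readable, so a failed ‘nginx -t’ after the install can be traced quickly. It assumes POSIX sh with grep and sed; the ROOT argument is a hypothetical prefix so it can be tried against a constructed certificate tree.

```shell
#!/bin/sh
# Added example, not from the guide or Certbot: lint a sites-available
# file after "sudo certbot install" to confirm the edits the guide lists
# are present and the certificate files it points at are readable.
# ROOT is a hypothetical prefix for testing against a constructed
# /etc/letsencrypt tree; leave it empty on a real server.
lint_site_conf() {
    f="$1"; root="${2:-}"; rc=0
    [ -r "$f" ] || { echo "cannot read $f"; return 2; }
    # Directives Certbot writes into the block it switches to HTTPS, plus
    # the redirect it puts in the new port-80 block.
    for pat in 'listen 443 ssl' 'ssl_certificate ' 'ssl_certificate_key ' \
               'options-ssl-nginx.conf' 'return 301 https://'; do
        grep -q -- "$pat" "$f" || { echo "missing: $pat"; rc=1; }
    done
    # Each ssl_certificate/ssl_certificate_key path must be readable, or
    # "nginx -t" fails and the reload keeps the old configuration running.
    for p in $(sed -n 's/^[[:space:]]*ssl_certificate\(_key\)\{0,1\}[[:space:]]\{1,\}\([^;]*\);.*/\2/p' "$f"); do
        [ -r "$root$p" ] || { echo "unreadable: $root$p"; rc=1; }
    done
    return $rc
}

# Constructed sample: the guide's port-80 block as Certbot rewrites it.
write_sample_conf() {
    cat > "$1" <<'EOF'
server {
    server_name zerohour.com;
    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/zerohour.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/zerohour.com/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
}
server {
    if ($host = zerohour.com) { return 301 https://$host$request_uri; } # managed by Certbot
    listen 80 ;
    return 404; # managed by Certbot
}
EOF
}

# Demo against a fake certificate tree under a temp directory.
demo() {
    d=$(mktemp -d); live="$d/etc/letsencrypt/live/zerohour.com"
    write_sample_conf "$d/site.conf"
    lint_site_conf "$d/site.conf" "$d" || echo "-> fails until the cert files exist"
    mkdir -p "$live" && touch "$live/fullchain.pem" "$live/privkey.pem"
    lint_site_conf "$d/site.conf" "$d" && echo "-> ok"
    rm -rf "$d"
}
demo
```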
What now?
Ok, there’s ways to go from here.
Wire this server block to something
If you’ve got a WordPress site or something, now may be the time to point Nginx that way.
Work to make this server block more suited to your website delivery
Nginx config is neat, and there is a lot you can do. That goes from content delivery—would you like to pre-zip and take weight off Nginx? Or are you geared for rate-limiting and other server-hardening exercises?
Add more locations for static files or similar
Like I say, Nginx config is neat. Start wiring them in.
Perhaps you need more server blocks?
Most people only need one, but anyway. Write a config file for a new server block, symlink it in, repeat…
Or go to Part Two Hangups and Debian info.
Refs
Nano shortcuts, always useful here,
Certbot, ‘My HTTP website is running on…’ instructions,
Let’s Encrypt, ‘Getting Started’,
Nginx directives index. Thank goodness,
Nginx variables index. Thank you,