sajad torkamani

Add HTTPS to an Nginx website hosted on Digital Ocean

11 March 2022 (Updated 10 March 2024)
On this page
SSH into server as sudo user
Install snapd
Ensure your snapd version is up to date
Remove any Certbot OS packages
Install Certbot snap
Prepare Certbot command
Confirm plugin containment level
Install Certbot DNS Digital Ocean plugin
Setup Digital Ocean credentials
Install certificates
Sources

SSH into server as sudo user

You need to be logged in as a sudo user since some of the subsequent commands require sudo privileges.

Install snapd

Install snapd if you haven’t already. Ubuntu 18.04 and up should already have it installed.

Ensure your snapd version is up to date

sudo snap install core; sudo snap refresh core

Remove any Certbot OS packages

Let’s remove any existing Certbot command.

sudo apt-get remove certbot

Install Certbot snap

sudo snap install --classic certbot

Prepare Certbot command

sudo ln -s /snap/bin/certbot /usr/bin/certbot

Confirm plugin containment level

Give any Certbot plugins same containment / permission as the Certbot snap.

sudo snap set certbot trust-plugin-with-root=ok

Install Certbot DNS Digital Ocean plugin

sudo snap install certbot-dns-digitalocean

Setup Digital Ocean credentials

Generate an API token from the Applications & API page in your Digital Ocean control panel, give it both Read and Write permissions, and take note of it.

Next, create a file at ~/.secrets/certbot/digitalocean.ini and paste in your generated token:

# DigitalOcean API credentials used by Certbot
dns_digitalocean_token = <your_wonderful_token>

Restrict ownership of file:

chmod 600 ~/.secrets/certbot/digitalocean.ini

Install certificates

Run the following command to acquire and install certificates for example.com and *.example.com (replace with your own domain):

sudo certbot \
  -i nginx \
  --dns-digitalocean \
  --dns-digitalocean-credentials ~/.secrets/certbot/digitalocean.ini \
  -d example.com \
  -d *.example.com

Note: if you get an error, make sure you run the command from outside /etc/nginx/sites-available or /etc/nginx/sites-enabled (No idea why!) .

This command does a few things:

  • Installs the SSL certificates at /etc/letsencrypt/live
  • Configures your Nginx config to listen on the SSL port 443
  • Configures your Nginx config to redirect all HTTP requests to HTTPS

You can also choose to only generate the certificates and manually modify your Nginx configs by running sudo certbot certonly followed by the same arguments and flags as above.

The certbot tool is pretty clever so it will interactively prompt you for actions/confirmations when it detects any existing configuration that may be problematic.

Sources

Tagged: Nginx