sajad torkamani

How to add HTTPS to an Nginx website hosted on Digital Ocean

November 3, 2020 (Updated April 20, 2021)

The instructions here are based largely on the official Certbot instructions but adapted for Digital Ocean usage.

Adding HTTPS & SSL support to a website is just one of those boring things that I find myself doing every now and then. To save me time in the future, here's a quick guide that should help me do this brainlessly going forward.

SSH into server as sudo user

We need to be logged in as a sudo user since some of the subsequent commands require sudo privileges.

Install snapd

Refer to the docs for instructions.

Ensure your snapd version is up to date

sudo snap install core; sudo snap refresh core

Remove any Certbot OS packages

Let's remove any existing Certbot command.

sudo apt-get remove certbot

Install Certbot snap

sudo snap install --classic certbot

Prepare Certbot command

sudo ln -s /snap/bin/certbot /usr/bin/certbot

Confirm plugin containment level

Give any Certbot plugins same containment / permission as the Certbot snap.

sudo snap set certbot trust-plugin-with-root=ok

Install Certbot DNS Digital Ocean plugin

sudo snap install certbot-dns-digitalocean

Setup Digital Ocean credentials

Generate an API token from the Applications & API page in your Digital Ocean control panel and take note of it.

Next, create a file at ~/.secrets/certbot/digitalocean.ini and paste in your generated token:

# DigitalOcean API credentials used by Certbot
dns_digitalocean_token = <your_wonderful_token>

Install certificates

Run the following command to acquire and install certificates for example.com and *.example.com (replace with your own domain):

sudo certbot \
  -i nginx \
  --dns-digitalocean \
  --dns-digitalocean-credentials ~/.secrets/certbot/digitalocean.ini \
  -d example.com \
  -d *.example.com

Note: if you get an error, make sure you run the command from outside /etc/nginx/sites-available or /etc/nginx/sites-enabled (No idea why!) .

This command does a few things:

  • Installs the SSL certificates at /etc/letsencrypt/live
  • Modifies your Nginx server blocks to listen on the SSL port 443
  • Redirects all HTTP requests to HTTPS

You can also choose to only generate the certificates and manually modify your Nginx configs by running sudo certbot certonly followed by the same arguments and flags as above.

The certbot tool is pretty clever so it will interactively prompt you for actions/confirmations when it detects any existing configuration that may be problematic.

That's it! That should work.

Tagged: Nginx