How to add HTTPS to an Nginx website hosted on Digital Ocean
The instructions here are based largely on the official Certbot instructions but adapted for Digital Ocean usage.
Adding HTTPS & SSL support to a website is just one of those boring things that I find myself doing every now and then. To save me time in the future, here's a quick guide that should help me do this brainlessly going forward.
SSH into server as sudo user
We need to be logged in as a sudo user since some of the subsequent commands require sudo privileges.
Install snapd
Refer to the docs for instructions.
Ensure your snapd version is up to date
sudo snap install core; sudo snap refresh core
Remove any Certbot OS packages
Let's remove any existing Certbot command.
sudo apt-get remove certbot
Install Certbot snap
sudo snap install --classic certbot
Prepare Certbot command
sudo ln -s /snap/bin/certbot /usr/bin/certbot
Confirm plugin containment level
Give any Certbot plugins same containment / permission as the Certbot snap.
sudo snap set certbot trust-plugin-with-root=ok
Install Certbot DNS Digital Ocean plugin
sudo snap install certbot-dns-digitalocean
Setup Digital Ocean credentials
Generate an API token from the Applications & API page in your Digital Ocean control panel and take note of it.
Next, create a file at ~/.secrets/certbot/digitalocean.ini
and paste in your generated token:
# DigitalOcean API credentials used by Certbot
dns_digitalocean_token = <your_wonderful_token>
Install certificates
Run the following command to acquire and install certificates for example.com
and *.example.com
(replace with your own domain):
sudo certbot \
-i nginx \
--dns-digitalocean \
--dns-digitalocean-credentials ~/.secrets/certbot/digitalocean.ini \
-d example.com \
-d *.example.com
Note: if you get an error, make sure you run the command from outside /etc/nginx/sites-available
or /etc/nginx/sites-enabled
(No idea why!) .
This command does a few things:
- Installs the SSL certificates at
/etc/letsencrypt/live
- Modifies your Nginx
server
blocks to listen on the SSL port 443 - Redirects all HTTP requests to HTTPS
You can also choose to only generate the certificates and manually modify your Nginx configs by running sudo certbot certonly
followed by the same arguments and flags as above.
The certbot tool is pretty clever so it will interactively prompt you for actions/confirmations when it detects any existing configuration that may be problematic.
That's it! That should work.