The instructions here are based largely on the official Certbot instructions but adapted for Digital Ocean usage.
Adding HTTPS & SSL support to a website is just one of those boring things that I find myself doing every now and then. To save me time in the future, here's a quick guide that should help me do this brainlessly going forward.
SSH into server as sudo user
We need to be logged in as a sudo user since some of the subsequent commands require sudo privileges.
Refer to the docs for instructions.
Ensure your snapd version is up to date
sudo snap install core; sudo snap refresh core
Remove any Certbot OS packages
Let's remove any existing Certbot command.
sudo apt-get remove certbot
Install Certbot snap
sudo snap install --classic certbot
Prepare Certbot command
sudo ln -s /snap/bin/certbot /usr/bin/certbot
Confirm plugin containment level
Give any Certbot plugins same containment / permission as the Certbot snap.
sudo snap set certbot trust-plugin-with-root=ok
Install Certbot DNS Digital Ocean plugin
sudo snap install certbot-dns-digitalocean
Setup Digital Ocean credentials
Generate an API token from the Applications & API page in your Digital Ocean control panel and take note of it.
Next, create a file at
~/.secrets/certbot/digitalocean.ini and paste in your generated token:
# DigitalOcean API credentials used by Certbot dns_digitalocean_token = <your_wonderful_token>
Run the following command to acquire and install certificates for
*.example.com (replace with your own domain):
sudo certbot \ -i nginx \ --dns-digitalocean \ --dns-digitalocean-credentials ~/.secrets/certbot/digitalocean.ini \ -d example.com \ -d *.example.com
Note: if you get an error, make sure you run the command from outside
/etc/nginx/sites-enabled (No idea why!) .
This command does a few things:
- Installs the SSL certificates at
- Modifies your Nginx
serverblocks to listen on the SSL port 443
- Redirects all HTTP requests to HTTPS
You can also choose to only generate the certificates and manually modify your Nginx configs by running
sudo certbot certonly followed by the same arguments and flags as above.
The certbot tool is pretty clever so it will interactively prompt you for actions/confirmations when it detects any existing configuration that may be problematic.
That's it! That should work.