Create wildcard SSL with Certbot on Ubuntu Linux for Node.js

Installation

Arnav Zek
2 min readDec 6, 2020
sudo apt-get install nginx
sudo apt-get update
sudo apt-get install python3-certbot-nginx
you can also do the installation using snap as recommended by certbot https://certbot.eff.org/lets-encrypt/ubuntufocal-nginx

Setup Ngnix

Certbot can automatically configure SSL for Nginx, but it needs to be able to find the correct server block in your config. It does this by looking for a server_name directive that matches the domain you’re requesting a certificate for.

//Allow through Firewall, ufw stands for uncomplicated firewall
sudo ufw allow 'Nginx Full'
sudo certbot --server https://acme-v02.api.letsencrypt.org/directory -d *.example.com --manual --preferred-challenges dns-01 certonlyDeploy a DNS TXT record provided by Let’s Encrypt certbot after running the above command. once u deploy the TXT record wait for 3 mins atlest before startting verification because deployment of DNS record takes time//check certificate exists
sudo certbot certificates

Open configuration of Nginx

sudo nano /etc/nginx/sites-available/default

Add the following directive

server {
listen 80;
listen [::]:80;
server_name *.example.com;
return 301 https://$host$request_uri;
}

// The above block redirects all http requests to https
server {
listen 443 ssl;
server_name *.example.com;
ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
include /etc/letsencrypt/options-ssl-nginx.conf;
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;

location / {
proxy_pass http://localhost:8080;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection 'upgrade';
proxy_set_header Host $host;
proxy_cache_bypass $http_upgrade;
}
}
//the certificate won't work for example.com, so the following server context redirect all requests to example.com to www.example.comserver {
server_name .example.com;
return 301 http://www.example.com$request_uri;
}
//we could have also done the above job with if statement but it shows inconsistent behaviour (but only in the location context)

301 means permanently moved

sever block is chosen by matching host header with server name

listen:80 means the server is listening at port 80 for incoming requests

Then reload Nginx with the following command

sudo systemctl reload nginx

But this won’t auto-renew, u will have to repeat the process (except the Nginx configuration part) every 3 months

How to remove certificates?

When deleting SSL certificates, it’s not about deleting merely one file manually. You would need to go through at least the following directories and delete the files associated with the domain name.

  • /etc/letsencrypt/archive
  • /etc/letsencrypt/live
  • /etc/letsencrypt/renewal

Method 1


#This command will offer an index from which you can select the domain name to delete
sudo certbot delete

Method 2

# Show the list of certificates 
certbot certificates
# Remove certificates for a given domain
sudo certbot delete --cert-name $mydomain

You will also have to remove SSL directive from

etc/nginx/sites-available/default

--

--