Create wildcard SSL with Certbot on Ubuntu Linux for Node.js
sudo apt-get install nginx
sudo apt-get update
sudo apt-get install python3-certbot-nginx
You can also do the installation using snap, as recommended by Certbot: https://certbot.eff.org/lets-encrypt/ubuntufocal-nginx
Set up Nginx
Certbot can automatically configure SSL for Nginx, but it needs to be able to find the correct server block in your config. It does this by looking for a server_name directive that matches the domain you're requesting a certificate for.
# Allow Nginx through the firewall (ufw stands for Uncomplicated Firewall)
sudo ufw allow 'Nginx Full'
# Request the wildcard certificate with a manual DNS-01 challenge (quote the name so the shell does not glob-expand the asterisk)
sudo certbot --server https://acme-v02.api.letsencrypt.org/directory -d '*.example.com' --manual --preferred-challenges dns-01 certonly
Deploy the DNS TXT record that Certbot prints after running the above command. Once you have deployed the TXT record, wait at least 3 minutes before continuing with the verification, because deployment of a DNS record takes time.
# Check that the certificate exists
sudo certbot certificates
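Rather than waiting a fixed time, you can confirm that the _acme-challenge TXT record is actually visible from a public resolver before telling Certbot to continue. The following script is an added example and is not part of the original post or of Certbot; it assumes dig (Ubuntu package dnsutils) is installed, and the domain name, token value and resolver address are placeholders to replace with what Certbot prints.

```shell
#!/bin/sh
# Added example (not from the original post or from Certbot): poll public DNS
# for the _acme-challenge TXT record before confirming the manual challenge.
# Assumes `dig` (Ubuntu package dnsutils) is installed. Domain names, token
# values and the resolver address below are placeholders.

# txt_record_present EXPECTED DIG_OUTPUT
# DIG_OUTPUT is the text printed by `dig +short TXT <name>`: one double-quoted
# value per line. Returns 0 if any line equals EXPECTED once the quotes are
# stripped, 1 otherwise.
txt_record_present() {
  expected=$1
  found=1
  while IFS= read -r line; do
    value=${line#\"}
    value=${value%\"}
    if [ "$value" = "$expected" ]; then
      found=0
    fi
  done <<EOF
$2
EOF
  return $found
}

# wait_for_txt NAME EXPECTED [RESOLVER] [ATTEMPTS]
# Queries RESOLVER (default: Cloudflare's public 1.1.1.1) every 20 seconds until
# the record is visible or ATTEMPTS (default 15, about 5 minutes) is exhausted.
wait_for_txt() {
  name=$1
  expected=$2
  resolver=${3:-1.1.1.1}
  attempts=${4:-15}
  i=0
  while [ "$i" -lt "$attempts" ]; do
    output=$(dig "@$resolver" +short TXT "$name")
    if txt_record_present "$expected" "$output"; then
      echo "TXT record for $name is visible on $resolver; continue in Certbot"
      return 0
    fi
    i=$((i + 1))
    echo "attempt $i/$attempts: record not visible yet, waiting 20s"
    sleep 20
  done
  echo "gave up after $attempts attempts; check the record in your DNS console" >&2
  return 1
}

# Constructed sample of `dig +short` output: an unrelated TXT record plus the
# placeholder challenge token, as a zone holding both records would return it.
SAMPLE_DIG_OUTPUT='"v=spf1 -all"
"PLACEHOLDER_acme_challenge_token_value"'

# Run as `sh check_txt.sh _acme-challenge.example.com <token from certbot>`
# to poll live DNS, or with `--demo` to exercise the parser on the sample.
if [ "${1:-}" = "--demo" ]; then
  txt_record_present "PLACEHOLDER_acme_challenge_token_value" "$SAMPLE_DIG_OUTPUT" \
    && echo "parser found the token in the sample output"
elif [ -n "${1:-}" ] && [ -n "${2:-}" ]; then
  wait_for_txt "$1" "$2"
fi
```

Run it in a second terminal while the Certbot prompt is waiting; only press Enter in Certbot once the script reports the record as visible. Querying a resolver other than your own avoids being fooled by a stale local cache.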
Open the Nginx configuration
sudo nano /etc/nginx/sites-available/default
Add the following server blocks
# This block redirects all HTTP requests to HTTPS
server {
    listen 80;
    listen [::]:80;
    server_name *.example.com;
    return 301 https://$host$request_uri;
}
server {
    listen 443 ssl;
    server_name *.example.com;
    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
    include /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
    location / {
        proxy_pass http://localhost:8080;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_set_header Host $host;
        proxy_cache_bypass $http_upgrade;
    }
}
# The wildcard certificate won't work for the bare domain example.com, so the following server context redirects all requests for example.com to www.example.com
server {
    server_name .example.com;
    return 301 http://www.example.com$request_uri;
}
# We could also have done this with an if statement, but if shows inconsistent behaviour (though only in the location context)
301 means permanently moved.
A server block is chosen by matching the request's Host header against server_name.
listen 80 means the server is listening on port 80 for incoming requests.
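Nginx picks the server block by server_name, but the browser decides whether the certificate is valid for the host it connected to, which is why the notes above say the wildcard certificate does not cover example.com itself. The script below makes that concrete by applying the one-label wildcard rule browsers use to a certificate's SAN names. It is an added example, not code from the original post, Certbot or Nginx; it assumes openssl is available when reading a live certificate file, and all hostnames are placeholders.

```shell
#!/bin/sh
# Added example (not from the original post, Certbot or Nginx): check which
# hostnames a certificate's subjectAltName entries cover, using the one-label
# wildcard rule that browsers apply (RFC 6125 section 6.4.3). The certificate
# path is the one used in the post; all hostnames below are placeholders.

# hostname_matches_pattern HOST PATTERN
# "*.example.com" covers "www.example.com" but not "example.com" (no label to
# fill the wildcard) and not "a.b.example.com" (the wildcard spans one label).
# A pattern without a wildcard must match exactly. Comparison is case-insensitive.
hostname_matches_pattern() {
  target=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
  pattern=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
  case $pattern in
    \*.*)
      suffix=${pattern#\*}                    # "*.example.com" -> ".example.com"
      label=${target%"$suffix"}               # "www.example.com" -> "www"; unchanged if no match
      [ "$label" != "$target" ] || return 1   # host does not end in the suffix
      [ -n "$label" ] || return 1             # host is just the suffix itself
      case $label in *.*) return 1 ;; esac    # more than one label left over
      return 0
      ;;
    *)
      [ "$target" = "$pattern" ]
      ;;
  esac
}

# cert_covers HOST NAME...
# Returns 0 if any of the SAN DNS names covers HOST.
cert_covers() {
  host=$1
  shift
  for name in "$@"; do
    if hostname_matches_pattern "$host" "$name"; then
      return 0
    fi
  done
  return 1
}

# parse_san_names
# Reads the text of `openssl x509 -noout -ext subjectAltName` on stdin and
# prints one DNS name per line (IP and email entries are ignored).
parse_san_names() {
  tr ',' '\n' | sed -n 's/^[[:space:]]*DNS:\(.*\)$/\1/p'
}

# cert_san_names PEMFILE
# Prints the DNS names in the certificate at PEMFILE (requires openssl 1.1.1+).
cert_san_names() {
  openssl x509 -in "$1" -noout -ext subjectAltName | parse_san_names
}

# Usage: sh cert_covers.sh HOST [PEMFILE]
# e.g. sh cert_covers.sh example.com /etc/letsencrypt/live/example.com/fullchain.pem
# With no PEMFILE, the constructed SAN list of the certificate this post
# requests (only *.example.com) is used instead of reading a file.
if [ -n "${1:-}" ]; then
  if [ -n "${2:-}" ]; then
    names=$(cert_san_names "$2")
  else
    names='*.example.com'
  fi
  if cert_covers "$1" $names; then
    echo "$1: covered by [$names]"
  else
    echo "$1: NOT covered by [$names]"
  fi
fi
```

Running it with example.com and no file reports NOT covered, while www.example.com or api.example.com report covered, which is exactly the gap the redirect block above works around. If you later add the bare domain with a second -d example.com, the same script confirms that the new fullchain.pem now covers both names.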
Then reload Nginx with the following command
sudo systemctl reload nginx
But this won't auto-renew; you will have to repeat the process (except the Nginx configuration part) every 3 months.
How to remove certificates?
Deleting SSL certificates is not a matter of manually removing a single file. You need to go through at least the following directories and delete the files associated with the domain name.
- /etc/letsencrypt/archive
- /etc/letsencrypt/live
- /etc/letsencrypt/renewal
Method 1
# This command will offer an index from which you can select the domain name to delete
sudo certbot delete
Method 2
# Show the list of certificates
sudo certbot certificates
# Remove certificates for a given domain
sudo certbot delete --cert-name $mydomain
You will also have to remove the SSL directives from
/etc/nginx/sites-available/default