Installing SSL on your self-hosted site

Aug 24, 2023

This post is a continuation of the previous one about hosting a site from a home server behind CGNAT.

If you followed the previous guide, you have a site running on your home server and reachable from the public internet through a reverse proxy on a VPS. At this point, however, the site is only served over HTTP because no SSL certificate is installed yet. In this post, we’ll go through how to install an SSL certificate with automatic renewal.

Install Certbot on your VPS and request SSL

First, log in to your VPS and run these commands to install Certbot:

sudo apt update
sudo apt install certbot python3-certbot-nginx

Then, you can request an SSL certificate for your domain using the following command:

sudo certbot --nginx -d example.com

For my use case, I replaced example.com with my test subdomain:

sudo certbot --nginx -d test.njeng.at

If this is your first time running the command, you will be prompted to enter your email and agree to the service terms. After doing so, Certbot will fetch the certificate for you, and you should see a result like this:

njengat@njengat-VPS:~$ sudo certbot --nginx -d test.njeng.at
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Requesting a certificate for test.njeng.at

Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/test.njeng.at/fullchain.pem
Key is saved at:         /etc/letsencrypt/live/test.njeng.at/privkey.pem
This certificate expires on 2023-11-22.
These files will be updated when the certificate renews.
Certbot has set up a scheduled task to automatically renew this certificate in the background.

Deploying certificate
Successfully deployed certificate for test.njeng.at to /etc/nginx/sites-enabled/test.njeng.at
Congratulations! You have successfully enabled HTTPS on https://test.njeng.at

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
If you like Certbot, please consider supporting our work by:
 * Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
 * Donating to EFF:                    https://eff.org/donate-le
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Check your site, and SSL should be installed!

[Screenshot: SSL installed]

Setting up the SSL auto renewal

The SSL certificate that we installed will expire in 90 days:

[Screenshot: SSL info]

To check that the Certbot auto-renewal timer is running, use the following command:

sudo systemctl status certbot.timer

You will see a result like this:

njengat@njengat-VPS:~$ sudo systemctl status certbot.timer
● certbot.timer - Run certbot twice daily
     Loaded: loaded (/lib/systemd/system/certbot.timer; enabled; vendor preset: enabled)
     Active: active (waiting) since Wed 2023-08-23 13:24:30 UTC; 15h ago
    Trigger: Thu 2023-08-24 06:58:03 UTC; 1h 42min left
   Triggers: ● certbot.service

Aug 23 04:24:08 njengat-VPS.local systemd[1]: Started Run certbot twice daily.

Lastly, check if the renewal process will run without error with this command:

sudo certbot renew --dry-run

You’re good to go if you don’t see any errors!
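As a backstop in case the timer silently stops renewing, you can also check the certificate's remaining lifetime independently of Certbot. The script below is an added example, not part of the original post or of Certbot; the file name check_cert.sh, the helper names and the 20-day threshold are assumptions (Certbot's default is to renew once fewer than 30 days remain, so 20 or fewer days left means renewals have been failing).

```shell
#!/usr/bin/env bash
# Added example (not from the original post): expiry backstop for a
# Certbot-managed certificate.

# check_cert PEM [MIN_DAYS]
#   returns 0 if the certificate stays valid for more than MIN_DAYS days,
#           1 if it expires within MIN_DAYS days or has already expired,
#           2 if the file is missing or is not a parsable certificate.
# MIN_DAYS defaults to 20, an assumed threshold below Certbot's 30-day
# renewal window.
check_cert() {
    local pem="$1" min_days="${2:-20}"

    # Fail closed: an unreadable file must never be reported as OK.
    if ! openssl x509 -noout -in "$pem" >/dev/null 2>&1; then
        echo "UNKNOWN: cannot parse certificate $pem" >&2
        return 2
    fi

    # -checkend N exits 0 only if the certificate is still valid N seconds from now.
    if openssl x509 -checkend "$(( min_days * 86400 ))" -noout -in "$pem" >/dev/null; then
        echo "OK: $pem is valid for more than $min_days days"
        return 0
    fi

    echo "WARNING: $pem expires within $min_days days or has expired" \
         "($(openssl x509 -enddate -noout -in "$pem"));" \
         "check certbot.timer and /var/log/letsencrypt/letsencrypt.log"
    return 1
}

# Constructed sample input: writes a throwaway self-signed certificate to $1
# that is valid for $2 days, so the check can be tried without a real one.
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=example.com" \
        -days "$2" -keyout "$1.key" -out "$1" 2>/dev/null
}

# Run as: sudo ./check_cert.sh /etc/letsencrypt/live/test.njeng.at/fullchain.pem 20
# (sudo because /etc/letsencrypt/live is readable by root only)
if [ "$#" -gt 0 ]; then
    check_cert "$@"
fi
```

The non-zero exit status on a warning or an unreadable file lets you call the script from cron or a monitoring agent and alert on failure.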