This post is a continuation of the previous one about hosting a site from a home server behind CGNAT.
If you followed the previous guide, you have a site running from your home server that is reachable from the public internet through a reverse proxy on a VPS. At this point, however, only HTTP is available because no SSL certificate is installed yet. In this post, we’ll go through how to install one with automatic certificate renewal.
First, log in to your VPS and run these commands to install Certbot:
sudo apt update
sudo apt install certbot python3-certbot-nginx
Then, you can request an SSL certificate for your domain using the following command:
sudo certbot --nginx -d example.com
For my use case, I replaced example.com with my test subdomain:
sudo certbot --nginx -d test.njeng.at
If this is your first time running the command, you will be prompted to enter your email and agree to the terms of service. After doing so, Certbot will fetch the certificate for you, and you should see a result like this:
njengat@njengat-VPS:~$ sudo certbot --nginx -d test.njeng.at
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Requesting a certificate for test.njeng.at
Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/test.njeng.at/fullchain.pem
Key is saved at: /etc/letsencrypt/live/test.njeng.at/privkey.pem
This certificate expires on 2023-11-22.
These files will be updated when the certificate renews.
Certbot has set up a scheduled task to automatically renew this certificate in the background.
Deploying certificate
Successfully deployed certificate for test.njeng.at to /etc/nginx/sites-enabled/test.njeng.at
Congratulations! You have successfully enabled HTTPS on https://test.njeng.at
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
If you like Certbot, please consider supporting our work by:
* Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
* Donating to EFF: https://eff.org/donate-le
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Check your site; it should now be served over HTTPS!
The SSL certificate that we installed will expire in 90 days.
To check if the Certbot auto-renewal timer is running, use the following command:
sudo systemctl status certbot.timer
You will see a result like this:
njengat@njengat-VPS:~$ sudo systemctl status certbot.timer
● certbot.timer - Run certbot twice daily
Loaded: loaded (/lib/systemd/system/certbot.timer; enabled; vendor preset: enabled)
Active: active (waiting) since Wed 2023-08-23 13:24:30 UTC; 15h ago
Trigger: Thu 2023-08-24 06:58:03 UTC; 1h 42min left
Triggers: ● certbot.service
Aug 23 04:24:08 njengat-VPS.local systemd[1]: Started Run certbot twice daily.
Lastly, check if the renewal process will run without error with this command:
sudo certbot renew --dry-run
You’re good to go if you don’t see any errors!
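A dry run only proves that renewal works today. The script below is an added example, not part of the original post: it reads a certificate's expiry date and flags it when fewer days remain than Certbot's renewal window should ever allow. It assumes GNU date and that Certbot renews once a certificate is within 30 days of expiry, and the 21-day warning threshold and the script name are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example: detect a silently failing Certbot renewal by checking
# how many days are left on the deployed certificate.

# Convert an OpenSSL "notAfter=..." line into whole days remaining.
# $1: line as printed by `openssl x509 -enddate -noout`
# $2: optional "now" in epoch seconds (defaults to the current time)
days_left() {
    not_after="${1#notAfter=}"
    now="${2:-$(date -u +%s)}"
    expiry=$(date -u -d "$not_after" +%s) || return 2   # GNU date assumed
    echo $(( (expiry - now) / 86400 ))
}

# Classify the remaining lifetime.
# $1: days remaining, $2: warning threshold in days (assumed default: 21)
# Anything below the threshold means scheduled renewals have been
# failing for a while, since renewal should already have happened.
classify() {
    days="$1"
    warn="${2:-21}"
    if [ "$days" -lt 0 ]; then
        echo EXPIRED
    elif [ "$days" -lt "$warn" ]; then
        echo RENEWAL_OVERDUE
    else
        echo OK
    fi
}

# Usage on the VPS (hypothetical script name):
#   sudo ./check_cert.sh /etc/letsencrypt/live/test.njeng.at/fullchain.pem
# Exits non-zero when the certificate is overdue or expired, so it can
# be wired into cron or a monitoring agent.
if [ "$#" -gt 0 ]; then
    line=$(openssl x509 -enddate -noout -in "$1") || exit 2
    d=$(days_left "$line") || exit 2
    s=$(classify "$d")
    echo "$1: $d days left, $s"
    [ "$s" = OK ] || exit 1
fi
```

Run it from a daily cron job or monitoring check so that a broken timer, a changed nginx config, or a DNS change that stops validation is noticed weeks before visitors see a certificate error.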