
Part 2: How to install a Wildcard SSL certificate on an Nginx Load Balancer on Ubuntu 18.04 LTS?

In the previous tutorial we installed and secured our Nginx load balancer. In this part we are going to use a Let's Encrypt wildcard SSL certificate for our domain. Let's Encrypt is a free, automated, and open Certificate Authority, so you do not need to pay for the SSL certificate.


Once you are logged in to your server, you need to install certbot before going further. Certbot is not available in the default Ubuntu repository, so run the commands below to add the PPA repository and install it:
# sudo add-apt-repository ppa:certbot/certbot
# apt update -y
# apt list --upgradable
# apt upgrade -y
# sudo apt install certbot
# apt-cache policy certbot | grep -i Installed 
Generate a 2048-bit wildcard SSL certificate for rubelhossain.com (the DNS-01 challenge is the only challenge type that can validate a wildcard name):
# certbot certonly --manual --preferred-challenges=dns --email rubeldonarman@gmail.com --server https://acme-v02.api.letsencrypt.org/directory --agree-tos -d *.rubelhossain.com -d rubelhossain.com 
Now answer Y, then create the TXT record certbot shows you and verify it at the DNS level before pressing Enter:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for rubelhossain.com

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
NOTE: The IP of this machine will be publicly logged as having requested this
certificate. If you're running certbot in manual mode on a machine that is not
your server, please ensure you're okay with that.

Are you OK with your IP being logged?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name
_acme-challenge.rubelhossain.com with the following value:

lmGvPRdR2f6dSZRgmZ3LdKFEL2eEo6aK_HXRVe41SLk

Before continuing, verify the record is deployed.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/rubelhossain.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/rubelhossain.com/privkey.pem
   Your cert will expire on 2021-08-26. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

Verify the DNS TXT record has been deployed before pressing Enter.

Now point Nginx at the complete certificate chain certbot produced (fullchain.pem already contains your certificate plus the intermediate CA). Create a new Nginx SSL server block, disable the following lines in the existing HTTP block and add the HTTPS redirection:
# cp -a /etc/nginx/conf.d/rubelhossain.com.conf /etc/nginx/conf.d/rubelhossain.com.ssl.conf

# vi /etc/nginx/conf.d/rubelhossain.com.conf
#upstream rubel {
#        server 10.0.0.6;
#        server 10.0.0.7;
#        server 10.0.0.12;
#        server 10.0.0.13;
#}

server {
    listen      80;
    listen      [::]:80;
    server_name rubelhossain.com www.rubelhossain.com;
    #access_log /var/log/nginx/rubelhossain.com.bytes bytes;
    #access_log /var/log/nginx/rubelhossain.com.log combined;
    #error_log /var/log/nginx/rubelhossain.com.error.log error;

    location / {
        # Plain HTTP only redirects to HTTPS. $server_name expands to the first
        # name in server_name, so requests for www.* are sent to the apex domain.
        return 301 https://$server_name$request_uri;
        #proxy_redirect      off;
        #proxy_set_header    X-Real-IP $remote_addr;
        #proxy_set_header    X-Forwarded-For $proxy_add_x_forwarded_for;
        #proxy_set_header    Host $http_host;
        #proxy_pass http://rubel;
    }
}
Edit the Nginx SSL block as follows:
# vi /etc/nginx/conf.d/rubelhossain.com.ssl.conf

upstream rubel {
    server 10.0.0.6;
    server 10.0.0.7;
    server 10.0.0.12;
    server 10.0.0.13;
}

server {
    listen      443 ssl http2;
    # "ssl" is per listen directive: without it on the IPv6 socket nginx
    # would accept plain HTTP on port 443 over IPv6.
    listen      [::]:443 ssl http2;

    include     /etc/nginx/ssl/lets-encrypt/rubel/rubelhossain.conf;

    server_name rubelhossain.com www.rubelhossain.com;
    #access_log /var/log/nginx/rubelhossain.com.bytes bytes;
    access_log /var/log/nginx/rubelhossain.com.log combined;
    error_log /var/log/nginx/rubelhossain.com.error.log error;

    location / {
        proxy_redirect      off;
        proxy_set_header    X-Real-IP $remote_addr;
        proxy_set_header    X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header    Host $http_host;
        proxy_pass http://rubel;
    }
}
Include your SSL certificate paths, save the file, check the Nginx syntax and don't forget to restart Nginx:
# vi /etc/nginx/ssl/lets-encrypt/rubel/rubelhossain.conf
ssl_certificate         /etc/letsencrypt/live/rubelhossain.com/fullchain.pem;
ssl_certificate_key     /etc/letsencrypt/live/rubelhossain.com/privkey.pem;
Visit SSLShopper and check your certificate chain: https://www.sslshopper.com/ssl-checker.html#hostname=www.rubelhossain.com.


We have generated a 2048-bit key, which is faster than a 4096-bit one. To generate a 4096-bit wildcard SSL certificate for rubelhossain.com instead, add --rsa-key-size 4096:
# certbot certonly --manual --preferred-challenges=dns --email rubeldonarman@gmail.com --rsa-key-size 4096 --server https://acme-v02.api.letsencrypt.org/directory --agree-tos -d *.rubelhossain.com -d rubelhossain.com
Auto Renewal Let's Encrypt SSL Certificate Script
SSL log: /var/log/letsencrypt/letsencrypt.log
Renewal configuration file: /etc/letsencrypt/renewal/rubelhossain.com.conf
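The following is an added example, not a script from the original post: a small renewal helper that reads the expiry of the certificate Nginx serves and only calls certbot when the certificate is within the renewal window, reloading Nginx through certbot's --deploy-hook after a successful config test. It assumes the certbot paths shown above and that certbot, openssl, nginx and GNU date are installed; note that a certificate obtained with --manual, as in this tutorial, can only be renewed non-interactively if --manual-auth-hook was supplied, otherwise rerun the certonly command by hand.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes the certbot paths used
# in the tutorial; override CERT / RENEW_BEFORE_DAYS in the environment.
set -eu

CERT="${CERT:-/etc/letsencrypt/live/rubelhossain.com/fullchain.pem}"
RENEW_BEFORE_DAYS="${RENEW_BEFORE_DAYS:-30}"

# days_until NOTAFTER NOW_EPOCH: whole days from NOW_EPOCH until an OpenSSL
# notAfter timestamp such as "Aug 26 12:00:00 2021 GMT" (negative if expired).
days_until() {
    end=$(date -u -d "$1" +%s)
    echo $(( (end - $2) / 86400 ))
}

# cert_days_left FILE: days left on the first certificate in FILE, which in
# fullchain.pem is the leaf certificate, not the intermediate.
cert_days_left() {
    not_after=$(openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//')
    days_until "$not_after" "$(date +%s)"
}

# needs_renewal DAYS THRESHOLD: true when DAYS is at or below THRESHOLD.
needs_renewal() {
    [ "$1" -le "$2" ]
}

# Let certbot renew whatever is due; the deploy hook runs only when a
# certificate was actually replaced, and reloads Nginx only if the config
# test passes, so a broken config never takes the load balancer down.
renew_and_reload() {
    certbot renew --quiet --deploy-hook 'nginx -t && systemctl reload nginx'
}

case "${1:-}" in
    check)
        days=$(cert_days_left "$CERT")
        echo "$CERT expires in $days day(s)"
        ;;
    renew)
        days=$(cert_days_left "$CERT")
        if needs_renewal "$days" "$RENEW_BEFORE_DAYS"; then
            renew_and_reload
        else
            echo "Certificate still valid for $days day(s); nothing to do"
        fi
        ;;
esac
```

Run it as `sh renew-check.sh check` to see the remaining lifetime, or from a daily cron job as `sh renew-check.sh renew`.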

Optional: alternatively, you can combine the HTTP and HTTPS server blocks in one file:
upstream rubel {
    server 10.0.0.5;
    server 10.0.0.6;
    server 10.0.0.7;
    server 10.0.0.12;
    server 10.0.0.13;
}

server {
    listen      80;
    #listen      [::]:80;
    server_name rubelhossain.com www.rubelhossain.com;
    ##access_log /var/log/nginx/rubelhossain.com.bytes bytes;
    access_log /var/log/nginx/rubelhossain.com.log combined;
    error_log /var/log/nginx/rubelhossain.com.error.log error;

    location / {
        # Plain HTTP is proxied here as well; uncomment the return to force HTTPS.
        #return 301 https://$server_name$request_uri;
        proxy_redirect      off;
        proxy_set_header    X-Real-IP $remote_addr;

        # these two lines allow keep-alive connections to the backends
        # (together with a keepalive directive in the upstream block)
        proxy_http_version 1.1;
        proxy_set_header Connection "";

        proxy_set_header    X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header    Host $http_host;
        proxy_pass http://rubel;
    }
}

server {
    listen      443 ssl http2;
    #listen      [::]:443 ssl http2;
    server_name rubelhossain.com www.rubelhossain.com;
    ##access_log /var/log/nginx/rubelhossain.com.bytes bytes;
    access_log /var/log/nginx/rubelhossain.com.log combined;
    error_log /var/log/nginx/rubelhossain.com.error.log error;

    include     /etc/nginx/ssl/lets-encrypt/rubel/rubelhossain.conf;

    location / {
        #return 301 https://$server_name$request_uri;
        proxy_redirect      off;
        proxy_set_header    X-Real-IP $remote_addr;

        # these two lines allow keep-alive connections to the backends
        # (together with a keepalive directive in the upstream block)
        proxy_http_version 1.1;
        proxy_set_header Connection "";

        proxy_set_header    X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header    Host $http_host;
        proxy_pass http://rubel;
    }
}
