Certbot

Today it is important to serve a website over HTTPS: it is a mark of trust, and it is now easy to get thanks to Let's Encrypt, which issues TLS certificates for free. Other projects such as SSL For Free exist as well. With shell access you can use Certbot on your server to create and renew certificates. Just follow the steps on the Certbot site, pick your web server software and your operating system, and you get the commands to install this tool.

You select the websites to secure and can choose whether HTTP should redirect automatically to HTTPS (a good idea). If you add a website later, just run the command again. Certificates have a limited lifetime (Let's Encrypt issues them for 90 days), so they must be renewed regularly; the same tool does it with its renew command. Certbot updates the NGINX configuration of every selected website to add the HTTPS server block, so be careful if you edit those files afterwards. If you break the HTTPS configuration, remove everything Certbot added and run the certbot command again.

You can install it with snap or use Python (personally I dislike snap, so I install with Python).

Optional: install snap on Debian

sudo apt update
sudo apt install snapd
sudo snap install core

Install certbot

snap
sudo snap install --classic certbot
sudo ln -s /snap/bin/certbot /usr/bin/certbot
python
# the explicit dependency list is optional, apt resolves it by itself
sudo apt install python3-acme python3-certbot python3-mock python3-openssl python3-pkg-resources python3-pyparsing python3-zope.interface
# certbot provides the /usr/bin/certbot command, python3-certbot-nginx the NGINX plugin
sudo apt install certbot python3-certbot-nginx
# check that the firewall lets ports 80 and 443 through: HTTP-01 validation needs port 80
sudo ufw status

Execute certbot

sudo certbot --nginx

Automatic renewal

sudo crontab -e

Add this line. Note that both the snap and the Debian package already install a systemd timer (or cron job) that runs certbot renew twice a day, so check whether one is active before adding your own. Keeping this cron job is harmless anyway: renew only acts on certificates that expire within 30 days, and the NGINX plugin reloads NGINX after a successful renewal.

0 3 * * * /usr/bin/certbot renew --quiet
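As an added example that is not part of the original page, here is a small check script to run after setting up renewal: it does a renewal dry run and prints how many days each certificate Certbot manages has left, with a warning once the 30-day renewal window is reached. It assumes a Debian host with GNU coreutils (date -d), openssl, and Certbot's default live directory /etc/letsencrypt/live; the file name cert-check.sh is an assumption. The date arithmetic takes an optional fixed clock so it can be tested without a real certificate.

```shell
#!/bin/sh
# Added example, not from the original page: verify that automatic renewal
# works and report how long each certificate Certbot manages has left.
# Assumptions: Debian with GNU coreutils (date -d), openssl, and Certbot's
# default live directory /etc/letsencrypt/live.
# Usage: sudo sh cert-check.sh check
set -eu

LIVE_DIR="${LIVE_DIR:-/etc/letsencrypt/live}"
WARN_DAYS="${WARN_DAYS:-30}"   # certbot itself renews once fewer than 30 days remain

# days_until_expiry NOT_AFTER [NOW_EPOCH]
# NOT_AFTER is the line printed by `openssl x509 -enddate -noout`, for
# example "notAfter=Mar  5 12:00:00 2030 GMT"; the prefix is optional.
# Prints whole days left, negative once expired. NOW_EPOCH (seconds since
# the epoch) defaults to the current time and exists so the arithmetic can
# be checked against a fixed clock.
days_until_expiry() {
  local not_after now end
  not_after="${1#notAfter=}"
  now="${2:-$(date -u +%s)}"
  end="$(date -u -d "$not_after" +%s)"
  echo $(( (end - now) / 86400 ))
}

# expiry_status DAYS [WARN_DAYS]  ->  ok | warning | expired
expiry_status() {
  local days warn
  days="$1"; warn="${2:-$WARN_DAYS}"
  if [ "$days" -lt 0 ]; then echo expired
  elif [ "$days" -lt "$warn" ]; then echo warning
  else echo ok
  fi
}

# Report every certificate under the live directory.
report_certs() {
  local dir name not_after days
  for dir in "$LIVE_DIR"/*/; do
    [ -f "$dir/fullchain.pem" ] || continue
    name="$(basename "$dir")"
    not_after="$(openssl x509 -in "$dir/fullchain.pem" -enddate -noout)"
    days="$(days_until_expiry "$not_after")"
    printf '%-40s %4d days left  %s\n' "$name" "$days" "$(expiry_status "$days")"
  done
}

check() {
  # --dry-run performs the whole ACME exchange against the Let's Encrypt
  # staging environment and installs nothing, so it exposes a blocked port
  # 80, a broken NGINX config or an outdated plugin before the real renewal
  # from cron fails silently.
  certbot renew --dry-run
  report_certs
}

case "${1:-}" in
  check) check ;;
esac
```

The dry run is the part worth scheduling too: a renewal that fails from cron is only noticed when the certificate has already expired, while a failing dry run can alert you weeks earlier.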

Clean script

sudo vim /usr/local/bin/clean
#!/bin/bash
# Runs from root's crontab, so no sudo is needed inside the script.
set -u

# Rotated (compressed) logs. Careful: this throws away log history you may
# need when investigating an incident; logrotate's rotate and maxage
# settings are the better place to control retention.
rm -rf /var/log/*.gz
rm -rf /var/log/nginx/*.gz
# Unused Docker containers, networks and images (all unused images with -a)
command -v docker >/dev/null && docker system prune -af
# Keep the systemd journal under 30 MB
journalctl --vacuum-size=30M
# Old snap downloads
rm -rf /var/lib/snapd/cache/*

Make it executable

sudo chmod +x /usr/local/bin/clean

Add to cron

sudo crontab -e
0 1 * * * /usr/local/bin/clean

Misc

Follow the guide; I advise choosing Redirect when Certbot asks about it, it is more secure.

If you want to keep /etc/nginx/sites-available/default, change server_name _ to server_name your-domain.com. Keeping the original catch-all config can cause errors, and Certbot will skip it, because it only edits server blocks whose server_name matches a domain you requested.
/etc/nginx/sites-available/default
server {
  listen 80 default_server;

  root /var/www/html;

  index index.html index.htm index.nginx-debian.html;

- server_name _;
+ server_name dev.ewilan-riviere.com;

  # ...
}

HTTP/2

server {
  listen [::]:80 http2;
  listen 80 http2;
  # ...
}

This only enables cleartext HTTP/2 (h2c), which browsers do not use: they negotiate HTTP/2 over TLS only. So if you use Certbot to enable HTTPS, you have to add http2 manually on the 443 listeners, which is where it matters:

server {
  listen [::]:443 ssl http2;
  listen 443 ssl http2;
  # ...
}

Check if a website uses HTTP/2 (the first line of the response should read HTTP/2 200 instead of HTTP/1.1 200 OK)

curl -I -L https://bookshelves.ink
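As an added example that is not part of the original page, a script that verifies the two things this page asks Certbot for: the HTTP to HTTPS redirect and HTTP/2 on the TLS listener. The parsing functions work on captured curl output, so they can be tested with constructed data; bookshelves.ink is taken from the page's own curl line and the script name tls-check.sh is an assumption.

```shell
#!/bin/sh
# Added example, not from the original page: check that a site Certbot
# configured redirects HTTP to HTTPS and negotiates HTTP/2 over TLS.
# Assumptions: curl is installed; the default host below is only an example.
# Usage: sh tls-check.sh check [host]
set -eu

SITE="${SITE:-bookshelves.ink}"
nl='
'

# classify_redirect HTTP_CODE LOCATION HOST -> redirect | no-redirect
# Given the status code and Location target of a plain-HTTP request, prints
# "redirect" only when it is a redirect to https:// on the same host.
# Certbot's Redirect option writes a 301, but any 3xx to https counts.
classify_redirect() {
  case "$1" in
    301|302|307|308)
      case "$2" in
        "https://$3"|"https://$3"/*) echo redirect ;;
        *) echo no-redirect ;;
      esac ;;
    *) echo no-redirect ;;
  esac
}

# protocol_from_status_line HEADERS -> "2", "1.1", ...
# Takes the raw response headers as printed by `curl -I` (CRLF line ends
# are fine) and extracts the protocol version from the status line,
# "HTTP/2 200" or "HTTP/1.1 200 OK".
protocol_from_status_line() {
  headers="$1"
  first_line=${headers%%$nl*}
  proto=${first_line%% *}
  echo "${proto#HTTP/}"
}

check_site() {
  host="$1"
  # -w prints curl's own view of the exchange; no -L, so the first hop's
  # status code and Location target are what we classify.
  set -- $(curl -sS -o /dev/null -w '%{http_code} %{redirect_url}' "http://$host/")
  echo "http->https: $(classify_redirect "$1" "${2:-}" "$host")"
  # --http2 asks for h2 (curl does this by default for https when built
  # with nghttp2); the status line shows what was actually negotiated.
  headers="$(curl -sS -I --http2 "https://$host/")"
  echo "protocol:    HTTP/$(protocol_from_status_line "$headers")"
}

case "${1:-}" in
  check) check_site "${2:-$SITE}" ;;
esac
```

A redirect to https on a different host, or a 200 on plain HTTP, is reported as no-redirect: both mean the site still serves content in clear, which is what choosing Redirect in Certbot is supposed to prevent.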

The http2 parameter of listen is deprecated since NGINX 1.25.1. On that version or newer, use the http2 directive inside the server block instead; it applies to every listener of that block, including the 443 ssl one.

server {
  listen [::]:80;
  listen 80;

  http2 on;
  # ...
}