Navigating the Configuration Journey: Wildcard DNS, Nginx Ubuntu Environment, and Let's Encrypt SSL Certificates
- Ctrl Man
- Web Security , Server Configuration
- 18 Sep, 2024
Introduction
As a web server administrator or developer, securing your site with a TLS (SSL) certificate is crucial for maintaining user trust and keeping data transmitted between server and client private. Obtaining and configuring such a certificate is more involved for wildcard names, because Let's Encrypt only validates wildcards through the DNS-01 challenge, which has to be answered in your DNS zone rather than on the web server. This article walks through obtaining a Let's Encrypt certificate with wildcard support on a Ubuntu server running Nginx on Hetzner Cloud, configuring Nginx to use it, and automating renewal.
Step 1: Installing Certbot
The first step is installing Certbot, the command-line ACME client from the Electronic Frontier Foundation (EFF) that automates certificate issuance and renewal. Make sure the apt package index is up to date before proceeding:
sudo apt update
Then install Certbot with a single command:
sudo apt install certbot
(Ubuntu's apt package can lag behind the current Certbot release; the EFF's own instructions install Certbot as a snap. Either works for this guide.)
Step 2: Manual DNS-01 Challenge
Let's Encrypt issues wildcard certificates only through the DNS-01 challenge, which proves control of the DNS zone. If your DNS provider has no Certbot plugin, you handle the challenge manually: Certbot gives you values to publish as temporary TXT records, and the CA looks those records up before issuing the certificate.
Initiate the Challenge
Run Certbot to initiate a manual DNS-01 challenge:
sudo certbot certonly --manual --preferred-challenges dns -d 'ctrlman.dev' -d '*.ctrlman.dev'
Certbot will prompt you for DNS TXT record details that need to be created.
Create the DNS TXT Record
Follow the on-screen instructions provided by Certbot. This involves creating a TXT record under _acme-challenge.ctrlman.dev with a randomly generated value:
Please deploy a DNS TXT record under the name _acme-challenge.ctrlman.dev with the following value:
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Before continuing, verify that this record has been created.
Verify and Complete the Challenge
After you have created the record, Certbot will prompt you to continue. Because the command above requested two names (ctrlman.dev and *.ctrlman.dev), Certbot runs two DNS-01 challenges and will ask for a second TXT record under the same name, _acme-challenge.ctrlman.dev, with a different value: add it alongside the first rather than replacing it. Before pressing Enter each time, confirm that the record is visible on your zone's authoritative name servers (for example with dig TXT _acme-challenge.ctrlman.dev @<authoritative name server>), not only through your local resolver, whose cache may still hold the old answer. Let's Encrypt queries the authoritative servers directly, and every failed validation counts against its limit of five failures per account, per hostname, per hour.
Once Certbot has validated both TXT records it issues the certificate, and you can delete the records afterwards.
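The check described above, as an added example rather than part of the original article: it queries every authoritative name server for the zone directly and reports which of them already serve the value Certbot asked for, so you press Enter only when all of them do. It assumes dig is installed (the dnsutils package on Ubuntu); the zone name and expected value are passed on the command line.

```shell
#!/bin/bash
# Added example (not from the article): confirm the _acme-challenge TXT record
# is live on every authoritative name server before telling Certbot to continue.
set -eu

# txt_values DIG_OUTPUT: turn the lines of `dig +short TXT` output into bare
# values, one per line. dig prints each record quoted and, for long records,
# as several quoted strings separated by spaces ("part1" "part2").
txt_values() {
  printf '%s\n' "$1" | sed -e 's/" "//g' -e 's/^"//' -e 's/"$//'
}

# txt_present DIG_OUTPUT EXPECTED: 0 if EXPECTED is exactly one of the values.
txt_present() {
  txt_values "$1" | grep -Fxq -- "$2"
}

# check_acme_txt ZONE EXPECTED: ask each authoritative server for the zone
# (not the local resolver, whose cache may lag or hold a negative answer)
# and report which ones already serve the expected value.
check_acme_txt() {
  local zone="$1" expected="$2" ns out rc=0
  for ns in $(dig +short NS "$zone"); do
    out=$(dig +short TXT "_acme-challenge.$zone" "@$ns") || out=""
    if txt_present "$out" "$expected"; then
      echo "ok       $ns"
    else
      echo "missing  $ns"
      rc=1
    fi
  done
  return "$rc"
}

# Usage: ./check_acme_txt.sh ctrlman.dev <value Certbot printed>
if [ "$#" -eq 2 ]; then
  check_acme_txt "$1" "$2"
fi
```

Run it once for each value Certbot prints; both records must show as "ok" on every server before you continue, since only one of them is needed per challenge but both challenges are validated in the same run.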
Step 3: Configure Your Web Server
Certbot stores the issued certificate chain at /etc/letsencrypt/live/ctrlman.dev/fullchain.pem and the private key at /etc/letsencrypt/live/ctrlman.dev/privkey.pem; both are symlinks into /etc/letsencrypt/archive/ that Certbot repoints on every renewal. Nginx's master process runs as root and can read those paths directly, so copying is optional; this article copies them into /etc/nginx/ssl so that the Nginx configuration does not depend on the Certbot directory layout. Either way, it's time to configure Nginx.
Copy Certificates and Keys
Create /etc/nginx/ssl if it does not exist yet, then copy the newly issued certificate chain and private key into it (cp follows the symlinks, so the copies are plain files):
sudo cp /etc/letsencrypt/live/ctrlman.dev/fullchain.pem /etc/nginx/ssl/fullchain.pem
sudo cp /etc/letsencrypt/live/ctrlman.dev/privkey.pem /etc/nginx/ssl/privkey.pem
Update Permissions
Make the certificate chain world-readable (it is public) and restrict the private key to root, which is the user Nginx reads it as:
sudo chmod 644 /etc/nginx/ssl/fullchain.pem
sudo chmod 600 /etc/nginx/ssl/privkey.pem
Update Nginx Configuration
Update your nginx configuration to reference the new files. For instance, in /etc/nginx/sites-available/default, add or modify the following lines. Note that a wildcard matches exactly one label: *.ctrlman.dev covers app.ctrlman.dev but not a.app.ctrlman.dev, and the bare domain is not covered by the wildcard at all, which is why both names were requested and both appear in server_name:
server {
listen 443 ssl;
server_name ctrlman.dev *.ctrlman.dev;
ssl_certificate /etc/nginx/ssl/fullchain.pem;
ssl_certificate_key /etc/nginx/ssl/privkey.pem;
}
Test and Reload Nginx
Before reloading, test the configuration for any syntax errors:
sudo nginx -t
If all is well, reload your server to apply the new SSL settings:
sudo systemctl reload nginx
Step 4: Automate Certificate Renewal
Let's Encrypt certificates are valid for 90 days, so renewal has to be routine. Certbot's renew hook runs after a certificate has been renewed successfully; use it to copy the new files and reload Nginx. Be aware that the hook does not solve the DNS-01 challenge itself: Certbot will not renew a certificate obtained with --manual non-interactively unless you also supply --manual-auth-hook (and usually --manual-cleanup-hook) scripts that create and remove the TXT record through your DNS provider's API, or switch to a certbot-dns-* plugin for your provider. Without one of those, re-run the certonly command from Step 2 interactively before the certificate expires; the hook below still takes care of copying the files and reloading Nginx.
Create the Renewal Hook Script
Create renew_and_reload_nginx.sh in /usr/local/bin with the following contents:
#!/bin/bash
# Abort on the first failure so a half-copied key never reaches Nginx
set -eu
# Copy renewed certificate and key to the SSL directory
cp /etc/letsencrypt/live/ctrlman.dev/fullchain.pem /etc/nginx/ssl/fullchain.pem
cp /etc/letsencrypt/live/ctrlman.dev/privkey.pem /etc/nginx/ssl/privkey.pem
# Ensure appropriate permissions: public chain readable, private key root-only
chmod 644 /etc/nginx/ssl/fullchain.pem
chmod 600 /etc/nginx/ssl/privkey.pem
# Check the configuration first, then reload Nginx to apply the new certificate
nginx -t
systemctl reload nginx
Make the script executable:
sudo chmod +x /usr/local/bin/renew_and_reload_nginx.sh
Configure Certbot to Invoke Renewal Hook
Edit the certificate's renewal configuration file, /etc/letsencrypt/renewal/ctrlman.dev.conf, and add the hook under its [renewalparams] section so that Certbot runs renew_and_reload_nginx.sh after each successful renewal:
renew_hook = /usr/local/bin/renew_and_reload_nginx.sh
Alternatively, drop the script into /etc/letsencrypt/renewal-hooks/deploy/: Certbot runs every executable in that directory after any successful renewal, with no per-certificate configuration to edit.
Test and Implement Automation
Test the renewal process with a dry run against Let's Encrypt's staging environment:
sudo certbot renew --dry-run
If the certificate was obtained with --manual and no --manual-auth-hook is configured, the dry run stops with an error stating that the manual plugin needs an authentication script when used non-interactively. That is expected: it means renewals have to be done interactively until an auth hook or DNS plugin is in place. Once the dry run succeeds, nothing else needs scheduling, because Ubuntu's certbot package installs a systemd timer (certbot.timer) that runs certbot renew twice a day; confirm it is active with systemctl list-timers certbot.timer.
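A more defensive version of the hook, added here as an example rather than taken from the article: before anything is copied it verifies that the private key actually matches the certificate and that the certificate covers both names, it uses install so that owner and mode are set in the same step as the copy, and it refuses to reload Nginx on a broken configuration. It assumes the same paths as above (/etc/nginx/ssl and the ctrlman.dev lineage) and reads RENEWED_LINEAGE, which Certbot exports to renew and deploy hooks; the --deploy flag is this script's own convention for running it by hand and is not a Certbot option.

```shell
#!/bin/bash
# Added example (not the article's script): a renew/deploy hook that validates
# the renewed material before Nginx sees it. Assumed paths: /etc/nginx/ssl and
# the ctrlman.dev lineage used throughout the article.
# -f disables globbing so the literal "*.ctrlman.dev" is never expanded.
set -euf

SSL_DIR=/etc/nginx/ssl
WANT_NAMES="ctrlman.dev *.ctrlman.dev"
# Certbot exports RENEWED_LINEAGE to renew/deploy hooks; the fallback is for
# running the script by hand.
LINEAGE="${RENEWED_LINEAGE:-/etc/letsencrypt/live/ctrlman.dev}"

# san_covers SAN_TEXT NAME: 0 if NAME is listed as a DNS entry in the
# subjectAltName text openssl prints, e.g. "DNS:ctrlman.dev, DNS:*.ctrlman.dev".
# A wildcard entry is matched literally; no wildcard expansion is attempted,
# so a certificate is only accepted for exactly the names it was requested for.
san_covers() {
  printf '%s\n' "$1" | tr ',' '\n' \
    | sed 's/^[[:space:]]*//; s/[[:space:]]*$//' \
    | grep -Fxq -- "DNS:$2"
}

# cert_matches_key CERT KEY: compare the public key inside the certificate
# with the public key derived from the private key (both as SPKI PEM).
cert_matches_key() {
  local c k
  c=$(openssl x509 -in "$1" -noout -pubkey) || return 1
  k=$(openssl pkey -in "$2" -pubout) || return 1
  [ -n "$c" ] && [ "$c" = "$k" ]
}

deploy() {
  local cert="$LINEAGE/fullchain.pem" key="$LINEAGE/privkey.pem" san name
  cert_matches_key "$cert" "$key" \
    || { echo "private key does not match certificate in $LINEAGE" >&2; return 1; }
  # openssl prints a header line followed by the SAN entries (OpenSSL >= 1.1.1)
  san=$(openssl x509 -in "$cert" -noout -ext subjectAltName | tail -n +2)
  for name in $WANT_NAMES; do
    san_covers "$san" "$name" \
      || { echo "certificate does not cover $name" >&2; return 1; }
  done
  install -d -m 0755 "$SSL_DIR"
  # install copies and sets owner/mode in one step, so the private key is
  # never world-readable, not even briefly
  install -m 0644 -o root -g root "$cert" "$SSL_DIR/fullchain.pem"
  install -m 0600 -o root -g root "$key" "$SSL_DIR/privkey.pem"
  nginx -t                 # never reload into a broken configuration
  systemctl reload nginx
}

# Run only when Certbot invokes the hook (RENEWED_LINEAGE is set) or when
# called as "renew_and_reload_nginx.sh --deploy" (this script's own flag).
if [ -n "${RENEWED_LINEAGE:-}" ] || [ "${1:-}" = "--deploy" ]; then
  deploy
fi
```

Because the checks run before the copy, a renewal that produced an unexpected certificate (wrong names, or a lineage whose key and certificate got out of step) leaves the files Nginx is already serving untouched, and the non-zero exit shows up in Certbot's log and in the systemd timer's status.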
Conclusion
Navigating the process of obtaining and configuring SSL certificates with wildcard DNS on Nginx can be challenging but rewarding. By following these steps, you ensure that your web server is secure and efficiently managed, protecting user data while maintaining a seamless user experience. Remember to keep an eye on renewal dates and automate tasks whenever possible to maintain optimal security practices without manual intervention.