In this article, I’ll show how to install a free SSL certificate with Let’s Encrypt for Rails 7 using Nginx + Passenger on Ubuntu 22.04 (Jammy Jellyfish).
Steps:
- Register a domain, create a server, and edit the domain's DNS so the domain points to the server (out of scope of this article).
- Install Certbot as a snap package.
- Install a certificate, update nginx config, and check certificate renewal cron job.
Let's Encrypt is a non-profit (sponsored by various companies: https://letsencrypt.org/sponsors/) certificate authority that provides free SSL/TLS certificates for enabling encrypted HTTPS connections on websites. These certificates are crucial for securing web traffic by encrypting data transmitted between a web server and a user's browser, thus helping to protect sensitive information such as login credentials, payment details, and personal data.
Let's Encrypt was launched in 2015 by the Internet Security Research Group (ISRG) in collaboration with major technology companies, non-profit organizations, and academic institutions.
There is a guide from Certbot for Ubuntu 20.04:
https://certbot.eff.org/instructions?ws=nginx&os=ubuntufocal
More on Certbot:
https://github.com/certbot/certbot
Download the package lists:
sudo apt update
Download and install packages:
sudo apt upgrade
More on apt update and apt upgrade:
- https://askubuntu.com/questions/222348/what-does-sudo-apt-get-update-do
- https://linux.die.net/man/8/apt-get
Install the snapd package to work with the snap package manager:
sudo apt install snapd
Apt vs snap:
https://www.reddit.com/r/Ubuntu/comments/a364ii/proscons_of_snap_vs_apt/
Install the Certbot snap package:
sudo snap install --classic certbot
With --classic you instruct snap to install the Certbot package in classic confinement. This allows the package greater access to system resources, which is important for Certbot, since it needs to interact with system-level components (such as the nginx configuration it edits later in this guide) to manage SSL certificates.
More on --classic:
- https://askubuntu.com/questions/917049/what-is-the-classic-mode-of-snap-and-why-do-some-snaps-not-install-without-it
- https://ubuntu.com/blog/how-to-snap-introducing-classic-confinement
Install and update the core snap package:
sudo snap install core; sudo snap refresh core
It's important to ensure the core snap runtime is up to date (for the latest security updates, etc.).
Let's create a symlink so you can run the certbot command without specifying the full path to the binary:
sudo ln -s /snap/bin/certbot /usr/bin/certbot
Install a certificate and automatically update the nginx config (replace example.com with your own domain):
sudo certbot --nginx -d example.com -d www.example.com
Output
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Enter email address (used for urgent renewal and security notices)
(Enter 'c' to cancel): your@mail.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.3-September-21-2022.pdf. You must
agree in order to register with the ACME server. Do you agree?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: y
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing, once your first certificate is successfully issued, to
share your email address with the Electronic Frontier Foundation, a founding
partner of the Let's Encrypt project and the non-profit organization that
develops Certbot? We'd like to send you email about our work encrypting the web,
EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: n
Account registered.
Requesting a certificate for example.com and www.example.com
Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/example.com/fullchain.pem
Key is saved at: /etc/letsencrypt/live/example.com/privkey.pem
This certificate expires on 2024-06-13.
These files will be updated when the certificate renews.
Certbot has set up a scheduled task to automatically renew this certificate in the background.
Deploying certificate
Successfully deployed certificate for example.com to /etc/nginx/sites-enabled/default
Successfully deployed certificate for www.example.com to /etc/nginx/sites-enabled/default
Congratulations! You have successfully enabled HTTPS on https://example.com and https://www.example.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
If you like Certbot, please consider supporting our work by:
* Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
* Donating to EFF: https://eff.org/donate-le
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
It will:
- Install certificates for the specified domains.
- Update the nginx config for the site (/etc/nginx/sites-available/config-name; in the output above it was /etc/nginx/sites-enabled/default).
Renewal cron job
As you can see, it says "Certbot has set up a scheduled task to automatically renew this certificate in the background".
Let's Encrypt's certificates are valid for 90 days, so it makes sense to automate the renewal process. The Certbot snap package takes care of this for us by adding a systemd timer that runs twice a day and automatically renews any certificate that's within thirty days of expiration.
Let's check the status of the renewal service:
sudo systemctl status snap.certbot.renew.service
Output
○ snap.certbot.renew.service - Service for snap application certbot.renew
Loaded: loaded (/etc/systemd/system/snap.certbot.renew.service; static)
Active: inactive (dead)
TriggeredBy: ● snap.certbot.renew.timer
The line "Active: inactive (dead)" is not a problem: Certbot isn't a continuously running process, the service is started by the timer whenever a run is scheduled.
To emulate certificate renewal without actually renewing anything:
sudo certbot renew --dry-run
But if you have to work with crontab for some reason, you'll need the command:
sudo crontab -e
And at the bottom of the file add:
30 3 * * 1 /usr/bin/certbot renew
Save and close. This root cron job will attempt to renew the certificate every Monday at 3:30 am.
A useful tool to generate cron schedule expressions:
https://crontab.guru/
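As an added example (not part of the original article), here is a small bash script that checks the deployed certificate against the 30-day renewal window described above and confirms that the nginx site file really carries the directives Certbot added. It assumes the /etc/letsencrypt/live/<domain>/ path shown in the certbot output and GNU date; the domain and site file names are placeholders.

```shell
#!/usr/bin/env bash
# Added example (not from the article): verify that the certificate Certbot installed
# is still far from expiry and that the nginx site file really carries the TLS directives.
set -eu

RENEW_WINDOW_DAYS=30   # Certbot renews a certificate with fewer days than this left

# days_left NOTAFTER [NOW]
#   NOTAFTER is the text after "notAfter=" from `openssl x509 -enddate -noout`;
#   NOW is an optional reference time (defaults to the current time), useful for tests.
days_left() {
  local end_epoch now_epoch
  end_epoch=$(date -u -d "$1" +%s)
  now_epoch=$(date -u -d "${2:-now}" +%s)
  echo $(( (end_epoch - now_epoch) / 86400 ))
}

# needs_renewal NOTAFTER [NOW]: exit 0 when the certificate is inside the renewal window
needs_renewal() {
  [ "$(days_left "$1" "${2:-now}")" -lt "$RENEW_WINDOW_DAYS" ]
}

# nginx_site_has_tls FILE: exit 0 when the site file contains both directives that
# `certbot --nginx` adds (ssl_certificate and ssl_certificate_key)
nginx_site_has_tls() {
  grep -qE '^[[:space:]]*ssl_certificate[[:space:]]' "$1" &&
    grep -qE '^[[:space:]]*ssl_certificate_key[[:space:]]' "$1"
}

# check_live_cert DOMAIN: read the expiry of the deployed certificate; the path is the
# one shown in the certbot output above, so this function only works on the server itself.
check_live_cert() {
  local cert="/etc/letsencrypt/live/$1/fullchain.pem" end
  end=$(openssl x509 -enddate -noout -in "$cert" | cut -d= -f2)
  if needs_renewal "$end"; then
    echo "$1: $(days_left "$end") days left, renewal due (run: sudo certbot renew)"
  else
    echo "$1: $(days_left "$end") days left, ok"
  fi
}

# Usage on the server (uncomment; example.com is a placeholder domain):
# check_live_cert example.com
# nginx_site_has_tls /etc/nginx/sites-enabled/default && echo "nginx site has TLS directives"
# systemctl list-timers --all snap.certbot.renew.timer   # confirm the timer that drives renewal
```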
The end.