
Setting Up SSL with Ghost Blog using Let's Encrypt

Recently I rebuilt my website using Nginx on a VPS hosted at UpCloud.com. Once it was set up and running well over HTTP, the next step was to enable SSL for the site.

My VPS runs on UpCloud's $10/mo plan, which they advertise as the fastest cloud VPS:

$ 10 / mo

1 GB Memory
1 CPU Core
30 GB MaxIOPS
2 TB Transfer

More than enough for my private blog. I chose Ubuntu 16.04 LTS as the OS for running Ghost Blog and Nginx.

Here we go!

Install

On Ubuntu systems, the Certbot team maintains a PPA. Once you add it to your list of repositories, all you need to do is apt-get the following packages.

$ sudo apt-get update
$ sudo apt-get install software-properties-common
$ sudo add-apt-repository ppa:certbot/certbot
$ sudo apt-get update
$ sudo apt-get install python-certbot-nginx

Let's Get Started

Certbot has an Nginx plugin, which is supported on many platforms, and automates both obtaining and installing certs:

$ sudo certbot --nginx

Running this command will get a certificate for you and have Certbot edit your Nginx configuration automatically to serve it. If you're feeling more conservative and would like to make the changes to your Nginx configuration by hand, you can use the certonly subcommand:

$ sudo certbot --nginx certonly

This will ask you some questions that you have to answer. Go ahead and follow the procedure. You need to give a valid email address for renewal and security notices.
For this question:
Which names would you like to activate HTTPS for?
Press c to cancel, since Certbot currently does not support multiple server blocks/vhosts here.
So we add our domains manually to cover multiple server blocks/vhosts:

$ sudo certbot --nginx -d waysquare.com -d www.waysquare.com

Congratulations! You have successfully enabled https://waysquare.com and
https://www.waysquare.com

You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=waysquare.com
https://www.ssllabs.com/ssltest/analyze.html?d=www.waysquare.com


IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/waysquare.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/waysquare.com/privkey.pem
   Your cert will expire on 2018-01-12. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"

You are done. The certificate and private key files are located under /etc/letsencrypt/live/yoursite.com/

Automating renewal

If you're setting up a cron or systemd job, we recommend running it twice per day (it won't do anything until your certificates are due for renewal or revoked, but running it regularly gives your site a chance of staying online in case a Let's Encrypt-initiated revocation happens for some reason). Please select a random minute within the hour for your renewal tasks.
I use systemd for better usability and easier logging.

Let's create the unit files, both service and timer:
/etc/systemd/system/renew-certbot.service

[Unit]
Description=Let's Encrypt renewal

[Service]
Type=oneshot
ExecStart=/usr/bin/certbot renew --post-hook "/bin/systemctl restart nginx" --agree-tos

/etc/systemd/system/renew-certbot.timer

[Unit]
Description=Twice daily renewal of Let's Encrypt's certificates

[Timer]
OnCalendar=0/12:00:00
RandomizedDelaySec=1h
Persistent=true

[Install]
WantedBy=timers.target

For more information about certbot renewal, see the official certbot renewal documentation: https://certbot.eff.org/docs/using.html#renewal

Enable and start the timer

$ sudo systemctl daemon-reload
$ sudo systemctl start renew-certbot.timer
$ sudo systemctl enable renew-certbot.timer

Starting the timer is necessary because otherwise it wouldn't be active until the next time you rebooted (assuming it was enabled, that is). You can verify that the timer has been started, its planned execution times, service logs, etc. using the following commands:

$ sudo systemctl list-timers
$ sudo journalctl -u renew-certbot
$ sudo journalctl -u renew-certbot --since="yesterday"
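As an added check that is not part of the original post, the script below reads the expiry date from the live fullchain.pem that certbot reported above, computes the days remaining, and fails if renewal is overdue or the renew-certbot.timer from this post is not active. It assumes certbot's /etc/letsencrypt/live/<domain>/ layout, GNU date (as shipped with Ubuntu) and openssl; the domain and threshold are arguments.

```shell
#!/bin/sh
# Added example, not code from the original post.
# Usage: check_cert_expiry.sh <domain> [min-days]
# Assumes certbot's /etc/letsencrypt/live/<domain>/fullchain.pem layout.

# Days from epoch seconds $2 until a notAfter string as printed by
# `openssl x509 -enddate -noout`, e.g. "Jan 12 00:00:00 2018 GMT".
# Negative when already expired. Requires GNU date for `-d`.
days_until() {
    notafter=$1
    now_epoch=$2
    exp_epoch=$(date -u -d "$notafter" +%s) || return 1
    echo $(( (exp_epoch - now_epoch) / 86400 ))
}

# Returns 0 when the live cert has at least $2 days left (default 30).
# Let's Encrypt certs are valid for 90 days and certbot renews them when
# 30 days remain, so fewer than 30 means the renewal job is not working.
check_live_cert() {
    domain=$1
    min_days=${2:-30}
    cert=/etc/letsencrypt/live/$domain/fullchain.pem
    [ -r "$cert" ] || { echo "missing or unreadable: $cert" >&2; return 1; }
    notafter=$(openssl x509 -enddate -noout -in "$cert" | cut -d= -f2)
    left=$(days_until "$notafter" "$(date -u +%s)") || return 1
    if [ "$left" -lt "$min_days" ]; then
        echo "$domain: only $left day(s) left, renewal is overdue" >&2
        return 1
    fi
    echo "$domain: $left day(s) left"
}

# Confirms the timer created earlier in this post is actually scheduled.
timer_active() {
    systemctl is-active --quiet renew-certbot.timer
}

# Only run the checks when a domain was given on the command line.
if [ -n "${1:-}" ]; then
    check_live_cert "$1" "${2:-30}" && timer_active
fi
```

Run it from the same twice-daily timer, or by hand after `certbot renew`, to catch a silently failing renewal before the certificate lapses.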

Reference:
certbot
systemctl
journalctl