Allowing HTTPS Through the Firewall
Before obtaining an SSL certificate, make sure your firewall allows inbound HTTPS traffic (TCP port 443); otherwise clients will be unable to reach the site over HTTPS once the certificate is installed. If you are using UFW (Uncomplicated Firewall), follow these steps:
Check the Current Firewall Status
sudo ufw status
This shows which services are currently allowed. For example, you might see 'Nginx HTTP' (port 80 only) allowed but not 'Nginx Full', which covers both HTTP (port 80) and HTTPS (port 443).
List Available Applications
sudo ufw app list
Allow HTTPS Traffic
sudo ufw allow 'Nginx Full'
Remove HTTP-Only Rules
sudo ufw delete allow 'Nginx HTTP'
sudo ufw delete allow 80
Both rules are redundant once 'Nginx Full' is present, because that profile already opens port 80 alongside 443. Port 80 therefore stays open through 'Nginx Full', which matters: Certbot's HTTP-01 challenge and any HTTP-to-HTTPS redirect still depend on it.
Verify the Updated Firewall Rules
sudo ufw status
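The check below is an added shell example, not part of the original guide. It decides from the text that sudo ufw status prints whether inbound HTTPS is actually permitted, and counts the HTTP-only rules that become redundant once 'Nginx Full' is present. Both status listings are constructed samples (a host with only 'Nginx HTTP' allowed, and the same host after allowing 'Nginx Full'); the function names https_allowed and http_only_rule_count are my own.

```shell
#!/bin/sh
# Added example (not from the original guide): audit `ufw status` text for
# HTTPS coverage. The two listings below are constructed sample output.

SAMPLE_UFW_STATUS='Status: active

To                         Action      From
--                         ------      ----
OpenSSH                    ALLOW       Anywhere
Nginx HTTP                 ALLOW       Anywhere
OpenSSH (v6)               ALLOW       Anywhere (v6)
Nginx HTTP (v6)            ALLOW       Anywhere (v6)'

# Constructed listing for the same host after `sudo ufw allow 'Nginx Full'`.
FIXED_UFW_STATUS='Status: active

To                         Action      From
--                         ------      ----
OpenSSH                    ALLOW       Anywhere
Nginx HTTP                 ALLOW       Anywhere
Nginx Full                 ALLOW       Anywhere
OpenSSH (v6)               ALLOW       Anywhere (v6)
Nginx HTTP (v6)            ALLOW       Anywhere (v6)
Nginx Full (v6)            ALLOW       Anywhere (v6)'

# https_allowed STATUS_TEXT
#   0  an ALLOW rule covers HTTPS ('Nginx Full', 'Nginx HTTPS', '443' or '443/tcp')
#   1  UFW is active but nothing allows port 443
#   2  UFW is inactive, so no rule is enforced at all
https_allowed() {
    printf '%s\n' "$1" | grep -q '^Status: active' || return 2
    printf '%s\n' "$1" | grep -Eq '^(Nginx Full|Nginx HTTPS|443(/tcp)?)( \(v6\))? +ALLOW' && return 0
    return 1
}

# http_only_rule_count STATUS_TEXT
# Prints how many 'Nginx HTTP' / port-80 ALLOW rules remain. They are harmless
# but redundant once 'Nginx Full' exists; these are the rules the guide deletes.
http_only_rule_count() {
    printf '%s\n' "$1" | grep -cE '^(Nginx HTTP|80(/tcp)?)( \(v6\))? +ALLOW' || true
}

# Stand-alone run over the constructed "before" state. On a real host use:
#   status="$(sudo ufw status)"
rc=0
https_allowed "$SAMPLE_UFW_STATUS" || rc=$?
case $rc in
    0) echo "HTTPS is allowed" ;;
    1) echo "HTTPS is NOT allowed; run: sudo ufw allow 'Nginx Full'" ;;
    2) echo "UFW is inactive; nothing is being filtered" ;;
esac
echo "HTTP-only rules present: $(http_only_rule_count "$SAMPLE_UFW_STATUS")"
```

The regular expression anchors on the first column of the listing, so a rule such as 4430 is not mistaken for 443, and the IPv6 twin of each rule is matched as well.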
Obtaining an SSL Certificate with Certbot
Certbot automates the process of getting SSL certificates. If you’re using Nginx, Certbot can automatically configure your server to use the certificates.
Obtain a Certificate for Your Domain
sudo certbot --nginx -d example.com -d www.example.com
Obtain a Certificate Without Editing the Nginx Configuration
sudo certbot certonly --nginx
With certonly, Certbot still uses the Nginx plugin to complete the challenge but only saves the certificate files; installing them into the server configuration is left to you.
Verifying and Managing Certificate Renewal
Certbot sets up a cron job or systemd timer to automatically renew your certificates. You can manually check or adjust this process:
Check Your Certificates
sudo certbot certificates
Manually Renew Certificates
sudo certbot renew
Run Renewal in Quiet Mode (prints nothing unless an error occurs, which suits cron)
sudo certbot renew -q
Test Renewal Process Without Making Changes
sudo certbot renew --dry-run
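The report that sudo certbot certificates prints is the quickest way to notice that auto-renewal has silently stopped working. The following is an added shell example, not part of the original guide: it parses such a report and flags certificates that are expired or have fewer than 30 days left (Certbot's renew command starts replacing a certificate 30 days before expiry, so anything under that means renewal has not run). The report text is a constructed sample laid out like Certbot's output, with placeholder serial numbers; the function names certs_needing_attention and renewal_healthy are my own.

```shell
#!/bin/sh
# Added example (not from the original guide): flag certificates in a
# `certbot certificates` report that are expired or inside the renewal window.
# The report below is constructed; serial numbers are placeholders.

SAMPLE_CERTBOT_OUTPUT='Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Found the following certs:
  Certificate Name: example.com
    Serial Number: 0123456789abcdef0123456789abcdef01234567
    Key Type: ECDSA
    Domains: example.com www.example.com
    Expiry Date: 2024-06-01 09:15:00+00:00 (VALID: 61 days)
    Certificate Path: /etc/letsencrypt/live/example.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/example.com/privkey.pem
  Certificate Name: staging.example.com
    Serial Number: 89abcdef0123456789abcdef0123456789abcdef
    Key Type: RSA
    Domains: staging.example.com
    Expiry Date: 2024-04-20 09:15:00+00:00 (VALID: 19 days)
    Certificate Path: /etc/letsencrypt/live/staging.example.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/staging.example.com/privkey.pem
  Certificate Name: old.example.com
    Serial Number: fedcba9876543210fedcba9876543210fedcba98
    Key Type: RSA
    Domains: old.example.com
    Expiry Date: 2024-03-01 09:15:00+00:00 (INVALID: EXPIRED)
    Certificate Path: /etc/letsencrypt/live/old.example.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/old.example.com/privkey.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -'

# certs_needing_attention REPORT_TEXT [THRESHOLD_DAYS]
# Prints one "name days-left" line per certificate with fewer than
# THRESHOLD_DAYS (default 30) left, or "name EXPIRED" for expired ones.
certs_needing_attention() {
    printf '%s\n' "$1" | awk -v thr="${2:-30}" '
        /Certificate Name:/ { name = $3 }
        /Expiry Date:/ {
            if ($0 ~ /INVALID/) { print name, "EXPIRED"; next }
            n = $0
            sub(/.*VALID: /, "", n)     # leaves "61 days)"
            sub(/ day.*/, "", n)        # leaves "61"
            if (n + 0 < thr) print name, n
        }'
}

# renewal_healthy REPORT_TEXT [THRESHOLD_DAYS]
# Exit status 0 when no certificate needs attention, 1 otherwise; usable as a
# monitoring check alongside `sudo certbot renew --dry-run`.
renewal_healthy() {
    [ -z "$(certs_needing_attention "$1" "${2:-30}")" ]
}

# Stand-alone run over the constructed report. On a real host use:
#   report="$(sudo certbot certificates)"
if renewal_healthy "$SAMPLE_CERTBOT_OUTPUT"; then
    echo "all certificates healthy"
else
    echo "certificates needing attention:"
    certs_needing_attention "$SAMPLE_CERTBOT_OUTPUT"
fi
```

Because the check reads only the "Expiry Date" lines, it keeps working when Certbot adds or reorders the other fields, and the threshold argument lets you alert earlier than Certbot's own 30-day trigger if you want more lead time to investigate.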
Verifying Certbot Auto-Renewal
Certbot uses a systemd timer or a cron job to handle automatic renewals.
Check the Status of the Systemd Timer
sudo systemctl status certbot.timer
Enable and Start the Timer
sudo systemctl enable certbot.timer
sudo systemctl start certbot.timer
Unmask the Timer (only needed if the status above reports it as masked)
sudo systemctl unmask certbot.timer
List All Timers
systemctl list-timers | grep certbot
Check the Cron Job Configuration
cat /etc/cron.d/certbot
List Existing Cron Jobs
crontab -l
Edit Cron Jobs
crontab -e
Add a Cron Job (only if no systemd timer is active)
The entry below runs renewal every day at 12:00. Certbot only replaces certificates that are within 30 days of expiry, so the daily run is cheap and safe.
0 12 * * * /usr/bin/certbot renew --quiet