Setting up Letsencrypt with Nginx and Cron

Before Letsencrypt, HTTPS was a hassle. We'd have to purchase a certificate, and then installing it was a hassle too. For me at least. Then along came Letsencrypt and suddenly the problem was solved! Letsencrypt provides SSL certificates free of charge, along with tools that make it very easy to install these certificates.

This tutorial is meant to be an extension of my previous article Deploying a Flask Application in Production (Nginx, Gunicorn, and PM2) which goes over how to set up a basic Flask application with Nginx, Gunicorn, and PM2. This tutorial will go over how to then add HTTPS to that application and how to create a cronjob that updates the certificates every month.

Let's get started!

Step 1: Install Letsencrypt

All right, so first things first we need to actually install Letsencrypt. We do this by cloning the Letsencrypt repo.

cd ~/  
git clone https://github.com/letsencrypt/letsencrypt  

Once the repo is cloned we need to run letsencrypt-auto so we execute the following commands.

cd letsencrypt  
./letsencrypt-auto

This will bootstrap the dependencies for your system.

Step 2: Generating the Certificate

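First we have to stop Nginx, because standalone mode starts its own temporary web server and needs the port that Nginx is holding.

sudo service nginx stop

Then we generate the certificate.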

./letsencrypt-auto certonly --standalone

This will take you into a Curses GUI menu where you will have to fill out some info about your website.

Great! Now our certificate has been created.

Step 3: Installing the Certificate

The next step is to install our newly created certificate in Nginx.

First let's open up the Nginx config for editing.

sudo vim /etc/nginx/sites-available/default  

We are going to need to add two new server blocks. One that will redirect HTTP requests to HTTPS, and one that will process the HTTPS requests.

The following code is the server block that will redirect all HTTP requests to HTTPS:

server {  
    listen 80;
    listen [::]:80;
    server_name mydomain.com www.mydomain.com;
    return 301 https://mydomain.com$request_uri;
}

The following code is the server block for processing HTTPS requests. The location portion will be different depending on what you are trying to do, but the SSL portion will be the same.

server {
    listen 443 ssl;
    listen [::]:443 ssl;
    # No separate "ssl on;" line: the ssl parameter on listen already enables TLS,
    # and the standalone directive was removed in nginx 1.25.1.
    ssl_certificate /etc/letsencrypt/live/mydomain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/mydomain.com/privkey.pem;
    location / {
        # This portion depends on what you are trying to deploy. Look up tutorials for your specific situation if this doesn't solve your problem.
        proxy_pass http://127.0.0.1:8080;
    }
}

NOTE: Again, be sure to change mydomain.com to the domain you are using.

Finally we must start Nginx again:

sudo service nginx start  

And boom, we are done! SSL is now enabled on our site. Now all that remains is to set up the cronjob.

Step 4: Automatic Renewals

Letsencrypt certificates only last three months, so we will have to renew them. We can do this by setting up a monthly cron job which will run ./letsencrypt-auto renew for us.

Create a new file in /etc/cron.monthly and call it renew_certs.sh. Now open this file and add the following code:

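#!/bin/sh
# Cron runs this as root, so ~ is root's home; use the full path if you cloned the repo elsewhere.
service nginx stop
cd ~/letsencrypt/
./letsencrypt-auto renew
service nginx start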

Save it, and you are good to go!
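
A sturdier version of the Step 4 cron script, as an added example that is not from the original article: it starts Nginx again even when the renewal fails, and warns when the certificate is close to expiry. The install name renew-certs, LE_DIR, CERT and WARN_DAYS are assumptions; the name has no dot because Debian's run-parts skips files whose names contain one.

```shell
#!/bin/sh
# Added example, not the article's script. Assumed install path:
# /etc/cron.monthly/renew-certs (hypothetical name, no dot in it).
LE_DIR="${LE_DIR:-/root/letsencrypt}"   # assumption: where the repo was cloned
CERT="${CERT:-/etc/letsencrypt/live/mydomain.com/fullchain.pem}"
WARN_DAYS="${WARN_DAYS:-14}"            # assumption: alert threshold

# Exit 0 if the certificate $1 expires within $2 days. An unreadable or
# missing file also counts as "expiring" so the problem gets reported.
cert_expires_within() {
    ! openssl x509 -checkend "$(( $2 * 86400 ))" -noout -in "$1" >/dev/null 2>&1
}

# Stop nginx, renew, then start nginx again whether or not the renewal
# succeeded, so a failed run cannot leave the site offline.
renew_with_restart() {
    service nginx stop || return 1
    rc=0
    ( cd "$LE_DIR" && ./letsencrypt-auto renew ) || rc=$?
    service nginx start || rc=$?
    return "$rc"
}

main() {
    renew_with_restart || echo "renewal run failed (exit $?)" >&2
    # Monthly runs leave little slack on a three-month certificate, so
    # complain on stderr (cron can mail it) when expiry is close.
    if cert_expires_within "$CERT" "$WARN_DAYS"; then
        echo "WARNING: $CERT expires within $WARN_DAYS days" >&2
        return 1
    fi
}

# Run only when installed under the cron name; sourcing or testing the
# file under another name just defines the functions.
case "$0" in
    *renew-certs) main ;;
esac
```

Make the file executable (chmod 755), since run-parts only runs executable files.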

Now you can focus on the more important things.

Good Luck.

Frankie