sudo snap install core; sudo snap refresh core
sudo apt remove certbot
sudo snap install --classic certbot
sudo ln -s /snap/bin/certbot /usr/bin/certbot
Adjust the firewall (ufw) settings to allow HTTPS traffic. You can see the current settings by typing:
sudo ufw status
Output
Status: active
To Action From
-- ------ ----
OpenSSH ALLOW Anywhere
Nginx HTTP ALLOW Anywhere
OpenSSH (v6) ALLOW Anywhere (v6)
Nginx HTTP (v6) ALLOW Anywhere (v6)
To additionally let in HTTPS traffic, allow the Nginx Full profile and delete the redundant Nginx HTTP profile allowance:
sudo ufw allow 'Nginx Full'
sudo ufw delete allow 'Nginx HTTP'
Your status should now look like this:
sudo ufw status
Output
Status: active
To Action From
-- ------ ----
OpenSSH ALLOW Anywhere
Nginx Full ALLOW Anywhere
OpenSSH (v6) ALLOW Anywhere (v6)
Nginx Full (v6) ALLOW Anywhere (v6)
Create a DNS CAA record so that only Let's Encrypt is authorised to issue certificates for the domain:
Type: CAA
Data: 0 issue "letsencrypt.org"
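To see what that record commits a CA to, here is an added example (not part of the original notes) that evaluates a CAA record set the way RFC 8659 requires; the caa_permits function, the temporary records file and the sample record lines are constructed for illustration:

```shell
#!/bin/sh
# Added example, not part of the original notes. Evaluates a CAA record set
# the way a CA must (RFC 8659 "issue"/"issuewild" semantics) so you can
# confirm what the record 0 issue "letsencrypt.org" above permits.
# Records are given in the form printed by: dig +short CAA yourdomain.com
# Usage: caa_permits <ca-domain> <wildcard: yes|no> <records-file>
# Exit status 0 = the CA may issue, 1 = it may not.
caa_permits() {
    ca=$(printf '%s' "$1" | tr 'A-Z' 'a-z'); wildcard=$2; file=$3
    issue_ok=1 issuewild_ok=1 have_issue=0 have_issuewild=0
    while read -r flags tag value; do
        [ -z "$tag" ] && continue          # skip blank lines
        tag=$(printf '%s' "$tag" | tr 'A-Z' 'a-z')
        # strip the quotes and any ";key=value" parameters, keep the CA domain
        value=$(printf '%s' "$value" | sed 's/^"//; s/"$//; s/;.*//' | tr -d ' ' | tr 'A-Z' 'a-z')
        case "$tag" in
            issue)     have_issue=1;     [ "$value" = "$ca" ] && issue_ok=0 ;;
            issuewild) have_issuewild=1; [ "$value" = "$ca" ] && issuewild_ok=0 ;;
            *) # unknown property: fatal only when the critical flag (bit 7) is set
               [ "$(( ${flags:-0} & 128 ))" -ne 0 ] && return 1 ;;
        esac
    done < "$file"
    # wildcard names are governed by issuewild when any such record exists
    if [ "$wildcard" = yes ] && [ "$have_issuewild" -eq 1 ]; then
        return "$issuewild_ok"
    fi
    # otherwise issue records apply; with no relevant records any CA may issue
    if [ "$have_issue" -eq 1 ]; then
        return "$issue_ok"
    fi
    return 0
}

# Constructed sample: the record set recommended in the notes above
records=$(mktemp)
printf '0 issue "letsencrypt.org"\n' > "$records"
caa_permits letsencrypt.org no "$records" && echo "letsencrypt.org: may issue"
caa_permits digicert.com no "$records" || echo "digicert.com: may not issue"
rm -f "$records"
```

A record of the form 0 issue ";" denies every CA, which the function handles by leaving no permitted issuer.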
Create a folder for the Let's Encrypt HTTP-01 challenge files (one folder can be shared by multiple sites):
sudo mkdir -p /var/www/letsencrypt/.well-known
sudo chgrp www-data -R /var/www/letsencrypt
sudo chmod g+s /var/www/letsencrypt
sudo chmod 750 -R /var/www/letsencrypt
Add a location for the Let's Encrypt challenge folder to the Nginx server block:
server {
    ...
    location ^~ /.well-known/acme-challenge/ {
        allow all;
        root /var/www/letsencrypt/;
        default_type "text/plain";
        try_files $uri =404;
    }
}
Request the certificate with certbot. certonly only obtains the certificate files and does not install them into the Nginx configuration, so the HTTPS server block is added by hand afterwards. Note that the --nginx authenticator answers the challenge by temporarily editing the Nginx configuration rather than through the folder above; to answer it from that folder instead, run certbot with --webroot -w /var/www/letsencrypt.
sudo certbot certonly --nginx -d yourdomain.com -d www.yourdomain.com
Then point the HTTPS server block at the issued certificate chain and private key:
server {
    ...
    listen 443 ssl;
    listen [::]:443 ssl;
    ssl_certificate /etc/letsencrypt/live/yourdomain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/yourdomain.com/privkey.pem;
    ...
}