
Using LetsEncrypt To Secure Multiple Domains With Nginx

This article is aimed at developers. Before you start, you should already know a bit about VPS (Virtual Private Server) hosting, the difference between Apache and Nginx, and some basic server-side development.

Here are links that will get you started:

1) What is VPS?
2) Apache vs. Nginx
3) Let's Encrypt

 

Purpose – Secure Domains (websites) With a Free, Automated, and Open Certificate Authority

In plain English, Let’s Encrypt “simplifies the installation of SSL certificates” on your domains. The traditional way of securing a domain involves too many tasks and too much work… and it is much more expensive. Securing domains with “Let’s Encrypt” is a breeze.

Securing a single domain on a VPS is very straightforward, but installing separate SSL certificates for multiple domains on a single VPS takes a bit more setup (not that much, once you know how). This article shows you how to do that on Nginx, since there has not been a clear write-up on it so far (we have been meaning to write this one for a couple of months already).

You might ask… what about Apache? How about multiple domains on one single Apache server? Well… there is a very well written guide on DigitalOcean for that. Click the following to check it out:

How to Set Up Let’s Encrypt Certificates for Multiple Apache Virtual Hosts on Ubuntu 14.04

Note:
If you are using Ubuntu 16.04, no worries… it’s the same process all the way through ^_^

 

How To Secure Multiple Domains With Nginx?

First, thanks to DigitalOcean, which has been an outstanding outlet for all sorts of useful server-side resources; their single-domain setup is our starting point. You can and should take a look at how to secure a single domain in their post – How To Secure Nginx with Let’s Encrypt on Ubuntu 16.04. We will use that post as the main structure to walk you through the multiple-domain setup.

Note:

*) You need to install some prerequisite plugins. Please refer to DigitalOcean's post above.

The very first thing is to set up multiple domains (server blocks) on Nginx. Please refer to DigitalOcean’s – How To Set Up Nginx Server Blocks (Virtual Hosts) on Ubuntu 16.04

Now… we can start talking about installing SSL certificates. Assume that you have two domains: the first one is “example.com” and the second one is “test.com”.

 

Step 1 — Installing Certbot

Please refer to the Digital Ocean post.

 

Step 2 — Setting up Nginx

Please refer to the DigitalOcean post. In the “/etc/nginx/sites-available/” folder, you should now see 3 files: “default”, “example.com”, and “test.com”.

Then… we are going to do a bit of work on those 3 files.

/etc/nginx/sites-available/default

server {
    listen 80 default_server;
    listen [::]:80 default_server;

    root /var/www/html;
    index index.php index.html index.htm index.nginx-debian.html;

    server_name xx.xx.xx.xx;

    location / {
        try_files $uri $uri/ =404;
    }
}

Note:
The server_name in the default file should be your server’s IP address. Replace xx.xx.xx.xx with your server’s IP address. Because this block is marked default_server, it answers every request whose Host header matches none of the other server_name values, so keep it pointed at the bare IP rather than at one of your domains.

/etc/nginx/sites-available/example.com

server {
    listen 80;
    listen [::]:80;

    root /var/www/example.com/html;
    index index.php index.html index.htm index.nginx-debian.html;

    server_name example.com www.example.com;

    location / {
        try_files $uri $uri/ =404;
    }
}

/etc/nginx/sites-available/test.com

server {
    listen 80;
    listen [::]:80;

    root /var/www/test.com/html;
    index index.php index.html index.htm index.nginx-debian.html;

    server_name test.com www.test.com;

    location / {
        try_files $uri $uri/ =404;
    }
}

 

Then… finish step 2 by following the DigitalOcean article’s instructions.

Step 3 — Updating the Firewall

Please refer to the Digital Ocean post.

Step 4 — Obtaining an SSL Certificate

Please refer to the DigitalOcean post. In this step we are going to obtain multiple SSL certificates, one per domain.

Generating the first SSL certificate (both names passed with -d end up on the same certificate as Subject Alternative Names)

sudo certbot --nginx -d example.com -d www.example.com

Generating the second SSL certificate

sudo certbot --nginx -d test.com -d www.test.com

 

Now… we need to modify the “/etc/nginx/sites-available/example.com” and “/etc/nginx/sites-available/test.com” files. You will have 2 server blocks in each file: one listening on port 80 that only redirects to HTTPS, and one listening on port 443 that serves the site.

/etc/nginx/sites-available/example.com

server {
    listen 80;
    listen [::]:80;
    server_name example.com www.example.com;
    # $server_name expands to the first name listed above, so a request for
    # www.example.com is redirected to https://example.com/...
    return 301 https://$server_name$request_uri;
}

server {
    # SSL configuration
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    include snippets/ssl-example.com.conf;
    include snippets/ssl-params.conf;

    root /var/www/example.com/html;

    # Add index.php to the list if you are using PHP
    index index.php index.html index.htm index.nginx-debian.html;

    server_name example.com www.example.com;

    location = /favicon.ico { log_not_found off; access_log off; }
    location = /robots.txt { log_not_found off; access_log off; allow all; }
    location ~* \.(css|gif|ico|jpeg|jpg|js|png)$ {
        expires max;
        log_not_found off;
    }

    # ACME challenge path used by Certbot. The dot is escaped so the regex
    # matches a literal ".well-known" instead of any single character.
    location ~ /\.well-known {
        allow all;
    }

    location / {
        # The /index.php fallback assumes a PHP handler location exists;
        # without one, use "=404" as in the port-80 blocks above.
        try_files $uri $uri/ /index.php$is_args$args;
    }

    # deny access to .htaccess files, if Apache's document root
    # concurs with nginx's one
    location ~ /\.ht {
        deny all;
    }
}

 

/etc/nginx/sites-available/test.com

server {
    listen 80;
    listen [::]:80;
    server_name test.com www.test.com;
    # $server_name expands to the first name listed above, so a request for
    # www.test.com is redirected to https://test.com/...
    return 301 https://$server_name$request_uri;
}

server {
    # SSL configuration
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    include snippets/ssl-test.com.conf;
    include snippets/ssl-params.conf;

    root /var/www/test.com/html;

    # Add index.php to the list if you are using PHP
    index index.php index.html index.htm index.nginx-debian.html;

    server_name test.com www.test.com;

    location = /favicon.ico { log_not_found off; access_log off; }
    location = /robots.txt { log_not_found off; access_log off; allow all; }
    location ~* \.(css|gif|ico|jpeg|jpg|js|png)$ {
        expires max;
        log_not_found off;
    }

    # ACME challenge path used by Certbot. The dot is escaped so the regex
    # matches a literal ".well-known" instead of any single character.
    location ~ /\.well-known {
        allow all;
    }

    location / {
        # The /index.php fallback assumes a PHP handler location exists;
        # without one, use "=404" as in the port-80 blocks above.
        try_files $uri $uri/ /index.php$is_args$args;
    }

    # deny access to .htaccess files, if Apache's document root
    # concurs with nginx's one
    location ~ /\.ht {
        deny all;
    }
}

Note:

*) You need 2 separate server blocks in each sites-available file: one for http (port 80) and the other for https (port 443). If the 301 redirect and the 443 listener end up in the same block, you will run into a redirect loop.

**) Since Let’s Encrypt updated Certbot, the server block for the secure connection is a bit different from the one above. It looks more like what is shown below. They will keep updating their software and the configuration may change a bit, but the overall concept is the same; you just need to adjust it accordingly.

server {
    listen 80;
    listen [::]:80;
    server_name test.com www.test.com;
    return 301 https://$server_name$request_uri;
}

server {
    # SSL configuration
    # The listen and certificate directives below are the ones
    # "certbot --nginx" inserts into the block (it tags each one
    # "managed by Certbot"). They are filled in here so the block is
    # complete; the paths are Certbot's default /etc/letsencrypt/live/<domain>/
    # layout, assumed rather than copied from the post.
    listen 443 ssl; # managed by Certbot
    listen [::]:443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/test.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/test.com/privkey.pem; # managed by Certbot

    root /var/www/test.com/html;
    ssl_dhparam /etc/ssl/certs/dhparam.pem;

    location = /favicon.ico { log_not_found off; access_log off; }
    location = /robots.txt { log_not_found off; access_log off; allow all; }
    location ~* \.(css|gif|ico|jpeg|jpg|js|png)$ {
        expires max;
        log_not_found off;
    }

    # ACME challenge path used by Certbot (dot escaped to match literally)
    location ~ /\.well-known {
        allow all;
    }

    # Add index.php to the list if you are using PHP
    index index.php index.html index.htm index.nginx-debian.html;

    server_name test.com www.test.com;

    location / {
        # The /index.php fallback assumes a PHP handler location exists;
        # without one, use "=404" as in the port-80 blocks above.
        try_files $uri $uri/ /index.php$is_args$args;
    }

    # deny access to .htaccess files, if Apache's document root
    # concurs with nginx's one
    location ~ /\.ht {
        deny all;
    }
}
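
Writing the two-block layout by hand for every domain is where copy-paste mistakes (and the redirect loop from the note above) creep in. The script below is an added example, not code from the original post or from DigitalOcean: it renders the port-80 redirect block and the port-443 TLS block for any number of domains, and refuses to write a file in which one block both listens on 443 and issues the 301. It assumes Certbot's default /etc/letsencrypt/live/<domain>/ certificate paths and the snippets/ssl-params.conf from the DigitalOcean article; the function names (render_site, check_no_redirect_loop, main) and the OUT_DIR variable are this script's own. It uses $host rather than $server_name in the redirect so that www.example.com is not silently folded into example.com, and it keeps /.well-known/acme-challenge/ reachable over plain HTTP so renewals still work when everything else is redirected.

```shell
#!/bin/sh
# Added example (not from the original post): render the per-domain nginx
# layout the article describes and check it for the redirect-loop trap.
# Assumed: certbot's default /etc/letsencrypt/live/<domain>/ paths and an
# existing snippets/ssl-params.conf. Function/variable names are hypothetical.

render_site() {
    domain="$1"
    root="${2:-/var/www/$domain/html}"
    cat <<EOF
server {
    listen 80;
    listen [::]:80;
    server_name $domain www.$domain;

    # keep the ACME challenge path reachable over plain HTTP so renewals work
    location ^~ /.well-known/acme-challenge/ {
        root $root;
    }

    # \$host is used instead of \$server_name so www.$domain stays www.$domain
    location / {
        return 301 https://\$host\$request_uri;
    }
}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name $domain www.$domain;

    ssl_certificate     /etc/letsencrypt/live/$domain/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/$domain/privkey.pem;
    include snippets/ssl-params.conf;

    root $root;
    index index.html index.htm;

    location / {
        try_files \$uri \$uri/ =404;
    }

    # never serve .htaccess / .htpasswd left over from Apache
    location ~ /\\.ht {
        deny all;
    }
}
EOF
}

# Reject a rendered config in which a single server block both terminates
# TLS (listen 443) and issues the HTTPS redirect: that is the loop the
# article warns about. Exit status 0 = clean, 1 = loop found.
check_no_redirect_loop() {
    printf '%s\n' "$1" | awk '
        $1 == "server" && $2 == "{" { has443 = 0; has301 = 0 }
        /listen 443/                { has443 = 1 }
        /return 301 https/          { has301 = 1 }
        $0 == "}"                   { if (has443 && has301) bad = 1 }
        END                         { exit (bad ? 1 : 0) }'
}

# Usage:  sh render-sites.sh example.com test.com          # print to stdout
#         OUT_DIR=/etc/nginx/sites-available sh render-sites.sh example.com test.com
# After writing, run "nginx -t" and reload nginx as usual.
main() {
    for d in "$@"; do
        conf="$(render_site "$d")"
        check_no_redirect_loop "$conf" || { echo "refusing to write $d: redirect loop" >&2; exit 1; }
        if [ -n "${OUT_DIR:-}" ]; then
            printf '%s\n' "$conf" > "$OUT_DIR/$d"
        else
            printf '%s\n' "$conf"
        fi
    done
}

if [ "$#" -gt 0 ]; then
    main "$@"
fi
```

Adding a third domain is then a matter of appending its name to the command line; the per-domain certificate still has to be obtained with certbot first, exactly as in Step 4, because nginx will refuse to start if the ssl_certificate paths do not exist yet.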

 

Step 5 — Updating Diffie-Hellman Parameters

Please refer to the Digital Ocean post.

Step 6 — Setting Up Auto Renewal

Please refer to the Digital Ocean post.

Sum up

It’s quite a bit of work, but if you follow the steps above you shouldn’t have any issues. There is a lot of debate about which web server (Apache vs. Nginx) tech companies should use. Our stance is that you should pick the one you feel most comfortable with. For instance, if you are already using Apache, just stick with it… unless you want to experiment with new stuff, you don’t need to jump ship to Nginx for trivial improvements at the cost of the huge workload that is guaranteed to follow.
