The Essential Guide to Domain Setup and SSL Security


Vijeth Simha

Posted on January 19, 2024


Thank you for taking the time to read this post.

In my last post, I discussed automating the deployment process using GitHub CI/CD. Building on that topic, this post will delve into how to connect your domain and attach SSL.

Before proceeding, I highly recommend checking the previous articles in the deployment series, as this post is a continuation of the previous two.

With that said, let's dive in.


Attach Domain

The first step is to edit the existing Nginx configuration file. You can do this by opening the file in a text editor, such as nano, with the following command:

sudo nano /etc/nginx/sites-available/<<YOUR_PROJECT_NAME>>

Note: For the following step to work, your domain's DNS record must already point to the DigitalOcean IP address; otherwise requests for the domain will never reach your server.

Add your domain to the configuration as shown below.

server {
    listen 80;
    server_name <<your_domain_name>>;

    location / {
        proxy_pass http://localhost:<<YOUR_NODE_JS_PORT>>;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_set_header Host $host;
        proxy_cache_bypass $http_upgrade;
    }
}

Replace <<your_domain_name>> with your domain name and <<YOUR_NODE_JS_PORT>> with the port number where your Node.js app is running.

You can test the configuration by running the command below:

sudo nginx -t

If you encounter an error, reopen the server block file and carefully review it for typos or missing characters. Once the syntax check passes, reload Nginx to apply the new configuration with the command below:

sudo systemctl reload nginx


Attach SSL

The first step in using Let’s Encrypt to obtain an SSL certificate is to install the Certbot software on your server. Execute the following command to do so:

sudo apt install certbot python3-certbot-nginx

If you have a firewall enabled, you'll need to adjust its settings to allow HTTPS traffic. Fortunately, Nginx registers several profiles with UFW (Uncomplicated Firewall) upon installation. You can check the current firewall status with:

sudo ufw status

To allow HTTPS traffic, enable the 'Nginx Full' profile, which covers both HTTP and HTTPS. This makes the separate 'Nginx HTTP' profile redundant, so you can remove it:

sudo ufw allow 'Nginx Full'
sudo ufw delete allow 'Nginx HTTP'

After these changes, verify the updated firewall status by running:

sudo ufw status

The status should now show as 'active' and list the 'Nginx Full' profile as allowed.

Certbot offers several methods to obtain SSL certificates, facilitated by its plugins. The Nginx plugin, in particular, is designed to automatically reconfigure Nginx and reload its configuration as needed. To use this plugin, enter the following command:

sudo certbot --nginx -d <<your_domain_name>>

Ensure you replace <<your_domain_name>> with your actual domain name.

When you run this command, Certbot will prompt you for several pieces of information:

  1. Email Address: For important notifications related to your SSL certificate.

  2. Terms and Conditions Acceptance: You'll need to agree to the Let's Encrypt terms of service.

  3. Redirection Details: Certbot will ask whether you want to redirect HTTP traffic to HTTPS, effectively enforcing a secure connection.
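Once Certbot has applied the redirect, the site file ends up with both an HTTP and an HTTPS server block. The layout below is an added example, not the post's own configuration or Certbot's verbatim output: it keeps the post's `<<your_domain_name>>` and `<<YOUR_NODE_JS_PORT>>` placeholders, uses the certificate paths Certbot's Nginx plugin writes, and adds a catch-all server so that requests carrying any other Host header are dropped instead of being proxied to the Node.js app.

```nginx
# Hardened layout after Certbot has run (added example, not from the original post).
# Placeholders <<...>> are the post's own; certificate paths are where Certbot's
# Nginx plugin writes them.

# Catch-all: a request whose Host header is not your domain gets no response at
# all (444 closes the connection) rather than reaching the Node.js app.
server {
    listen 80 default_server;
    listen 443 ssl default_server;
    server_name _;
    ssl_reject_handshake on;   # nginx >= 1.19.4; older builds need a placeholder cert here instead
    return 444;
}

# Plain HTTP: redirect only, never serve the app unencrypted.
server {
    listen 80;
    server_name <<your_domain_name>>;
    return 301 https://$host$request_uri;
}

# HTTPS: modelled on the block Certbot's --nginx plugin produces, with forwarding
# headers added so the Node.js app sees the real client IP and knows it was HTTPS.
server {
    listen 443 ssl;
    server_name <<your_domain_name>>;

    ssl_certificate     /etc/letsencrypt/live/<<your_domain_name>>/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/<<your_domain_name>>/privkey.pem;
    include /etc/letsencrypt/options-ssl-nginx.conf;   # Certbot's TLS protocol and cipher settings
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;

    location / {
        proxy_pass http://localhost:<<YOUR_NODE_JS_PORT>>;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_cache_bypass $http_upgrade;
    }
}
```

Run `sudo nginx -t` after editing, as above; if your Nginx predates 1.19.4 the test will reject `ssl_reject_handshake`, in which case give the catch-all server a self-signed placeholder certificate instead.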

Let’s Encrypt's certificates have a validity period of ninety days. This relatively short duration is intentional, aimed at encouraging users to automate the process of certificate renewal.

Fortunately, the certbot package we've already installed simplifies this process: it adds a systemd timer that runs twice daily and automatically renews any certificate that is within thirty days of expiration.

You can query the status of the timer with systemctl:

sudo systemctl status certbot.timer

The output should show the timer as active.

To test the renewal process without making any actual changes, you can perform a dry run with certbot using the following command:

sudo certbot renew --dry-run

If the dry run completes without any errors, you're all set. Certbot will handle the renewal of your certificates and will ensure that Nginx is reloaded to apply the changes.

In the event that the automated renewal process encounters an issue, Let’s Encrypt will send a notification to the email address you provided. This notification will serve as a warning, alerting you when your certificate is nearing its expiration date.
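Relying on that e-mail alone means a silent renewal failure is noticed only when the warning arrives, so it is worth running an independent expiry check from cron or a monitor. The script below is an added example, not part of the original post: it reads the certificate actually served on port 443 with `openssl`, computes the days left without depending on GNU `date -d`, and exits non-zero when the certbot timer has evidently not renewed. The domain is passed as an argument.

```sh
#!/bin/sh
# Independent certificate-expiry check (added example, not from the original post).
# Exit status: 0 fine, 1 renewal overdue, 2 certificate unreadable. Needs only openssl.
set -u

# Days since 1970-01-01 for a UTC civil date (Hinnant's days_from_civil), so the
# script does not depend on GNU `date -d` and also works on BusyBox/BSD hosts.
days_from_civil() {
    y=$1 m=$2 d=$3
    if [ "$m" -le 2 ]; then y=$((y - 1)); fi
    era=$((y / 400)); yoe=$((y - era * 400))
    if [ "$m" -gt 2 ]; then mp=$((m - 3)); else mp=$((m + 9)); fi
    doy=$(( (153 * mp + 2) / 5 + d - 1 ))
    doe=$(( yoe * 365 + yoe / 4 - yoe / 100 + doy ))
    echo $(( era * 146097 + doe - 719468 ))
}

# openssl notAfter string ("Jan 31 00:00:00 2024 GMT") -> Unix epoch seconds.
not_after_epoch() {
    set -- $1                        # word-split into: Mon DD HH:MM:SS YYYY GMT
    case "$1" in
        Jan) m=1;; Feb) m=2;; Mar) m=3;; Apr) m=4;;  May) m=5;;  Jun) m=6;;
        Jul) m=7;; Aug) m=8;; Sep) m=9;; Oct) m=10;; Nov) m=11;; Dec) m=12;;
        *) return 2;;
    esac
    hh=${3%%:*}; rest=${3#*:}; mm=${rest%%:*}; ss=${rest#*:}
    days=$(days_from_civil "$4" "$m" "${2#0}")
    # ${x#0} drops one leading zero so "08" is not parsed as an invalid octal literal
    echo $(( days * 86400 + ${hh#0} * 3600 + ${mm#0} * 60 + ${ss#0} ))
}

# Whole days from $2 (epoch seconds, default now) until the notAfter date in $1.
days_until() {
    expiry=$(not_after_epoch "$1") || return 2
    now=${2:-$(date -u +%s)}
    echo $(( (expiry - now) / 86400 ))
}

# notAfter of the certificate actually served on port 443 (network call).
served_not_after() {
    openssl s_client -servername "$1" -connect "$1:443" </dev/null 2>/dev/null \
        | openssl x509 -noout -enddate | sed 's/^notAfter=//'
}

# Usage: sh check-cert.sh your.domain  (certbot renews at <30 days left, so less means the timer is failing)
if [ "$#" -gt 0 ]; then
    left=$(days_until "$(served_not_after "$1")") || { echo "cannot read certificate for $1"; exit 2; }
    echo "$1: certificate expires in $left days"
    [ "$left" -ge 30 ] || { echo "WARN: automatic renewal appears to be failing"; exit 1; }
fi
```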

That's it for this guide.

Thank you so much for reading through to the end!


Finally

As you embark on this journey, feel free to use my project as a practical example to follow along with the steps outlined above.

Should you encounter any challenges or have questions during the process, please don't hesitate to leave a comment below.

Feel free to reach out to me on
