# Let's Encrypt

## Working with NGINX configs locally

Sync your local file to the server (run after every update):

```bash
rsync -rtvpl path/to/local/leviolson.com.conf base-droplet:/etc/nginx/sites-available/
```

Create a symlink in nginx `sites-enabled`:

```bash
ssh base-droplet ln -s /etc/nginx/sites-available/leviolson.com.conf /etc/nginx/sites-enabled/
```

Restart Nginx after each `rsync` command:

```bash
ssh base-droplet sudo service nginx restart
```

## Setup NGINX for cert creation

At this point nginx must be configured minimally: port 80 has to serve plain HTTP requests, and nothing may redirect them to port 443 or fail because HTTPS is not set up yet. Our full nginx config (the final state further down) redirects to HTTPS, which would make the Let's Encrypt HTTP challenge fail, so use this stripped-down config first.

```nginx
server {
    listen 80;
    server_name leviolson.com www.leviolson.com;

    location / {
        proxy_pass http://localhost:3000; # port must match the node app
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_set_header Host $host;
        proxy_cache_bypass $http_upgrade;
    }
}
```

Sync this file:

```bash
rsync -rtvpl ./leviolson.com.conf base-droplet:/etc/nginx/sites-available/
```

Restart Nginx:

```bash
ssh base-droplet sudo service nginx restart
```

## Create the cert

```bash
sudo certbot certonly --nginx --manual -d leviolson.com -d www.leviolson.com
```

This starts the process of generating a cert for the two domain names provided. As part of that process Let's Encrypt will request `.well-known/acme-challenge/{file}`, where `{file}` is provided by the command output, as are the file's contents. Something like the following creates the file for you:

```bash
# run this in the directory that is served as .well-known/acme-challenge/
echo "long string provided" > {file}
```

After creating the file(s), you can complete the cert process, and at that point you need to change the nginx conf file.
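The minimal config above proxies every path, including `/.well-known/acme-challenge/`, to the Node app, so the challenge file only works if the app serves it (the `echo` above has to land in a directory the app exposes). The following port-80 server block is an added example, not from the original notes, that serves the challenge straight from disk instead; the webroot path `/var/www/letsencrypt` is an assumption (create it and make it readable by the nginx user). With it, `certbot certonly --webroot -w /var/www/letsencrypt -d leviolson.com -d www.leviolson.com` can replace the `--manual` flow and renews unattended, because the challenge file is written and served without a human in the loop.

```nginx
# Added example; assumed webroot: /var/www/letsencrypt
server {
    listen 80;
    server_name leviolson.com www.leviolson.com;

    # ACME HTTP-01 challenge: served from disk, never proxied to the Node app
    # and never redirected. "^~" keeps regex locations from overriding it.
    # The token file then lives at
    # /var/www/letsencrypt/.well-known/acme-challenge/{file}
    location ^~ /.well-known/acme-challenge/ {
        root /var/www/letsencrypt;
        default_type text/plain;
    }

    # Everything else goes to HTTPS. Doing this in a location (not a
    # server-level "if ... return") matters: server-level return/if run in the
    # rewrite phase before any location is chosen, so they would redirect the
    # challenge request as well.
    location / {
        return 301 https://leviolson.com$request_uri;
    }
}
```

During first issuance, when no certificate exists yet, keep `location /` as the `proxy_pass` block from the minimal config so visitors are not redirected to a port 443 that is not listening; once the cert is in place, the redirect shown here replaces the certbot-generated port-80 server of the final state, whose server-level `if ... return 301` and `return 404` would redirect or 404 a later renewal challenge.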
## NGINX final state

```nginx
server {
    if ($host = www.leviolson.com) {
        return 301 https://leviolson.com$request_uri;
    }

    server_name leviolson.com www.leviolson.com;

    location / {
        proxy_pass http://localhost:3000; # port must match the node app
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_set_header Host $host;
        proxy_cache_bypass $http_upgrade;
    }

    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/leviolson.com-0001/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/leviolson.com-0001/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}

server {
    if ($host = leviolson.com) {
        return 301 https://$host$request_uri;
    }
    if ($host = www.leviolson.com) {
        return 301 https://leviolson.com$request_uri;
    }

    server_name leviolson.com www.leviolson.com;
    listen 80;
    return 404;
}
```

You'll want to verify the location of the `*.pem` files referenced in the nginx config above:

```bash
ssh base-droplet ls -al /etc/letsencrypt/live/leviolson.com-0001/
```

This should return something like the following (the files in `live/` are symlinks into `archive/`, which certbot repoints on each renewal):

```
total 12
drwxr-xr-x 2 root root 4096 Jul 20 18:14 .
drwxr-xr-x 7 root root 4096 Jul 20 19:21 ..
lrwxrwxrwx 1 root root   42 Jul 20 18:14 cert.pem -> ../../archive/leviolson.com-0001/cert1.pem
lrwxrwxrwx 1 root root   43 Jul 20 18:14 chain.pem -> ../../archive/leviolson.com-0001/chain1.pem
lrwxrwxrwx 1 root root   47 Jul 20 18:14 fullchain.pem -> ../../archive/leviolson.com-0001/fullchain1.pem
lrwxrwxrwx 1 root root   45 Jul 20 18:14 privkey.pem -> ../../archive/leviolson.com-0001/privkey1.pem
-rw-r--r-- 1 root root  692 Jul 20 18:14 README
```

Sync this file:

```bash
rsync -rtvpl ./leviolson.com.conf base-droplet:/etc/nginx/sites-available/
```

Restart Nginx:

```bash
ssh base-droplet sudo service nginx restart
```

## Some helpful debugging commands

Check that the node app is up under pm2:

```bash
pm2 status
```

Read the system journal (nginx start failures, such as an unreadable certificate, show up here):

```bash
journalctl -xe
```

Check the firewall:

```bash
sudo ufw status
```

This should include the port you are serving if you wish to have that port accessible to the public as well.
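Reading the `ls -al` output by eye misses the failure that actually bites after a renewal or a renamed lineage (the `-0001` suffix): a `live/` symlink that still exists but points at an archive file that is gone, which makes nginx refuse to start. The script below is an added example, not part of the original notes, that checks each of the four `*.pem` entries is a symlink and that it resolves; the directory is passed as an argument (the notes use `/etc/letsencrypt/live/leviolson.com-0001/`), and the expiry lookup is optional and only runs if `openssl` is installed.

```shell
#!/bin/sh
# Added example (not from the original notes): sanity-check a certbot "live"
# directory before pointing nginx at it. The directory is an argument; the
# notes use /etc/letsencrypt/live/leviolson.com-0001/.
#
# certbot keeps the real files under ../../archive/<name>/ and makes live/
# entries symlinks to the newest ones, so each entry must be a symlink AND
# must resolve to a readable file. A dangling link is what you get after the
# archive is renamed or cleaned, and nginx then fails with "cannot load
# certificate".

check_live_dir() {
  dir=$1
  rc=0
  for name in cert.pem chain.pem fullchain.pem privkey.pem; do
    f="$dir/$name"
    if [ ! -L "$f" ]; then
      echo "FAIL: $f is missing or not a symlink" >&2
      rc=1
    elif [ ! -r "$f" ]; then          # -r follows the link; a dangling link fails here
      echo "FAIL: $f -> $(readlink "$f") does not resolve" >&2
      rc=1
    else
      echo "ok:   $f -> $(readlink "$f")"
    fi
  done
  return $rc
}

# Informational: when does the served certificate expire? Needs openssl.
cert_expiry() {
  command -v openssl >/dev/null 2>&1 || { echo "openssl not installed; skipping expiry"; return 0; }
  openssl x509 -noout -enddate -in "$1/fullchain.pem"
}

# Usage on the droplet (as root, since live/ and archive/ are 0700):
#   sh check_live.sh /etc/letsencrypt/live/leviolson.com-0001
if [ -n "$1" ]; then
  check_live_dir "$1" && cert_expiry "$1"
fi
```

Run it before the `rsync` and restart step, and again after every `certbot renew`; a non-zero exit means the config above would bring nginx down, which is cheaper to learn here than from `journalctl -xe` after the restart.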