How to redirect HTTP to HTTPS in Nginx

When I installed the Let's Encrypt SSL certificate, it was working fine. Some of the sites were automatically redirected from HTTP to HTTPS; however, for some sites it was not happening. Here is the server block code. Simply copy and paste this before your existing server block and it will redirect HTTP to HTTPS.


server {
        listen 80 default_server;
        listen [::]:80 default_server;
        server_name _;
        return 301 https://$host$request_uri;
}

Please do let me know if this addressed your requirement.

How to generate letsencrypt Wildcard SSL certificate Step-By-Step

In 2017 Let's Encrypt announced that it would begin issuing wildcard certificates in January of 2018. While installing it, I faced lots of issues, but thanks to the Let's Encrypt community and support, I was able to do it. Here is documentation of the whole process, which will help you do this quickly.


sudo certbot --server https://acme-v02.api.letsencrypt.org/directory -d example.com -d '*.example.com' --manual --preferred-challenges dns-01 certonly

After you run this command, you need to agree to your server's IP address being logged publicly.

Also, you need to have access to add a TXT record at your hosting provider. [Screenshot: adding a TXT record in DigitalOcean]

Once you have added the TXT record as required, please wait for 1-3 seconds before hitting Enter.

$ sudo certbot --server https://acme-v02.api.letsencrypt.org/directory -d goingplaces.me -d *.goingplaces.me --manual --preferred-challenges dns-01 certonly
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for goingplaces.me
dns-01 challenge for goingplaces.me

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
NOTE: The IP of this machine will be publicly logged as having requested this
certificate. If you're running certbot in manual mode on a machine that is not
your server, please ensure you're okay with that.

Are you OK with your IP being logged?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: y

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name
_acme-challenge.goingplaces.me with the following value:

xxxxxxxxxxxxxx_yyyyyyyyyy_zzzzzzzzzzzzzzzzz

Before continuing, verify the record is deployed.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name
_acme-challenge.goingplaces.me with the following value:

xxxxxxxxxxxxxxxxxxxx_yyyyyyyyyyyy_zzzzzzzzz

Before continuing, verify the record is deployed.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/example.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/example.com/privkey.pem
   Your cert will expire on 2018-12-27. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le
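In the session above certbot asks for two TXT values under the same _acme-challenge name, one for the base domain and one for the wildcard, and both must be published at the same time when validation runs. The script below is an added example, not part of the original post: it checks that every expected value is served by each authoritative nameserver before you press Enter. It assumes `dig` is installed; the function names and the script name are illustrative.

```shell
#!/bin/sh
# Added example (not from the original post): confirm that every dns-01 TXT
# value certbot printed is visible on all authoritative nameservers.

# Turn `dig +short TXT` output into one bare value per line: a record split
# into several quoted strings ("abc" "def") is joined, outer quotes dropped.
normalize_txt() {
    sed -e 's/" "//g' -e 's/^"//' -e 's/"$//'
}

# txt_has_all <dig-output> <value>...
# Succeeds only if each expected value exactly equals one published record.
txt_has_all() {
    local records want
    records=$(printf '%s\n' "$1" | normalize_txt)
    shift
    [ "$#" -gt 0 ] || return 2
    for want in "$@"; do
        [ -n "$want" ] || return 2
        printf '%s\n' "$records" | grep -Fxq -- "$want" || return 1
    done
}

# check_challenge <domain> <value>...
# Asks each authoritative nameserver directly, bypassing resolver caches.
check_challenge() {
    local domain ns out seen rc
    domain=$1; seen=0; rc=0
    shift
    for ns in $(dig +short NS "$domain"); do
        seen=1
        out=$(dig +short TXT "_acme-challenge.$domain" "@$ns")
        if txt_has_all "$out" "$@"; then
            echo "ok       $ns"
        else
            echo "MISSING  $ns"
            rc=1
        fi
    done
    [ "$seen" -eq 1 ] || { echo "no NS records found for $domain" >&2; return 1; }
    return "$rc"
}

# Usage: sh check_txt.sh example.com <first-value> <second-value>
if [ "$#" -ge 2 ]; then
    check_challenge "$@"
fi
```

A "MISSING" line usually means the second value replaced the first in the DNS panel instead of being added next to it, or that one nameserver has not picked up the change yet.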

The above command is run with certonly, meaning you need to add the configuration manually to your nginx configuration file.

Add the lines below to the main server block:


 # managed by Certbot

    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

and add a new server block:


server {
    if ($host = www.example.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot


    if ($host = example.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot


    server_name example.com www.example.com;
    listen 80;
    return 404; # managed by Certbot
}

How to resolve error “The requested nginx plugin does not appear to be installed”

I had installed Let's Encrypt SSL as per this tutorial and it was working fine; however, when I tried to install a new certificate I got the following error:

$ sudo certbot --nginx -d vatadya.com -d www.vatadya.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
The requested nginx plugin does not appear to be installed

I reinstalled the PPA from the repository ppa:certbot/certbot and reinstalled “python-certbot-nginx”, but it still did not resolve the problem. Finally, the following installation resolved the error.

$ sudo python3.6 -m pip install certbot-nginx

Once this was installed, the following command worked fine:

$ sudo certbot --nginx -d example.com -d www.example.com

How to delete or renew Letsencrypt Certificate

Normally we let an issued certificate expire as per its timeline, but sometimes we might have to revoke or delete the SSL certificate. Please follow the steps below to do so.

Checking where files are stored.

Let us go to /etc/letsencrypt, where you will find the following folder structure:

/etc/letsencrypt$ ls -la
total 56
drwxr-xr-x  9 root root 4096 Aug 19 17:12 .
drwxr-xr-x 99 root root 4096 Aug 15 06:39 ..
drwx------  4 root root 4096 May  1 12:24 accounts
drwx------  8 root root 4096 Aug 19 12:27 archive
-rw-r--r--  1 root root  121 Mar 21 10:24 cli.ini
drwxr-xr-x  2 root root 4096 Aug 19 12:27 csr
drwx------  2 root root 4096 Aug 19 12:27 keys
drwx------  8 root root 4096 Aug 19 12:27 live
-rw-r--r--  1 root root 1143 May  1 11:50 options-ssl-nginx.conf
drwxr-xr-x  2 root root 4096 Aug 19 12:27 renewal
drwxr-xr-x  5 root root 4096 May  1 11:50 renewal-hooks
-rw-r--r--  1 root root  424 May  1 11:50 ssl-dhparams.pem
-rw-r--r--  1 root root   64 May  1 11:50 .updated-options-ssl-nginx-conf-digest.txt
-rw-r--r--  1 root root   64 May  1 11:50 .updated-ssl-dhparams-pem-digest.txt

I tried to access the accounts and archive folders but it did not let me:

/etc/letsencrypt$ cd accounts/
-bash: cd: accounts/: Permission denied

Let us find where the required domains are stored:

/etc/letsencrypt$ sudo find /etc/letsencrypt/ -name "*techtrekking*"
/etc/letsencrypt/archive/techtrekking.net
/etc/letsencrypt/live/techtrekking.net
/etc/letsencrypt/renewal/techtrekking.net.conf

Deleting the required certificate

sudo certbot delete is the simple command to delete certificates.

/etc/letsencrypt$ sudo certbot delete 
Saving debug log to /var/log/letsencrypt/letsencrypt.log

Which certificate(s) would you like to delete?
-------------------------------------------------------------------------------
1: mydomain.com
2: mydomain.com
3: mydomain.me
4: techtrekking.net
5: mydomain.com
6: mydomain.me
-------------------------------------------------------------------------------
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 4

-------------------------------------------------------------------------------
Deleted all files relating to certificate techtrekking.net.
-------------------------------------------------------------------------------

How to renew letsencrypt certificate manually

It is simpler than I thought. Simply run the command sudo certbot renew and it will renew whichever certificates are due for renewal. For the others, you will get a message that the domain is not due for renewal yet.

/etc/letsencrypt$ sudo certbot renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log

-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/mydomain.com.conf
-------------------------------------------------------------------------------
Cert not yet due for renewal

-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/mydomain.me.conf
-------------------------------------------------------------------------------
Cert not yet due for renewal

-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/mydomain.net.conf
-------------------------------------------------------------------------------
Cert not yet due for renewal

-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/mydomain.com.conf
-------------------------------------------------------------------------------
Cert not yet due for renewal

-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/mydomain.me.conf
-------------------------------------------------------------------------------
Cert not yet due for renewal

-------------------------------------------------------------------------------

The following certs are not due for renewal yet:
  /etc/letsencrypt/live/mydomain.com/fullchain.pem expires on 2018-09-28 (skipped)
  /etc/letsencrypt/live/mydomain.me/fullchain.pem expires on 2018-11-09 (skipped)
  /etc/letsencrypt/live/techtrekking.net/fullchain.pem expires on 2018-09-28 (skipped)
  /etc/letsencrypt/live/mydomain.com/fullchain.pem expires on 2018-11-17 (skipped)
  /etc/letsencrypt/live/mydomain.me/fullchain.pem expires on 2018-11-09 (skipped)
No renewals were attempted.
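A certificate issued with --manual, like the wildcard one earlier on this page, cannot answer its DNS challenge unattended unless an authentication hook is configured, so it is worth watching the expiry dates in this summary. The function below is an added example, not part of the original post: it reads `certbot renew` output and lists certificates at or below a chosen number of days left. It assumes the "expires on YYYY-MM-DD" line format shown above; the function name is illustrative.

```shell
#!/bin/sh
# Added example (not from the original post): list certificates that are
# close to expiry, using the summary lines printed by `certbot renew`.

# expiring_certs <today YYYY-MM-DD> <max-days-left>
# Reads `certbot renew` output on stdin and prints "<days-left> <path>" for
# every "<path> expires on <date> ..." line at or below the limit.
# An already expired certificate shows a negative day count.
expiring_certs() {
    awk -v today="$1" -v limit="$2" '
    # Days since 1970-01-01 for a Gregorian calendar date.
    function epoch_days(y, m, d,    era, yoe, doy, doe) {
        if (m <= 2) y--
        era = int((y >= 0 ? y : y - 399) / 400)
        yoe = y - era * 400
        doy = int((153 * (m > 2 ? m - 3 : m + 9) + 2) / 5) + d - 1
        doe = yoe * 365 + int(yoe / 4) - int(yoe / 100) + doy
        return era * 146097 + doe - 719468
    }
    function to_days(s,    p) {
        if (split(s, p, "-") != 3) return -1
        return epoch_days(p[1] + 0, p[2] + 0, p[3] + 0)
    }
    BEGIN { now = to_days(today) }
    $2 == "expires" && $3 == "on" {
        left = to_days($4) - now
        if (left <= limit) print left, $1
    }'
}

# Usage: sudo certbot renew 2>&1 | sh expiring.sh "$(date +%F)" 30
if [ "$#" -eq 2 ]; then
    expiring_certs "$1" "$2"
fi
```

Any certificate still listed with fewer days left than your renewal window means renewal is not happening for it and needs a manual run.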