Jun 27, 2024 8 min read

How to Secure Nginx with Let’s Encrypt on Debian 12

Secure Nginx with Let’s Encrypt on Debian 12 with our step-by-step tutorial. Let's Encrypt provides free HTTPS certificates for secure connections.


Introduction

Before we begin talking about how to secure Nginx with Let’s Encrypt on Debian 12, let's briefly understand – What is Let’s Encrypt?

Let's Encrypt is a free, automated, and open certificate authority that provides secure HTTPS certificates. It allows website owners to encrypt their visitors' connections without any cost. Let's Encrypt is backed by major organizations like Mozilla, EFF, and Cisco, ensuring security and compatibility.

With Let's Encrypt, websites can improve trust, protect sensitive data, and enhance search engine rankings by enabling secure connections.

In this tutorial, you will learn how to secure Nginx with Let’s Encrypt on Debian 12. We will also address a few FAQs on how to secure Nginx with Let’s Encrypt on Debian 12.

Section 1: Install Certbot for Nginx on Debian 12

This section covers installing Certbot for Nginx on Debian 12. Certbot is a tool that simplifies obtaining and installing TLS certificates from Let's Encrypt, and its Nginx plugin integrates with the web server so you can enable HTTPS with very little manual configuration.

Step 1: Update Debian Package Repositories Before Certbot for Nginx Installation

Before installing Certbot, make sure all installed packages on your Debian system are up to date. Keeping the system current ensures you get the most recent version of Certbot and its dependencies. Run the following command to refresh the package lists and upgrade the installed packages:

sudo apt update && sudo apt upgrade

Step 2: Install Certbot Nginx Plugin on Debian 12

Once the system is updated, install Certbot together with its Nginx plugin. The plugin is required because it lets Certbot talk to Nginx: it automates obtaining and renewing certificates and configures Nginx to use them. Run the following command to install both:

sudo apt install certbot python3-certbot-nginx

Section 2: Setting Up Nginx and Let’s Encrypt Certificate on Debian 12

This section will walk you through setting up Nginx and using Certbot to create a Let's Encrypt SSL certificate for your domain. We'll also go over how to use different options to make your server configuration more secure.

Step 1: Generate Let’s Encrypt Certificate on Debian

Before continuing, you must have a domain name that resolves to the IP address of your server. A certificate is issued for a domain name, and Let's Encrypt verifies that you control the domain you are trying to secure before issuing it.

Step 2: Certbot Configuration and SSL Certificate Generation on Debian

The next step is to run Certbot to generate and install an SSL certificate for your domain after installing Certbot and its Nginx plugin successfully.

Using the --nginx option tells Certbot that we are running Nginx. Other options that contribute to a more secure setup are also included in the command to run Certbot.

The --agree-tos option tells Certbot that you accept Let's Encrypt's terms of service. The --redirect option makes Certbot configure a permanent (301) redirect from HTTP to HTTPS so that all traffic to your website is encrypted. The --hsts option adds a Strict-Transport-Security header so browsers only connect to your server over HTTPS. Finally, the --staple-ocsp option enables OCSP stapling, which speeds up the TLS handshake while preserving visitor privacy, because the browser no longer has to contact the CA itself.

Let's Encrypt uses the email address you enter when selecting the --email option to send notifications about your SSL certificate, like security alerts and reminders to renew.

Kindly change yourdomain.com to your domain name and [email protected] to your real email address. Execute the subsequent command:

sudo certbot --nginx --agree-tos --redirect --hsts --staple-ocsp --email [email protected] -d yourdomain.com

After the command is successfully executed, Certbot will create an SSL certificate for your domain, set up Nginx to use it, and implement the required security settings. As a result, your website will be reachable via HTTPS and your server's connection will be secure.

Step 3: Alternative Certbot Configuration Method on Debian 12

Certbot offers an alternative method that asks you for information and configuration choices if you prefer a more guided and interactive approach. Here's how to apply this technique:

Execute the subsequent command:

sudo certbot --nginx

Certbot starts an interactive session. The prompts you may see are described below:

  1. Enter email address (used for urgent renewal and security notices): Provide your email address. Let's Encrypt uses it to contact you about your certificates.
  2. Agree to the Let’s Encrypt terms of service: You must accept the terms of service. Enter A to agree.
  3. Share your email with the Electronic Frontier Foundation for updates on their work: Enter Y for "yes" if you wish to support the EFF, or N for "no."
  4. Which names would you like to activate HTTPS for: Certbot lists the domain names it can issue certificates for. Enter the numbers that correspond to your domains, or leave the input blank to select all of them.
  5. Select the appropriate action: You will be given the option to either:
  • 1: Attempt to reinstall the certificate
  • 2: Renew & replace the certificate (limit ~5 per 7 days).

Select the option that suits your needs.

  6. Choose whether or not to redirect HTTP traffic to HTTPS: You'll be asked whether HTTP requests should be redirected to HTTPS. This is generally recommended for websites:
  • 1: No redirect – Make no further changes to the webserver configuration.
  • 2: Redirect – Make all requests redirect to secure HTTPS access.

Select option 2 for better security.

When the process completes, Certbot prints a summary message containing the location of your certificate files and additional details.

Section 3: Establish Automatic Renewal for Nginx SSL Certificates with Cron on Debian 12

Let's Encrypt certificates are valid for 90 days. To avoid service interruptions caused by an expired certificate, you should set up automatic renewal. Certbot provides a dedicated command for renewing certificates, and cron, the job scheduler built into Linux systems, can run it on a schedule.

Step 1: Trial Run of Certificate Renewal on Debian

It's wise to make sure the renewal process works properly before committing to an automatic renewal schedule. To achieve this, start a "dry run," which mimics the renewal process without implementing any real changes:

sudo certbot renew --dry-run

Step 2: Setting up the Certificate Renewal Schedule on Debian

Now that the test run has gone smoothly, you can proceed to setting up the automatic certificate renewals. To start, use the following command to open the crontab file in edit mode:

sudo crontab -e

Then, add the line that follows to the bottom of the file. At 2:30 AM, this line initiates a daily renewal check:

30 2 * * * /usr/bin/certbot renew --quiet

Once you save and close the file, automatic renewal is configured. Cron will run the renewal check every day, and the --quiet flag keeps the job silent unless an error occurs.
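To see what `certbot renew` decides on each run, here is an added example (not from the tutorial) that reproduces the expiry test with openssl on two constructed self-signed certificates; the 30-day threshold is certbot's default, and the file names stand in for /etc/letsencrypt/live/yourdomain.com/cert.pem.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: reproduce the check that
# "certbot renew" performs on each certificate before deciding to renew it.
# Certbot renews when fewer than 30 days of validity remain. openssl's
# -checkend answers the same question portably (no GNU date arithmetic).
set -eu

RENEW_WINDOW_DAYS=30   # certbot's default renewal threshold

# needs_renewal CERT [DAYS]: exit 0 if CERT expires within DAYS, 1 otherwise.
needs_renewal() {
    cert=$1
    window_secs=$(( ${2:-$RENEW_WINDOW_DAYS} * 86400 ))
    # -checkend exits 0 when the certificate is still valid after the window,
    # so the result is inverted here.
    if openssl x509 -noout -checkend "$window_secs" -in "$cert" >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# Constructed test material: two self-signed certs standing in for
# /etc/letsencrypt/live/yourdomain.com/cert.pem, one fresh and one near expiry.
make_test_cert() {   # make_test_cert NAME DAYS  (writes $WORK/NAME.pem)
    openssl req -x509 -newkey rsa:2048 -nodes -days "$2" \
        -subj "/CN=yourdomain.com" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.pem" >/dev/null 2>&1
}

WORK=$(mktemp -d)
make_test_cert fresh 90   # just issued: the 90-day Let's Encrypt lifetime
make_test_cert old 10     # 10 days left: inside the renewal window

for c in fresh old; do
    if needs_renewal "$WORK/$c.pem"; then
        echo "$c.pem: renewal due"
    else
        echo "$c.pem: still valid for more than $RENEW_WINDOW_DAYS days"
    fi
done
```

On Debian the certbot package also installs a systemd unit, certbot.timer, that runs `certbot renew` twice a day, so the cron entry above duplicates that schedule rather than replacing it; running both is harmless because nothing is renewed until a certificate is inside the window.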

Section 4: Enhance SSL with NGINX Configuration on Debian 12

In this section you will tune the NGINX settings for your domain to get the best combination of security and performance. This includes pointing NGINX at the SSL certificates, configuring session parameters, and applying the security-related directives described below.

Step 1: Edit the NGINX Configuration File

The first step is to open the domain configuration file in NGINX. Run the following command:

sudo nano /etc/nginx/sites-available/your_domain

This opens the domain configuration file in the nano text editor. Once the file is open, modify the server block as described in the following steps.

Step 2: Specify SSL Certificates and Key

First, specify the location of your SSL certificate and private key:

ssl_certificate /path/to/signed_cert_plus_intermediates;
ssl_certificate_key /path/to/private_key;
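Before pointing these two directives at files, it is worth confirming that the key belongs to the certificate and that the certificate file really carries the intermediates. The following shell script is an added example, not part of the tutorial; it assumes certbot's default layout (/etc/letsencrypt/live/yourdomain.com/fullchain.pem and privkey.pem) for the real files and runs on constructed self-signed stand-ins so it works offline.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: sanity-check the files
# named by ssl_certificate and ssl_certificate_key. Two failure modes are
# caught: a private key that does not belong to the certificate (nginx then
# refuses to start), and a "signed_cert_plus_intermediates" file that holds
# only the leaf, which breaks chain building for clients lacking the CA's
# intermediate certificate.
set -eu

# key_matches_cert CERT KEY: exit 0 if the key's public half equals the cert's.
key_matches_cert() {
    cert_pub=$(openssl x509 -noout -pubkey -in "$1" \
        | openssl pkey -pubin -outform DER | od -An -tx1 | tr -d ' \n')
    key_pub=$(openssl pkey -in "$2" -pubout -outform DER | od -An -tx1 | tr -d ' \n')
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# chain_depth FILE: number of PEM certificates in FILE (a fullchain needs >= 2).
chain_depth() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# Constructed stand-ins for certbot's /etc/letsencrypt/live/yourdomain.com/*.
WORK=$(mktemp -d)
openssl req -x509 -newkey rsa:2048 -nodes -days 90 -subj "/CN=yourdomain.com" \
    -keyout "$WORK/privkey.pem" -out "$WORK/cert.pem" >/dev/null 2>&1
# An unrelated key plays the role of a mix-up (wrong file copied into place).
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$WORK/wrong.pem" 2>/dev/null
# A constructed "intermediate" (self-signed here) appended to the leaf.
openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj "/CN=Constructed Intermediate CA" \
    -keyout "$WORK/inter.key" -out "$WORK/inter.pem" >/dev/null 2>&1
cat "$WORK/cert.pem" "$WORK/inter.pem" > "$WORK/fullchain.pem"

for key in privkey wrong; do
    if key_matches_cert "$WORK/cert.pem" "$WORK/$key.pem"; then
        echo "$key.pem matches cert.pem"
    else
        echo "$key.pem does NOT match cert.pem"
    fi
done
echo "cert.pem holds $(chain_depth "$WORK/cert.pem") certificate(s), fullchain.pem holds $(chain_depth "$WORK/fullchain.pem")"
```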

Step 3: Configure SSL Sessions

Next, configure the SSL session parameters. These control how long sessions are kept and let returning clients resume secure connections quickly:

ssl_session_timeout 1d;
ssl_session_cache shared:MozSSL:10m;  # approximately 40000 sessions
ssl_session_tickets off;

Step 4: Configure Diffie-Hellman Parameters

Diffie-Hellman (DH) parameters should be configured to strengthen the setup further. The DH parameters are used for the key exchange that establishes the shared secret of an SSL/TLS connection.

First, create a Diffie-Hellman parameter file. Longer parameters are stronger: 2048 and 4096 bits are the common choices. 2048 bits is usually considered sufficient; 4096 bits provides more security at the cost of slower key generation and handshakes. Weigh your server's capabilities against your security requirements before choosing.

Use this command to create a 2048-bit DH parameter file:

sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048

Alternatively, you can use the following command to generate a 4096-bit key for increased security:

sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 4096

Once the file has been generated, reference it from your NGINX configuration with the ssl_dhparam directive:

ssl_dhparam /etc/ssl/certs/dhparam.pem;

Step 5: Set Protocols and Ciphers

To balance security and interoperability, specify which TLS protocol versions and cipher suites may be used:

ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers [long string of ciphers here];
ssl_prefer_server_ciphers off;

Step 6: Implement HSTS

To ensure browsers only ever connect over HTTPS, enable HTTP Strict Transport Security (HSTS):

add_header Strict-Transport-Security "max-age=63072000" always;

Step 7: Enable OCSP Stapling

OCSP stapling improves certificate status checking: the server fetches the OCSP response and attaches it to the handshake, so clients need not contact the CA. Enable it and make sure the root CA and intermediate certificates are available to validate the stapled response:

ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate /path/to/root_CA_cert_plus_intermediates;

Step 8: Specify DNS Resolver

Finally, set the IP address of a DNS resolver. NGINX needs one to look up the OCSP responder when stapling:

resolver 1.1.1.1;

If you do not want to use the resolver provided by Cloudflare, make sure you replace 1.1.1.1 with the real IP address of your resolver.

Step 9: Validate and Apply the Changes

Save and close the file when you're finished. Before applying the changes, check the NGINX configuration for syntax errors with this command:

sudo nginx -t

If the test reports no problems, restart NGINX to apply the changes:

sudo systemctl restart nginx

FAQs to Secure Nginx with Let’s Encrypt on Debian 12

Why should I secure Nginx with Let's Encrypt on Debian 12? 

Securing Nginx with Let's Encrypt helps protect user data, build trust, and enhance website security while improving search engine rankings.

How do I obtain and install a Let's Encrypt SSL/TLS certificate for Nginx? 

The process involves requesting a certificate from Let's Encrypt and configuring Nginx to use it. Certbot automates these steps, making it easy to obtain and install certificates.

How can I verify if the certificate installation was successful? 

You can verify the successful installation by checking if your website displays a padlock icon in the browser's address bar, indicating a secure connection.

How often do I need to renew Let's Encrypt certificates? 

Let's Encrypt certificates are typically valid for 90 days. However, Certbot automates the renewal process to ensure your certificates remain up to date.

Can I secure multiple domains with a single Let's Encrypt certificate? 

Yes, Let's Encrypt allows you to secure multiple domains or subdomains with a single certificate, making it convenient for managing multiple websites.

Do Let's Encrypt certificates support wildcard domains? 

Yes, Let's Encrypt certificates support wildcard domains (*.example.com), allowing you to secure all subdomains under a specific domain with a single certificate.

Can I secure an Nginx reverse proxy with Let's Encrypt on Debian 12? 

Absolutely. Just like securing a regular Nginx server, you can use Certbot to obtain and install Let's Encrypt certificates for an Nginx reverse proxy.

Conclusion

We hope this tutorial helped you understand how to Secure Nginx with Let’s Encrypt on Debian 12.

If you have any queries, please leave a comment below, and we’ll be happy to respond to them for sure.
