Set up SSL certificates with Let's Encrypt

We're going to follow the official Let's Encrypt guide: https://certbot.eff.org/lets-encrypt/debianbuster-nginx and choose the appropriate options.

This guide explains how to configure Let's Encrypt in a Dradis Pro instance based on Debian 10. If your instance uses another OS, some commands may change.

In short, what this guide is trying to do is summarized in this script:

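    #!/bin/bash
    # Stop on the first error so a failed certbot run never removes the existing certificate links
    set -euo pipefail

    # Request server droplet name as $server
    echo "What is the server address? E.g. test.dradisframework.net"
    read -r server

    # Certification
    # Uncomment server_name in the Dradis vhost and set it to the FQDN
    sudo sed -i -e "s/# server_name dradispro.local;/server_name $server;/g" /etc/nginx/sites-enabled/dradispro
    sudo apt-get install -y certbot python-certbot-nginx
    # Interactive: pick the number that matches the FQDN when prompted
    sudo certbot certonly --nginx

    echo "$server"

    # Point the certificate and key paths nginx already uses at the Let's Encrypt files
    cd /etc/ssl/dradispro.local/
    sudo rm bundle.dradispro.local.crt
    sudo ln -s "/etc/letsencrypt/live/$server/fullchain.pem" bundle.dradispro.local.crt
    sudo rm dradispro.local.key
    sudo ln -s "/etc/letsencrypt/live/$server/privkey.pem" dradispro.local.key

    sudo service nginx reload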

Feel free to scp this script to your instance and execute it, or try the step-by-step manual instructions below:

  1. SSH into the box as dradispro

  2. Update the server_name directive of /etc/nginx/sites-enabled/dradispro to your desired FQDN. From:
    # server_name dradispro.local;
    To:
    server_name custom.domain.net;

    (use your own custom domain)

  3. Get certbot:
    sudo apt-get install certbot python-certbot-nginx
  4. Get the SSL cert:
    sudo certbot certonly --nginx

    If this step fails (e.g. you get a message like nginx restart failed:), check your /etc/nginx/nginx.conf file.

    When asked, enter the number that corresponds to the FQDN you entered before, probably 1 as we are using a single server name.

    Note down the location of the certificate bundle and key.

  5. Update the symlink targets NGINX uses to find the right SSL cert:
    cd /etc/ssl/dradispro.local/
    sudo rm bundle.dradispro.local.crt
    sudo ln -s /etc/letsencrypt/live/custom.domain.net/fullchain.pem bundle.dradispro.local.crt
    
    sudo rm dradispro.local.key
    sudo ln -s /etc/letsencrypt/live/custom.domain.net/privkey.pem dradispro.local.key
  6. Reload nginx:
    sudo service nginx reload
  7. Keep following the instructions in the official guide from step 4 to test automatic renewal and check the certificate works.
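
A check to run between steps 5 and 6, added here as an example and not part of the original guide or of Dradis: it confirms that both links exist, are not dangling (for instance after a mistyped FQDN), and resolve to the Let's Encrypt files for that FQDN. The function name `verify_cert_links` and its optional directory arguments are assumptions for illustration; run it as root, since the Let's Encrypt directories are typically readable only by root.

```shell
#!/bin/bash
# Added example, not from the original guide.
# verify_cert_links FQDN [SSL_DIR] [LIVE_ROOT]
# Defaults match the paths used in this guide; the overrides are an assumption
# made so the check can be exercised against a scratch directory.
# Returns 0 if both links are good, 1 if any link is wrong, 2 on a bad FQDN.
# Usage (as root): verify_cert_links custom.domain.net && nginx -t && service nginx reload
verify_cert_links() {
    local fqdn="$1"
    local ssl_dir="${2:-/etc/ssl/dradispro.local}"
    local live_root="${3:-/etc/letsencrypt/live}"
    local rc=0 pair link want got expected

    # Reject empty input or anything that could point outside LIVE_ROOT.
    case "$fqdn" in
        ""|*/*|.*) echo "invalid FQDN: '$fqdn'" >&2; return 2 ;;
    esac

    for pair in "bundle.dradispro.local.crt:fullchain.pem" \
                "dradispro.local.key:privkey.pem"; do
        link="$ssl_dir/${pair%%:*}"
        want="$live_root/$fqdn/${pair##*:}"

        if [ ! -L "$link" ]; then
            echo "FAIL: $link is not a symlink" >&2; rc=1; continue
        fi
        if [ ! -e "$link" ]; then
            echo "FAIL: $link is dangling -> $(readlink "$link")" >&2; rc=1; continue
        fi
        # Entries under live/ are themselves symlinks into archive/, so compare
        # fully resolved paths rather than the literal link text.
        got="$(readlink -f "$link")"
        expected="$(readlink -f "$want" 2>/dev/null || true)"
        if [ "$got" != "$expected" ]; then
            echo "FAIL: $link resolves to $got, expected $want" >&2; rc=1; continue
        fi
        echo "OK: $link -> $got"
    done
    return "$rc"
}
```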