Introduction

Here's how to set up HTTPS for your Gatsby site. This guide helps you configure a free SSL/TLS certificate from Let's Encrypt using their Certbot CLI tool. We first install Certbot and then use it to install the certificate for our domain.

Prerequisites

  • A website hosted on an Nginx server with a domain name.

Step 1 — Installing Certbot

  1. Add the software repository for Certbot and grab the upgrades for your packages.
sudo apt-get install software-properties-common
sudo add-apt-repository ppa:certbot/certbot
sudo apt-get update
  2. Install Certbot’s Nginx package.
sudo apt-get install python3-certbot-nginx

Step 2 — Confirming Nginx’s Configuration

Certbot will look for a server_name directive that matches the domain you request a certificate for in order to configure SSL.

  1. Verify your server name by looking into your Nginx configuration.
sudo vim /etc/nginx/sites-available/test.com

You should have something similar to this:

server_name test.com www.test.com;
  2. Verify the syntax of your configuration edits, fix any errors, then reload Nginx.
sudo nginx -t
sudo systemctl reload nginx
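
A pre-flight check for Step 2, added here as an example (it is not part of the original tutorial or of Certbot): the function reads an Nginx config file and reports every requested domain that no server_name directive lists. The name missing_server_names and the sample config are constructed for illustration, and only exact names are matched (wildcard and regex server_name values are not interpreted).

```shell
#!/bin/sh
# Added example: list requested domains that no server_name directive covers.
# Usage: missing_server_names CONFIG_FILE DOMAIN [DOMAIN...]
# Assumption: exact-name matching only; wildcard/regex names are not expanded.
missing_server_names() {
    conf=$1; shift
    # Strip comments, then collect every name from every server_name
    # directive. A directive may span lines, so read until its ';'.
    names=$(sed 's/#.*//' "$conf" | awk '
        {
            for (i = 1; i <= NF; i++) {
                tok = $i
                if (!in_dir) { if (tok == "server_name") in_dir = 1; continue }
                ended = sub(/;.*$/, "", tok)   # directive ends at ";"
                if (tok != "") print tolower(tok)
                if (ended) in_dir = 0
            }
        }')
    missing=""
    for d in "$@"; do
        # Hostnames are case-insensitive, so compare in lower case.
        d_lc=$(printf '%s' "$d" | tr 'A-Z' 'a-z')
        printf '%s\n' "$names" | grep -Fxq -- "$d_lc" || missing="$missing $d"
    done
    # Print uncovered domains (space separated); succeed only if none.
    printf '%s\n' "${missing# }"
    [ -z "$missing" ]
}

# Constructed sample config for the demonstration.
sample=$(mktemp)
cat > "$sample" <<'EOF'
server {
    listen 80;
    # server_name old.test.com;
    server_name test.com
                www.test.com;
}
EOF
if uncovered=$(missing_server_names "$sample" test.com www.test.com blog.test.com); then
    echo "all requested names are covered"
else
    echo "no server_name for: $uncovered"
fi
rm -f "$sample"
```

Run it against /etc/nginx/sites-available/test.com with the same names you plan to pass to certbot with -d.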

Step 3 — Obtaining an SSL Certificate

  1. Generate certificates with the Nginx plug‑in, using -d to specify the names we’d like the certificate to be valid for. You can specify multiple domain names like this:
sudo certbot --nginx -d test.com -d www.test.com
  2. If it's your first time setting this up, it will prompt you for an email address and ask you to agree to its terms of service.

Once certificate generation completes, you will see a message like this:

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at
   /etc/letsencrypt/live/test.com/fullchain.pem. Your cert will
   expire on 2021-12-24. To obtain a new or tweaked version of this
   certificate in the future, simply run certbot again with the
   "certonly" option. To non-interactively renew *all* of your
   certificates, run "certbot renew"
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

That's it! Now you can try accessing your website using https://.

Step 5 — Verifying Certbot Auto-Renewal

Let’s Encrypt’s certificates are only valid for ninety days. The certbot package we installed takes care of renewal for us by adding a renew script to /etc/cron.d. This script runs twice a day and will automatically renew any certificate that’s within thirty days of expiration.

We can do a dry run with certbot to test this out:

sudo certbot renew --dry-run

If it's successful, you should see a message like this:

** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates below have not been saved.)

Congratulations, all renewals succeeded. The following certs have been renewed:
  /etc/letsencrypt/live/test.com/fullchain.pem (success)
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates above have not been saved.)

That's it. Certbot will renew your certificates and reload Nginx to pick up the changes. If it happens to fail, Let’s Encrypt will send a message via email, warning you when your certificate is about to expire.