Setting up SSL

Prerequisite

You need to have snapd installed. This step is already covered in Server Preparation.

Also remove any previously installed certbot version by running the command below:

sudo apt-get remove certbot

Setting up CertBot

CertBot Installation

We will use Certbot as our SSL manager. You can install it with the commands below:

sudo snap install --classic certbot
sudo ln -s /snap/bin/certbot /usr/bin/certbot
sudo snap set certbot trust-plugin-with-root=ok

CertBot DNS Plugin

Since we're using Cloudflare as our DNS manager, we need to install the Cloudflare plugin with the command below:

sudo snap install certbot-dns-cloudflare

You will need to install a different plugin if you use another DNS manager. Visit the official Certbot guide for more details.

Get your credential API Token

To obtain your Cloudflare API token, follow these steps:

  1. Log in to your Cloudflare account.

  2. Go to the Profile section.

  3. Select API Tokens.

  4. Click on Create Token.

  5. For this case, you only need "Edit zone DNS" permissions.

  6. Once you've configured the token, click Continue to summary and then Create Token.

  7. Make sure to copy your new API token and securely store it; you won’t be able to see it again.

Refer to the official Cloudflare documentation for detailed steps and information.

After you have obtained your Cloudflare API token, put it in a file called certbot.ini on your server, in the format below:

dns_cloudflare_api_token = 0123456789abcdef0123456789abcdef01234567

You can use your text editor, or the command below to write it to a file directly:

echo 'dns_cloudflare_api_token = 0123456789abcdef0123456789abcdef01234567' > ~/certbot.ini
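The file holds a live API token, so it should not be readable by other users on the server; certbot itself warns when a DNS credentials file has permissions looser than 0600. The following shell example is added here and is not part of the original guide: it writes the file with owner-only permissions and checks it before certbot runs. The function names are this example's own, the token is a constructed placeholder, and the 40-character length check assumes the token format shown above.

```shell
#!/bin/sh
# Added example (not from the original guide): create the Cloudflare
# credentials file the way certbot expects it and make sure only its
# owner can read it. The token used below is a constructed placeholder.

# write_certbot_creds FILE TOKEN
# Creates FILE containing "dns_cloudflare_api_token = TOKEN" with mode 0600.
write_certbot_creds() {
    file="$1"
    token="$2"
    # umask 077 in a subshell: the file is created without group/other
    # permissions, so the token is never world-readable, not even briefly.
    (
        umask 077
        printf 'dns_cloudflare_api_token = %s\n' "$token" > "$file"
    )
    # Also fix the mode in case the file already existed with looser permissions.
    chmod 600 "$file"
}

# check_certbot_creds FILE
# Returns 0 if FILE exists, is owner-read/write only, and contains a token of
# the 40-character shape shown in the guide (assumption: that is the format).
check_certbot_creds() {
    file="$1"
    [ -f "$file" ] || { echo "missing: $file" >&2; return 1; }
    # First 10 columns of ls -l are the type and permission bits, e.g. -rw-------
    perms=$(ls -ld "$file" | cut -c1-10)
    [ "$perms" = "-rw-------" ] \
        || { echo "unsafe permissions $perms on $file (want -rw-------)" >&2; return 1; }
    token=$(sed -n 's/^dns_cloudflare_api_token *= *//p' "$file")
    printf '%s' "$token" | grep -Eq '^[A-Za-z0-9_-]{40}$' \
        || { echo "token in $file does not look like a Cloudflare API token" >&2; return 1; }
    return 0
}

# Example run with a constructed token (replace it with your real token):
# write_certbot_creds ~/certbot.ini 0123456789abcdef0123456789abcdef01234567
# check_certbot_creds ~/certbot.ini && echo "credentials file OK"
```

Run the check once more after any later edit to the file: editors and copy commands can silently reset the mode, and a loose mode is the usual reason certbot prints its permissions warning.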

Generate SSL

After finishing the previous steps, generate the SSL certificate by running the command below:

certbot certonly \
  --dns-cloudflare \
  --dns-cloudflare-credentials ~/certbot.ini \
  -d '*.cryptonode.id'

This generates a wildcard SSL certificate (the name is quoted so the shell does not try to expand the *). If you want a certificate for a specific subdomain instead, replace the * with that subdomain (e.g. crossfi-testnet-api.cryptonode.id).

By default the certificates are stored under /etc/letsencrypt/live/cryptonode.id/: fullchain.pem is the certificate chain (the public part) and privkey.pem is the private key.

Re-Configure NGINX to use SSL

In Routing using NGINX, we already set up our domain to point to the correct endpoint, but it is still served over HTTP. Now we will configure it to use HTTPS.

Open your previous config with this command:

sudo nano /etc/nginx/sites-available/crossfi-testnet-api

and replace the config with this:

server {
    listen 80;
    server_name crossfi-testnet-api.cryptonode.id;
    # Redirect every plain HTTP request to HTTPS
    return 301 https://$host$request_uri;
}
server {
    listen 443 ssl;

    server_name crossfi-testnet-api.cryptonode.id;

    ssl_certificate /etc/letsencrypt/live/cryptonode.id/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/cryptonode.id/privkey.pem;

    # TLS 1.0 and 1.1 are deprecated; only allow 1.2 and 1.3
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 5m;
    ssl_ecdh_curve secp384r1;
    ssl_stapling on;
    ssl_stapling_verify on;

    location / {
        proxy_pass http://127.0.0.1:1317;

        # Keep all CORS headers in this block: add_header directives set at
        # server level are not inherited once a location defines its own
        add_header Access-Control-Allow-Origin *;
        add_header 'Access-Control-Allow-Methods' 'GET,POST,OPTIONS';
        add_header 'Access-Control-Allow-Headers' 'Authorization,Accept,Origin,DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Content-Range,Range';
        add_header Access-Control-Max-Age 3600;
        add_header Access-Control-Expose-Headers Content-Length;

        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}

Repeat the same process for your other endpoints, and all of them will be served with SSL enabled.
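Repeating the process by hand for every endpoint invites copy-paste mistakes (a stale server_name, the wrong upstream port, a forgotten certificate path). The shell example below is added here and is not part of the original guide: it renders a site config from the template above for a given subdomain and upstream port, then runs a quick check on the result before you hand it to nginx -t. The certificate lineage name defaults to cryptonode.id as in the guide; the function names, the second sample endpoint and its port, and the checks are this example's own assumptions. The rendered config allows only TLS 1.2 and 1.3 and keeps every add_header inside the location block, since nginx does not inherit server-level add_header directives into a location that sets its own.

```shell
#!/bin/sh
# Added example (not from the original guide): generate one NGINX site
# config per endpoint from the template used above, so "repeat the same
# process" becomes a single command per endpoint. Function names, the
# sample second endpoint and the checks are assumptions of this example.

# render_site_config SUBDOMAIN UPSTREAM_PORT OUTFILE [CERT_NAME]
# Writes an HTTP->HTTPS redirect server and a TLS server that proxies to
# 127.0.0.1:UPSTREAM_PORT. CERT_NAME is the directory name under
# /etc/letsencrypt/live (the wildcard lineage, cryptonode.id by default).
render_site_config() {
    subdomain="$1"
    port="$2"
    outfile="$3"
    cert_name="${4:-cryptonode.id}"
    # nginx variables are escaped (\$host) so the shell leaves them alone.
    cat > "$outfile" <<EOF
server {
    listen 80;
    server_name $subdomain;
    return 301 https://\$host\$request_uri;
}
server {
    listen 443 ssl;
    server_name $subdomain;

    ssl_certificate /etc/letsencrypt/live/$cert_name/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/$cert_name/privkey.pem;

    # TLS 1.0/1.1 are deprecated; only 1.2 and 1.3 are enabled.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 5m;

    location / {
        proxy_pass http://127.0.0.1:$port;

        # All CORS headers live here: an add_header in this block would
        # otherwise hide any add_header set at server level.
        add_header Access-Control-Allow-Origin *;
        add_header Access-Control-Allow-Methods 'GET,POST,OPTIONS';
        add_header Access-Control-Max-Age 3600;

        proxy_set_header Host \$host;
        proxy_set_header X-Real-IP \$remote_addr;
        proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
    }
}
EOF
}

# check_site_config FILE
# Fails if FILE still enables TLS 1.0 or 1.1, or lacks a certificate/key pair.
# This only catches obvious mistakes; run `sudo nginx -t` afterwards.
check_site_config() {
    file="$1"
    # Match "TLSv1" or "TLSv1.1" followed by a space or ';' inside an
    # ssl_protocols line, without matching TLSv1.2 / TLSv1.3.
    if grep -Eq '^[[:space:]]*ssl_protocols[^;]*TLSv1(\.1)?[[:space:];]' "$file"; then
        echo "$file enables TLS 1.0/1.1" >&2
        return 1
    fi
    grep -q '^[[:space:]]*ssl_certificate ' "$file" \
        || { echo "$file: no ssl_certificate" >&2; return 1; }
    grep -q '^[[:space:]]*ssl_certificate_key ' "$file" \
        || { echo "$file: no ssl_certificate_key" >&2; return 1; }
    return 0
}

# Example usage (write into sites-available, then enable and test as usual):
# render_site_config crossfi-testnet-api.cryptonode.id 1317 \
#     /etc/nginx/sites-available/crossfi-testnet-api
# check_site_config /etc/nginx/sites-available/crossfi-testnet-api && sudo nginx -t
```

Because every endpoint under the wildcard shares the same lineage directory, only the subdomain and upstream port change between calls; anything else you need per endpoint belongs in the template, not in a hand-edited copy.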
