Another Update to that AWS Server
Last year, I posted about setting up a node server on AWS that pulls its content from GitHub and uses LetsEncrypt for SSL. Six months ago, I posted an update on how to renew the LetsEncrypt certificates.
The manual process was simple, but a bit annoying to actually have to do. This time around, I discovered an article discussing a plugin for Nginx that lets me automate this in a trivial way. (As before, I'm posting this to share with others, but also for easy review by me later!)
I generally followed that article. Since I'm using Ubuntu 18.04 on AWS, I first needed to install the certbot Nginx plugin:
$ sudo apt-get install python3-certbot-nginx
Next, I renewed the certificate I had, but using --nginx as the authorization method instead of --manual:
$ sudo certbot --nginx -d aelatgt.net
Certbot updated my Nginx configuration, which I edited and combined with what I previously had there:
map $http_upgrade $connection_upgrade {
    default upgrade;
    '' close;
}

# HTTP - redirect all requests to HTTPS:
server {
    if ($host = aelatgt.net) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    listen 80 default_server;
    server_name aelatgt.net;
}

server {
    listen 443 ssl;
    server_name aelatgt.net;

    location / {
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $http_host;
        proxy_pass https://127.0.0.1:3001;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }

    # Enable SSL
    ssl_certificate_key /etc/letsencrypt/live/aelatgt.net/privkey.pem; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/aelatgt.net/fullchain.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
}
I'd previously had more ssl settings in the file, but certbot created a set in /etc/letsencrypt/options-ssl-nginx.conf, so I'm just going to use those. (I also realize I'm probably "upgrading" HTTP to HTTPS twice in there, but it works and I'm not an Nginx god, so "it's fine".)
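Merging Certbot's edits into an existing site file by hand is easy to get subtly wrong, so here is a small added check (my own example, not from the post or from Certbot) that parses a config of this shape and flags a 443 server block missing its certificate, key or the Certbot TLS include, a 443 block proxying plaintext to a non-loopback upstream, or an 80 block that doesn't redirect to HTTPS. The SAMPLE is a constructed, condensed copy of the config above.

```python
import re

# Constructed sample in the shape Certbot's --nginx plugin leaves behind (hostname from the post).
SAMPLE = """
server {
    if ($host = aelatgt.net) { return 301 https://$host$request_uri; } # managed by Certbot
    listen 80 default_server;
    server_name aelatgt.net;
}
server {
    listen 443 ssl;
    server_name aelatgt.net;
    location / { proxy_pass https://127.0.0.1:3001; }
    ssl_certificate_key /etc/letsencrypt/live/aelatgt.net/privkey.pem; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/aelatgt.net/fullchain.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
}
"""

def server_blocks(text):
    """Yield the body of each top-level `server { ... }` block (comments stripped, brace-depth scan)."""
    text = re.sub(r"#.*", "", text)
    pos = 0
    while (m := re.search(r"\bserver\s*\{", text[pos:])):
        start = pos + m.end()
        depth, end = 1, start
        while depth and end < len(text):
            depth += {"{": 1, "}": -1}.get(text[end], 0)
            end += 1
        yield text[start:end - 1]
        pos = end

def check_site(text):
    """Return a list of findings for the config; an empty list means it passes."""
    findings = []
    for body in server_blocks(text):
        flat = " ".join(body.split())  # collapse to one line with single spaces
        if re.search(r"listen\s+[^;]*\b443\b[^;]*\bssl\b", flat):
            for directive in ("ssl_certificate ", "ssl_certificate_key "):
                if directive not in flat:
                    findings.append("443 block missing " + directive.strip())
            if "options-ssl-nginx.conf" not in flat:
                findings.append("443 block does not include Certbot TLS settings")
            if re.search(r"proxy_pass\s+http://(?!127\.0\.0\.1|localhost)", flat):
                findings.append("443 block proxies plaintext to a non-loopback upstream")
        elif re.search(r"listen\s+[^;]*\b80\b", flat):
            if "return 301 https://" not in flat:
                findings.append("80 block does not redirect to HTTPS")
    return findings

if __name__ == "__main__":
    print(check_site(SAMPLE) or "config looks sane")
```

Run it against your real site file (`check_site(open("/etc/nginx/sites-enabled/default").read())`) after every Certbot run; it is a lint for the structure only, not a substitute for `nginx -t`.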
Finally, I added a cronjob to periodically (and quietly) try to renew the certificate, by running
$ crontab -e
and then adding a line to the crontab:
0 12 * * * /usr/bin/certbot renew --quiet
That's it.
To test, I restarted my nginx server and did a trial renewal of the certificate, which output the following (as expected):
$ sudo nginx -s reload
$ sudo certbot renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/aelatgt.net.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not yet due for renewal
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
The following certs are not due for renewal yet:
/etc/letsencrypt/live/aelatgt.net/fullchain.pem expires on 2021-10-01 (skipped)
No renewals were attempted.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -