Secure your nuxt app on the web with Let's Encrypt and Certbot

Introduction

In my last blog post I explained how to serve your nuxt app using Nginx. In this post, I will walk you through how to enable HTTPS on your web server by using Certbot to obtain free SSL certs from Let's Encrypt. These certs will typically expire in 90 days, but Certbot can help automate the renewal.

Prerequisites

  • A fully registered domain name
  • Install Certbot onto the server
  • Make sure your web server is running on port 80.

Install Certbot

We will need to add the repository.

$ sudo add-apt-repository ppa:certbot/certbot

Update the apt package manager.

$ sudo apt-get update

Install certbot

$ sudo apt-get install python-certbot-nginx

Run Certbot

Assuming that your current web server is running under a fully registered domain and is not yet secured (if it's already secure then why bother with any of this?!), run the following to get the certs and configure automation.

$ sudo certbot --nginx -d example.com -d www.example.com

If you have more than one domain to work with, you can keep adding domains with the -d option. The --nginx option lets certbot know that we're dealing with an nginx web server. Other options are available to handle other web servers like Apache.

When you first run this command you will be prompted to enter your email. Please do so, as you will get email notifications when the certs are about to expire (if the automation didn't work then at least you know).

Once successful, certbot will attempt to make some changes to your nginx config by adding the necessary cert paths and adding port 443, which is typically used for SSL.

Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
-------------------------------------------------------------------------------
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
-------------------------------------------------------------------------------
Select the appropriate number [1-2] then [enter] (press 'c' to cancel):

I recommend choosing 2 to redirect http requests to https.

Certbot will now do its thing and the following will show.

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at
   /etc/letsencrypt/live/example.com/fullchain.pem. Your cert will
   expire on 2017-10-23. To obtain a new or tweaked version of this
   certificate in the future, simply run certbot again with the
   "certonly" option. To non-interactively renew *all* of your
   certificates, run "certbot renew"
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

This output tells you where the certs are stored and when they are due to expire.

Reload your website and it should now be running under HTTPS!

The automation

As mentioned the certs are valid for only 90 days and will need to be renewed prior to that date.

When we ran the certbot command it would have added the renew script to the /etc/cron.d folder. This is typically our cronjob folder, and the script in it will run twice a day, but the certs will only be renewed once they are within 30 days of the expiry date.

You can test the renewal with a dry run command.

$ sudo certbot renew --dry-run

If you see all your domains listed in the output then that's it, it'll work as expected on the day.
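
A dry run only proves renewal works today. To catch a renew job that silently stops working later, a check like the one below can run from cron or monitoring. It is an added example, not part of the original post or of Certbot; the script name, the 2-day grace period and the exit codes are assumptions, and it needs GNU date and the openssl CLI.

```shell
#!/usr/bin/env bash
# Added example: flag a Let's Encrypt cert that the twice-daily renew job
# should already have replaced. Assumes GNU date and the openssl CLI.

RENEW_WINDOW_DAYS=30   # from the post: renewal starts 30 days before expiry
GRACE_DAYS=2           # assumption: tolerate a few missed cron runs

# Print the cert's notAfter field, e.g. "Oct 23 12:00:00 2017 GMT".
cert_not_after() {
  openssl x509 -noout -enddate -in "$1" | cut -d= -f2
}

# Seconds from "now" (epoch; defaults to the current time) until notAfter.
secs_left() {
  local not_after="$1" now="${2:-$(date -u +%s)}" expiry
  expiry=$(date -u -d "$not_after" +%s) || return 2
  echo $(( expiry - now ))
}

# Classify the remaining lifetime: ok | renewal-overdue | expired
renewal_status() {
  local secs="$1"
  local overdue_below="$(( (RENEW_WINDOW_DAYS - GRACE_DAYS) * 86400 ))"
  if   [ "$secs" -le 0 ];                then echo expired
  elif [ "$secs" -lt "$overdue_below" ]; then echo renewal-overdue
  else echo ok
  fi
}

# Usage: ./check_cert.sh /etc/letsencrypt/live/example.com/fullchain.pem
# Exits non-zero unless the status is "ok", so cron or monitoring can alert.
if [ "$#" -gt 0 ]; then
  not_after=$(cert_not_after "$1") || exit 2
  secs=$(secs_left "$not_after") || exit 2
  status=$(renewal_status "$secs")
  echo "$1: $status ($(( secs / 86400 )) days left, notAfter=$not_after)"
  [ "$status" = ok ]
fi
```

A "renewal-overdue" result means the cert is well inside the 30-day window and still has not been replaced, which is the point to look at the cron entry and the Certbot logs.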

Conclusion

Congrats! You now have a nuxt app running on your server, deployed using pm2, served by an nginx web server, and using certbot to obtain free SSL certs from Let's Encrypt so that your website runs under HTTPS.

Hope this helps you! Any feedback or troubles, feel free to leave a message in the comments below.