# Updated Certbot Guide

## Nginx Install

```
sudo apt update
sudo apt install nginx
```

## Certbot

Resource link: <https://certbot.eff.org/instructions?ws=other&os=pip>

Install certbot and the nginx plugin into a virtualenv under `/opt/certbot` (the pip method from the link above):

```
sudo apt install python3 python3-venv libaugeas0
sudo python3 -m venv /opt/certbot/
sudo /opt/certbot/bin/pip install --upgrade pip
sudo /opt/certbot/bin/pip install certbot certbot-nginx
sudo ln -s /opt/certbot/bin/certbot /usr/bin/certbot
```

#### Install: cloudflare plugin

```
sudo /opt/certbot/bin/pip install certbot certbot-dns-cloudflare
```

## Option 1: Use nginx reverse proxy with certbot nginx

### Make Nginx config:

Make file for domain:

```
sudo nano /etc/nginx/sites-available/yourdomain.com
```

Config setup (this config will be managed automatically by certbot):

```
server {
    listen 80;
    server_name <sub-domain>.yourdomain.com;

    location / {
        proxy_pass http://your_backend_server_address;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

Now symlink your available site into sites-enabled:

```
sudo ln -s /etc/nginx/sites-available/yourdomain.com /etc/nginx/sites-enabled/
```

Now test the config and restart nginx:

```
sudo nginx -t
sudo systemctl restart nginx
```

### Make nginx cert

```
sudo certbot --nginx
```

Follow the instructions on screen (screenshots to be added).

Test cert renew:

```
sudo certbot renew --dry-run
```

## Option 2: Use nginx reverse proxy with certbot cloudflare

### Cloudflare API token used by Certbot

Create a directory for the credentials and make the `.ini` file in it:

```
mkdir -p /home/<user>/.secrets/certbot/
nano /home/<user>/.secrets/certbot/<nameoffile>.ini
```

Contents in file:

```
dns_cloudflare_api_token = YOUR_CLOUDFLARE_API_TOKEN
```

Save and close file

Now restrict the file permissions so only your user can read the token (certbot warns when the credentials file is readable by others):

```
chmod 600 /home/<user>/.secrets/certbot/<nameoffile>.ini
```
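The `chmod 600` step is the one that keeps the API token out of other users' hands. Below is an added example (not part of the guide or of certbot) that checks a credentials file the same way before it is handed to `--dns-cloudflare-credentials`: mode bits for group/other, ownership, and that the `dns_cloudflare_api_token` key is present and no longer the placeholder. The file contents and token value in it are constructed for the demonstration.

```python
"""Check that a certbot DNS-plugin credentials file is safe to use.

Added example, not part of the original guide or of certbot itself. It mirrors
the reason behind `chmod 600`: any group/other permission bit exposes the
Cloudflare API token. It also confirms the expected key exists and that the
placeholder value has been replaced. All file contents here are constructed.
"""
import os
import stat
import tempfile

EXPECTED_KEY = "dns_cloudflare_api_token"
PLACEHOLDER = "YOUR_CLOUDFLARE_API_TOKEN"


def check_credentials_file(path: str) -> list[str]:
    """Return a list of problems; an empty list means the file passes."""
    problems = []
    st = os.stat(path)
    mode = stat.S_IMODE(st.st_mode)
    # Any read/write/execute bit for group or other leaks the token.
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append(f"mode {oct(mode)} is accessible by group/other; use chmod 600")
    if st.st_uid != os.geteuid():
        problems.append("file is not owned by the user running certbot")
    keys = {}
    with open(path) as fh:
        for line in fh:
            line = line.strip()
            if not line or line.startswith("#"):
                continue
            if "=" not in line:
                problems.append(f"malformed line: {line!r}")
                continue
            key, value = (part.strip() for part in line.split("=", 1))
            keys[key] = value
    token = keys.get(EXPECTED_KEY)
    if not token:
        problems.append(f"missing {EXPECTED_KEY}")
    elif token == PLACEHOLDER:
        problems.append("placeholder token has not been replaced")
    return problems


def write_demo_file(contents: str, mode: int) -> str:
    """Create a temporary credentials file with the given mode (demo helper)."""
    fd, path = tempfile.mkstemp(suffix=".ini")
    with os.fdopen(fd, "w") as fh:
        fh.write(contents)
    os.chmod(path, mode)
    return path


if __name__ == "__main__":
    # Constructed inputs: one correctly locked-down file, one world-readable
    # file that still carries the placeholder from the guide.
    good = write_demo_file("dns_cloudflare_api_token = cf-constructed-token-value\n", 0o600)
    bad = write_demo_file(f"dns_cloudflare_api_token = {PLACEHOLDER}\n", 0o644)
    print("good:", check_credentials_file(good))
    print("bad: ", check_credentials_file(bad))
```

Run it against the real path once the file is in place; an empty list means the file is ready for the `certbot certonly` command that follows.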

Make cert:

```
sudo certbot certonly \
  --dns-cloudflare \
  --dns-cloudflare-credentials /home/<user>/.secrets/certbot/<nameoffile>.ini \
  --dns-cloudflare-propagation-seconds 60 \
  -d "yourdomain.com" \
  -d "*.yourdomain.com"
```

Both names are listed because a wildcard (`*.yourdomain.com`) covers single-level subdomains only, not the root domain itself. The certificate is stored under `/etc/letsencrypt/live/yourdomain.com/` (named after the first `-d` value), which is the path the nginx configs below reference.
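To see exactly which names a given SAN list would cover before issuing, here is an added example (not from the guide or from certbot) that applies the browser hostname-matching rules of RFC 6125 section 6.4.3 to a list of SAN entries. Run it over the values you plan to put in `server_name`, so a missing name shows up here rather than as a TLS error in the browser. The hostnames and SAN lists in it are constructed.

```python
"""Check which hostnames a certificate's subjectAltName list would cover.

Added example, not part of the guide or of certbot. Implements the wildcard
rules of RFC 6125 section 6.4.3 as browsers apply them: '*' is accepted only
as the whole leftmost label and matches exactly one label, so
'*.yourdomain.com' covers 'app.yourdomain.com' but not 'yourdomain.com' or
'a.b.yourdomain.com'. All names below are constructed for the demonstration.
"""
from typing import Optional


def name_matches(san: str, hostname: str) -> bool:
    """Return True if one SAN entry (plain or wildcard) covers hostname."""
    san = san.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in san:
        return san == hostname
    san_labels = san.split(".")
    host_labels = hostname.split(".")
    # The wildcard must be the entire leftmost label, appear nowhere else,
    # and leave at least two literal labels (no '*.com' style patterns).
    if san_labels[0] != "*" or len(san_labels) < 3:
        return False
    if any("*" in label for label in san_labels[1:]):
        return False
    # '*' stands in for exactly one non-empty label: same label count,
    # identical remaining labels.
    if len(host_labels) != len(san_labels) or not host_labels[0]:
        return False
    return host_labels[1:] == san_labels[1:]


def coverage(sans: list[str], hostnames: list[str]) -> dict[str, Optional[str]]:
    """Map each hostname to the first SAN entry that covers it, or None."""
    return {
        host: next((san for san in sans if name_matches(san, host)), None)
        for host in hostnames
    }


def uncovered(sans: list[str], hostnames: list[str]) -> list[str]:
    """Hostnames the certificate would NOT be valid for."""
    return [host for host, san in coverage(sans, hostnames).items() if san is None]


if __name__ == "__main__":
    # Constructed input: the names you would put in server_name.
    wanted = ["yourdomain.com", "app.yourdomain.com", "a.b.yourdomain.com"]
    print("wildcard only   ->", uncovered(["*.yourdomain.com"], wanted))
    print("apex + wildcard ->", uncovered(["yourdomain.com", "*.yourdomain.com"], wanted))
```

With only the wildcard, both the root domain and any second-level subdomain come back as uncovered; adding the apex as a second `-d` fixes the first, while a deeper name such as `a.b.yourdomain.com` would need its own entry.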

Test cert renew:

```
sudo certbot renew --dry-run
```

### Make Nginx config:

#### Root-Domain:

This section is for an nginx reverse proxy that serves only your root domain, with no subdomains.

Make file for domain:

```
sudo nano /etc/nginx/sites-available/yourdomain.com
```

Config setup (this config WON'T be managed by certbot, so it references the certificate files directly; it only listens on 443, so add a port-80 server block that redirects to HTTPS if you also want plain-HTTP requests answered):

```
server {
    listen 443 ssl http2;
    server_name yourdomain.com;

    ssl_certificate /etc/letsencrypt/live/yourdomain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/yourdomain.com/privkey.pem;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256';
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 1d;
    ssl_session_tickets off;
    ssl_stapling on;
    ssl_stapling_verify on;
    resolver 8.8.8.8 8.8.4.4 valid=300s;
    resolver_timeout 5s;
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    add_header X-Content-Type-Options nosniff;
    add_header X-Frame-Options SAMEORIGIN;
    add_header X-XSS-Protection "1; mode=block";

    location / {
        proxy_pass http://your_backend_server_address;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

#### Sub-Domain:

This section is for a reverse proxy that serves a subdomain.

Make file for domain:

```
sudo nano /etc/nginx/sites-available/<sub-domain>.yourdomain.com
```

Config setup (this config WON'T be managed by certbot):

```
server {
    listen 443 ssl http2;
    server_name <sub-domain>.yourdomain.com;

    ssl_certificate /etc/letsencrypt/live/yourdomain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/yourdomain.com/privkey.pem;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256';
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 1d;
    ssl_session_tickets off;
    ssl_stapling on;
    ssl_stapling_verify on;
    resolver 8.8.8.8 8.8.4.4 valid=300s;
    resolver_timeout 5s;
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    add_header X-Content-Type-Options nosniff;
    add_header X-Frame-Options SAMEORIGIN;
    add_header X-XSS-Protection "1; mode=block";

    location / {
        proxy_pass http://your_backend_server_address;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

Now symlink your available site into sites-enabled (use the filename you created above):

```
sudo ln -s /etc/nginx/sites-available/yourdomain.com /etc/nginx/sites-enabled/
# or, if you followed the Sub-Domain section:
# sudo ln -s /etc/nginx/sites-available/<sub-domain>.yourdomain.com /etc/nginx/sites-enabled/
```

#### Now test config and restart nginx:

```
sudo nginx -t
sudo systemctl restart nginx
```

## Auto renew with cron

Open root's crontab (certbot needs root to write to `/etc/letsencrypt`):

```
sudo crontab -e
```

Add the line below. A per-user crontab has no user column, so there is no `root` field before the command. The deploy hook reloads nginx after a successful renewal; this matters for Option 2, where certbot never touches the nginx config and would otherwise leave nginx serving the old certificate:

```
# To renew on the first day of each month
0 0 1 * * certbot renew --quiet --deploy-hook "systemctl reload nginx"
```

`certbot renew` only replaces certificates that are within 30 days of expiry and does nothing otherwise, so certbot's own recommendation is to run it twice a day rather than monthly; a monthly run leaves little margin if a run fails (for example on a Cloudflare API error).
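To make the margin concrete, here is an added example (not from the guide or from certbot) that replays a cron cadence against the 90-day Let's Encrypt lifetime and certbot's default 30-day renewal window, and reports the first run that would renew, or None if the certificate lapses first. The 90-day and 30-day figures are certbot and Let's Encrypt defaults; the issue dates used are constructed.

```python
"""Does a cron schedule give certbot a chance to renew before the cert expires?

Added example, not from the guide or from certbot. Assumptions: Let's Encrypt
certificates are valid for 90 days and certbot's default renew_before_expiry
is 30 days, i.e. `certbot renew` only renews once 30 days or less remain.
The simulation replays a cron cadence from the issue time. Times are naive
local times; the issue dates are constructed.
"""
from datetime import datetime, timedelta
from typing import Callable, Dict, Iterator, Optional

LIFETIME = timedelta(days=90)
RENEW_BEFORE_EXPIRY = timedelta(days=30)


def monthly_runs(start: datetime, end: datetime) -> Iterator[datetime]:
    """00:00 on the 1st of each month in [start, end]; the guide's '0 0 1 * *'."""
    year, month = start.year, start.month
    while True:
        run = datetime(year, month, 1)
        if run > end:
            return
        if run >= start:
            yield run
        month += 1
        if month > 12:
            month, year = 1, year + 1


def twice_daily_runs(start: datetime, end: datetime) -> Iterator[datetime]:
    """00:00 and 12:00 every day in [start, end]; a '0 0,12 * * *' cadence."""
    run = datetime(start.year, start.month, start.day)
    while run <= end:
        if run >= start:
            yield run
        run += timedelta(hours=12)


SCHEDULES: Dict[str, Callable[[datetime, datetime], Iterator[datetime]]] = {
    "monthly": monthly_runs,
    "twice_daily": twice_daily_runs,
}


def first_renewal(issued_iso: str, schedule: str) -> Optional[str]:
    """ISO time of the first run that renews, or None if the cert expires first."""
    issued = datetime.fromisoformat(issued_iso)
    expiry = issued + LIFETIME
    for run in SCHEDULES[schedule](issued, expiry):
        # certbot renews at this run only if the remaining lifetime is
        # inside the renewal window.
        if expiry - run <= RENEW_BEFORE_EXPIRY:
            return run.isoformat()
    return None


def margin_days(issued_iso: str, schedule: str) -> Optional[float]:
    """Days left on the certificate at the renewing run, or None if it lapses."""
    renewed = first_renewal(issued_iso, schedule)
    if renewed is None:
        return None
    expiry = datetime.fromisoformat(issued_iso) + LIFETIME
    return (expiry - datetime.fromisoformat(renewed)) / timedelta(days=1)


if __name__ == "__main__":
    for issued in ("2025-01-02T00:00", "2025-12-31T12:00"):
        for name in SCHEDULES:
            print(issued, name, first_renewal(issued, name), margin_days(issued, name))
```

A certificate issued on 2 January is renewed by the monthly job on 1 April with one day to spare; one issued at noon on 31 December is still 30.5 days from expiry at the 1 March run, is skipped, and has expired by 1 April. The twice-daily cadence renews both as soon as the window opens, with the full 30 days of slack for retries.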

## Extras

### HTTP password (basic auth):

```
sudo apt-get update
sudo apt-get install apache2-utils

# -c creates the file (it overwrites an existing one); -B stores the password with bcrypt
sudo htpasswd -c -B /etc/nginx/.<passwordfile> <username>

# If the file already exists and you want to add a user, omit -c
sudo htpasswd -B /etc/nginx/.<passwordfile> <anotherusername>
```

In the nginx config, add the two `auth_basic` lines inside the `location` block:

```
location / {
    auth_basic "Restricted Content";
    auth_basic_user_file /etc/nginx/.<passwordfile>; # The path to the password file
}
```
