In this tutorial we'll see how to install an NGINX server with a free TLS 1.3 certificate and a free domain name.
Before we start, make sure you have a Debian 10+ server with a public IP address (a rented VPS on DigitalOcean, for example). If the Debian server is hosted at home, you need to forward port 443 on your router so that port 443 of the public IP address reaches port 443 of the server rather than the router. Once that's sorted, ssh into your server:
From here, we'll run the following commands:
apt update -y && apt upgrade -y
apt install nginx curl socat git -y
Once that's installed, we can verify nginx is installed like so:
root@debian-s-1vcpu-1gb-fra1-01:~# which nginx && nginx -v
/usr/sbin/nginx
nginx version: nginx/1.14.2
We can verify it is running using systemctl:
Now that nginx is installed, by default only port 80 is opened, as we can see here:
So from here, we'll install the custom configuration (located in /etc/nginx/sites-enabled/my_conf.conf):
wget https://blog.nowhere.moe/servers/nginx/nginx.conf -O /etc/nginx/sites-enabled/my_conf.conf
Once that's done, we verify if nginx's configuration is correct:
root@debian-s-1vcpu-1gb-fra1-01:~# nginx -t
nginx: [emerg] no "ssl_certificate_key" is defined for certificate "/root/.acme.sh/ech2.duckdns.org/ech2.duckdns.org.key"
nginx: configuration file /etc/nginx/nginx.conf test failed
And obviously, here we're missing the TLS certificates. We're going to use acme.sh, which will get us a free Let's Encrypt TLS certificate:
wget -O - https://get.acme.sh | sh
source ~/.bashrc
And now we can run acme.sh, but before that we need to stop nginx. If you do not have a domain name yet, go get one and make sure it points to your VPS's public IP address. If you want a free domain name alternative, you can use DuckDNS:
You can verify that the domain name points to your VPS correctly like so:
systemctl stop nginx
acme.sh --set-default-ca --server letsencrypt
acme.sh --issue --standalone -d ech2.duckdns.org -k 4096
Now that acme.sh has given us our free Let's Encrypt TLS certificate, we verify that the nginx config is correct using the "nginx -t" command. If it does not give you a positive answer like in the screenshot above, you probably forgot to edit the configuration in /etc/nginx/sites-enabled/my_conf.conf to contain your own domain name:
wget https://blog.nowhere.moe/servers/nginx/nginx.conf -O /etc/nginx/sites-enabled/my_conf.conf
nano /etc/nginx/sites-enabled/my_conf.conf
Once you're done, hit CTRL+S to save in nano, and then CTRL+X to exit nano.
After that, verify that the nginx configuration is correct, and start nginx again:
nginx -t
systemctl start nginx
echo 'Welcome to my website!' > /var/www/html/index.html
And we're done! We can now check out the website:
And here we can see the index.html we previously created. Thanks to the nginx config we installed, the server negotiates TLS 1.3 with any client that supports it and falls back to TLS 1.2 only when the client does not; no older protocol version is accepted.
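For reference, this is what a site configuration enforcing that policy looks like. It is an example written for this tutorial, not the my_conf.conf file served from blog.nowhere.moe; it assumes the domain ech2.duckdns.org used above and the certificate files acme.sh writes under /root/.acme.sh/ech2.duckdns.org/ (the key path is the one shown in the nginx -t error earlier).

```nginx
# Port 80 is open by default: send every plain-HTTP request to HTTPS
server {
    listen 80;
    listen [::]:80;
    server_name ech2.duckdns.org;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name ech2.duckdns.org;

    # Files produced by "acme.sh --issue --standalone -d ech2.duckdns.org -k 4096"
    # (assumed paths; fullchain.cer is the leaf certificate plus the Let's Encrypt chain)
    ssl_certificate     /root/.acme.sh/ech2.duckdns.org/fullchain.cer;
    ssl_certificate_key /root/.acme.sh/ech2.duckdns.org/ech2.duckdns.org.key;

    # nginx 1.14's built-in default is "TLSv1 TLSv1.1 TLSv1.2". Listing only
    # 1.2 and 1.3 means a client that supports TLS 1.3 gets it, a client that
    # does not gets TLS 1.2, and anything older is refused at the handshake.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers off;

    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:10m;
    ssl_session_tickets off;

    # Tell browsers to keep using HTTPS for this host (two years)
    add_header Strict-Transport-Security "max-age=63072000" always;

    # The index.html created with the echo command in this tutorial
    root /var/www/html;
    index index.html;
}
```

Run "nginx -t" after editing: it will report the missing key or certificate file by path, exactly as in the error shown earlier, until acme.sh has issued the certificate.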
We can verify it is working on cryptcheck.fr:
And there we have it: a working nginx server with TLS 1.3 by default, using a free domain name and free TLS certificates provided by Let's Encrypt.
To force the renewal of the certificates every month, add this crontab entry:
crontab -e
0 0 1 * * systemctl stop nginx ; "/root/.acme.sh/acme.sh" --server letsencrypt --cron --home "/root/.acme.sh" --force ; systemctl start nginx # once a month, force the renewal of the certificates
Until there is Nothing left.
Creative Commons Zero: No Rights Reserved
Donate XMR: 8AUYjhQeG3D5aodJDtqG499N5jXXM71gYKD8LgSsFB9BUV1o7muLv3DXHoydRTK4SZaaUBq4EAUqpZHLrX2VZLH71Jrd9k8
Contact: nihilist@contact.nowhere.moe (PGP)