Setting up SSL
You need to have snapd installed; this step is already covered in Server Preparation.
Then remove any previously installed certbot package by running the command below:
sudo apt-get remove certbot
Setting up CertBot
CertBot Installation
We will use Certbot as our SSL manager. Install it with the commands below:
sudo snap install --classic certbot
sudo ln -s /snap/bin/certbot /usr/bin/certbot
sudo snap set certbot trust-plugin-with-root=ok
CertBot DNS Plugin
Since we're using Cloudflare as our DNS manager, we need to install the Cloudflare DNS plugin with the command below:
sudo snap install certbot-dns-cloudflare
Get your Cloudflare API token
To obtain your Cloudflare API token, follow these steps:
Log in to your Cloudflare account.
Go to the Profile section.
Select API Tokens.
Click on Create Token.
For this case, you only need "Edit zone DNS" permissions.
Once you've configured the token, click Continue to summary and then Create Token.
Make sure to copy your new API token and securely store it; you won’t be able to see it again.
After you have obtained your Cloudflare API token, put it in a file called certbot.ini on your server, in the format below:
dns_cloudflare_api_token = 0123456789abcdef0123456789abcdef01234567
You can use your text editor, or the command below, to write it to the file directly:
echo 'dns_cloudflare_api_token = 0123456789abcdef0123456789abcdef01234567' > ~/certbot.ini
Generate SSL
After finishing the previous steps, generate the certificate by running the command below:
certbot certonly \
  --dns-cloudflare-propagation-seconds 60 \
  --dns-cloudflare \
  --dns-cloudflare-credentials ~/certbot.ini \
  -d '*.<your-domain>'   # placeholder: the domain was cut off in the original; quote the wildcard so the shell does not expand it
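The credentials file above holds a token that can edit your DNS zone, so it should be readable by its owner only (certbot itself warns about unsafe permissions on it), and the wildcard passed to -d must be quoted so the shell does not expand it. The script below is an added example, not part of the original guide or of certbot: it writes the credentials file with owner-only permissions, refuses to run certbot if the file is group- or world-readable, and quotes the wildcard safely. It assumes the token is 40 characters like the guide's sample token; CERTBOT is an optional override of the certbot binary, introduced here only so the call can be exercised without network access.

```shell
#!/usr/bin/env bash
# Added example, not the guide's own commands. Assumptions: a 40-character Cloudflare
# token (as in the guide's sample); CERTBOT optionally overrides the certbot binary.
set -eu

# Return 0 if the token has the shape of a Cloudflare API token.
# Assumption: 40 characters from [A-Za-z0-9_-], the format of the guide's sample token.
valid_cf_token() {
    token="$1"
    [ "${#token}" -eq 40 ] || return 1
    case "$token" in
        *[!A-Za-z0-9_-]*) return 1 ;;
    esac
    return 0
}

# Write the file read by --dns-cloudflare-credentials, readable by the owner only.
# A world-readable token lets any local user on the server change your DNS records.
write_cf_credentials() {
    path="$1"; token="$2"
    valid_cf_token "$token" || { echo "token does not look like a Cloudflare API token" >&2; return 1; }
    # umask 077 in a subshell makes the file mode 0600 from the moment it is created
    ( umask 077 && printf 'dns_cloudflare_api_token = %s\n' "$token" > "$path" )
}

# Print the octal permission bits of a file (GNU stat, with a BSD stat fallback).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# True only if nobody but the owner can read the credentials file.
credentials_are_private() {
    mode="$(file_mode "$1")"
    [ "$mode" = "600" ] || [ "$mode" = "400" ]
}

# Request a wildcard certificate for the apex and all subdomains via the DNS-01 challenge.
# "*.$domain" is double-quoted so the shell never glob-expands the wildcard.
# Extra arguments (for example --dry-run) are passed through to certbot.
run_certbot_wildcard() {
    domain="$1"; creds="$2"; shift 2
    credentials_are_private "$creds" || { echo "refusing: $creds is not owner-only" >&2; return 1; }
    "${CERTBOT:-certbot}" certonly \
        --dns-cloudflare \
        --dns-cloudflare-credentials "$creds" \
        --dns-cloudflare-propagation-seconds 60 \
        -d "*.$domain" -d "$domain" "$@"
}

# Usage, as root (certbot writes to /etc/letsencrypt); save as cf-cert.sh and run:
#   . ./cf-cert.sh
#   write_cf_credentials /root/certbot.ini "$CF_TOKEN"
#   run_certbot_wildcard example.org /root/certbot.ini --dry-run   # staging test first
#   run_certbot_wildcard example.org /root/certbot.ini
```

The --dry-run pass goes against the Let's Encrypt staging environment and proves the DNS plugin and token work before you spend a real issuance on it.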
Re-Configure NGINX to use SSL
In Routing using NGINX, we already set up our domain to point to the correct endpoint, but it is still using HTTP. Now we will set it up to use HTTPS.
Edit your existing config by opening it with this command:
sudo nano /etc/nginx/sites-available/airchain-api-testnet
and replace its contents with this:
server {
    listen 80;
    # Redirect every plain-HTTP request to the HTTPS server below
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    # <your-domain> is a placeholder: the certificate paths were cut off in the original.
    # Certbot stores each certificate under /etc/letsencrypt/live/<domain>/.
    ssl_certificate /etc/letsencrypt/live/<your-domain>/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/<your-domain>/privkey.pem;
    # TLSv1 and TLSv1.1 are deprecated (RFC 8996); drop them unless you must serve legacy clients
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 5m;
    ssl_ecdh_curve secp384r1;
    ssl_stapling on;
    ssl_stapling_verify on;
    # Note: nginx inherits add_header directives from this level only if the location
    # below has none of its own, so these two headers are not sent for "location /"
    # as written; move them into the location if the endpoint needs them
    add_header 'Access-Control-Allow-Methods' 'GET,POST,OPTIONS';
    add_header 'Access-Control-Allow-Headers' 'Authorization,Accept,Origin,DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Content-Range,Range';
    location / {
        add_header Access-Control-Allow-Origin *;
        add_header Access-Control-Max-Age 3600;
        add_header Access-Control-Expose-Headers Content-Length;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # The proxy_pass target was cut off in the original; <upstream> is a placeholder
        # for the address you configured in "Routing using NGINX"
        proxy_pass http://<upstream>;
    }
}
Repeat the same process for your other endpoints, and all of them will have SSL enabled.
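As an added example (not the guide's own configuration), the following is the same HTTPS server block with the TLS settings brought up to current practice: TLS 1.0 and 1.1 removed, forward-secret cipher suites only, OCSP stapling given the resolver and issuer chain it needs, an HSTS header, and the CORS headers placed inside the location so nginx actually sends them. The placeholders <your-domain> and <upstream-host:port> are yours to fill in; the resolver addresses are Cloudflare's public resolvers and are an assumption you can replace with your own; TLSv1.3 needs nginx 1.13.0 or later built against OpenSSL 1.1.1 or later.

```nginx
# Added example, not the guide's configuration. Placeholders to fill in:
# <your-domain>, <upstream-host:port>. Resolver addresses are an assumption.
server {
    listen 80;
    server_name <your-domain>;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name <your-domain>;

    # Certbot's live directory: fullchain.pem = leaf + intermediates, chain.pem = intermediates only
    ssl_certificate         /etc/letsencrypt/live/<your-domain>/fullchain.pem;
    ssl_certificate_key     /etc/letsencrypt/live/<your-domain>/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/<your-domain>/chain.pem;

    # TLS 1.0 and 1.1 are deprecated (RFC 8996)
    ssl_protocols TLSv1.2 TLSv1.3;
    # TLS 1.2: forward-secret AEAD suites only (the TLS 1.3 suites are fixed by the library)
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
    ssl_prefer_server_ciphers off;
    ssl_ecdh_curve X25519:prime256v1:secp384r1;

    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 1d;
    # The default ticket key is only regenerated at restart; disabling tickets keeps
    # resumed sessions forward-secret
    ssl_session_tickets off;

    # OCSP stapling needs a resolver to reach the OCSP responder and the issuer chain
    # (ssl_trusted_certificate above) to verify the response
    ssl_stapling on;
    ssl_stapling_verify on;
    resolver 1.1.1.1 1.0.0.1 valid=300s;
    resolver_timeout 5s;

    location / {
        # add_header is not inherited into a location that declares its own, so every
        # header this endpoint needs is listed here rather than at server level.
        # HSTS: browsers refuse plain HTTP for this host for max-age seconds; enable it
        # only once HTTPS is confirmed working, and start with a small value such as 300
        add_header Strict-Transport-Security "max-age=31536000" always;
        add_header Access-Control-Allow-Origin *;
        add_header Access-Control-Allow-Methods 'GET,POST,OPTIONS';
        add_header Access-Control-Allow-Headers 'Authorization,Accept,Origin,DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Content-Range,Range';
        add_header Access-Control-Max-Age 3600;
        add_header Access-Control-Expose-Headers Content-Length;

        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # Lets the upstream know the client connection was TLS-terminated here
        proxy_set_header X-Forwarded-Proto https;
        proxy_pass http://<upstream-host:port>;
    }
}
```

Run sudo nginx -t before sudo systemctl reload nginx so a typo never takes the endpoint down. The certbot snap installs a renewal timer that renews the certificate automatically, but nginx keeps serving the old file until it is reloaded; passing --deploy-hook "systemctl reload nginx" to certbot when issuing makes the reload part of every renewal.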