Installing Let's Encrypt for HTTPS

If you would like to use Let's Encrypt, a free certificate authority, to enable HTTPS on your Countly server, this document explains how to generate, install, and update your certificate on your Countly instance.

Visit Let’s Encrypt and Install Certbot

The first step is to go to the Certbot page and install the certificate bot (Certbot), which will guide you through generating your certificate.

Here, select Nginx as the platform and then Ubuntu, CentOS, or Red Hat Enterprise Linux, based on the Linux distribution you use.

On the next page, run the commands as instructed (e.g., using wget, apt, or yum) to install Certbot, then set up the certificate for your site by following the instructions.

If the Default Method Doesn't Work

Depending on the method of installation, run the Certbot command directly on the console with root credentials. If it doesn't work, try standalone mode:

# certbot --authenticator standalone --installer nginx -d {yourdomain.com} -d {yourdomain.com} --pre-hook "service nginx stop" --post-hook "service nginx start"

Using Certificates

Let's Encrypt provides 4 files as output:

  • privkey.pem: the private key for your certificate.
  • fullchain.pem: the certificate file used in most server software.
  • chain.pem: used for OCSP stapling in Nginx versions 1.3.7 or above.
  • cert.pem: used only for self-signed certificates without authority.

These files should be mapped in the Nginx configuration like this:

# Use 2048-bit Diffie-Hellman key parameters
# (otherwise Nginx defaults to 1024 bit, lowering the strength of encryption
# when using PFS)
# Generated by OpenSSL with the following command (run it once before reloading Nginx):
# openssl dhparam -outform pem -out /etc/nginx/ssl/dhparam2048.pem 2048
# The path below must be the file that command wrote.
ssl_dhparam /etc/nginx/ssl/dhparam2048.pem;
# Certificate file and its private key
ssl_certificate /etc/letsencrypt/live/yourdomain.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/yourdomain.com/privkey.pem;
# Chain used for OCSP stapling
ssl_trusted_certificate /etc/letsencrypt/live/yourdomain.com/chain.pem;

Configuration Options

Now, edit the Countly Nginx configuration based on the Countly document in this link. You can also redirect HTTP requests to HTTPS based on the instructions given in the same document.

The next step is to set up automatic renewal of the certificate files (here we set it to run every 30 days). To do this, add a cron job as shown below.

0 0 */30 * *  /usr/bin/certbot renew --quiet --post-hook "/usr/sbin/service nginx restart"

This way, the certificate will renew every 30 days.
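
What the schedule above does in practice, as an added example that is not part of the original Countly document: in cron's day-of-month field `*/30` matches days 1 and 31 rather than a rolling 30-day interval, and `certbot renew` replaces a certificate only once it is inside its renewal window. The sketch assumes a 90-day certificate lifetime, certbot's default 30-day renewal window, and constructed noon issuance times, and it compares `*/30` with a daily run (`*/1`).

```python
from datetime import datetime, timedelta

CERT_LIFETIME = timedelta(days=90)  # assumption: Let's Encrypt certificate lifetime
RENEW_WINDOW = timedelta(days=30)   # assumption: certbot's default renewal window


def cron_days(step):
    """Days of the month matched by '*/step' in cron's day-of-month field (1-31)."""
    return set(range(1, 32, step))


def cron_runs(start, end, step):
    """Yield each midnight between start and end at which '0 0 */step * *' fires."""
    days = cron_days(step)
    run = datetime(start.year, start.month, start.day)
    while run <= end:
        if run >= start and run.day in days:
            yield run
        run += timedelta(days=1)


def renewal_margin(issued, step):
    """Validity left when the job first renews a certificate issued at `issued`."""
    expires = issued + CERT_LIFETIME
    for run in cron_runs(issued, expires, step):
        if expires - run < RENEW_WINDOW:  # earlier runs skip the certificate
            return expires - run
    return timedelta(0)  # no run fell inside the window: the certificate lapsed


def worst_case(year, step):
    """Smallest margin over certificates issued at noon on each day of `year`."""
    issued = datetime(year, 1, 1, 12)  # constructed issuance times
    results = []
    while issued.year == year:
        results.append((renewal_margin(issued, step), issued))
        issued += timedelta(days=1)
    return min(results)


if __name__ == "__main__":
    for step in (30, 1):
        margin, issued = worst_case(2023, step)
        print(f"*/{step} fires on days {sorted(cron_days(step))}")
        print(f"  worst margin {margin} (issued {issued:%Y-%m-%d})")
```

Under these assumptions a certificate issued at noon on 2023-01-31 is renewed by the `*/30` job only 12 hours before it expires, so one failed run lets it lapse, while a daily run renews with 29.5 days to spare.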

With this last step, you are done. Restart the Countly server and enjoy.
