
nihilist - 00 / 00 / 00

Minimalistic NGINX Setup with HTTPS

In this tutorial we'll see how to install an NGINX server with a free TLS 1.3 certificate and a free domain name.

Initial Setup

Before we start, make sure you have a Debian 10+ server with a public IP (a rented VPS on DigitalOcean, for example). If this is a Debian server hosted at home, you need to forward port 443 on your router so that port 443 on the public IP address points to the server's port 443 and not to the router. Once that's done, SSH into your server:

From here, we'll run the following commands:

    apt update -y && apt upgrade -y
    apt install nginx curl socat git -y

Once that's installed, we can verify nginx is installed like so:

    root@debian-s-1vcpu-1gb-fra1-01:~# which nginx && nginx -v
    nginx version: nginx/1.14.2

We can verify it is running using systemctl:

Minimalistic NGINX HTTPS configuration

Now that nginx is installed, by default only port 80 is opened, as we can see here:

So from here, we'll install the custom configuration (located in /etc/nginx/sites-enabled/my_conf.conf):

    wget -O /etc/nginx/sites-enabled/my_conf.conf

Once that's done, we verify if nginx's configuration is correct:

    root@debian-s-1vcpu-1gb-fra1-01:~# nginx -t
    nginx: [emerg] no "ssl_certificate_key" is defined for certificate "/root/"
    nginx: configuration file /etc/nginx/nginx.conf test failed

Obviously, we're missing the TLS certificates here, and we're going to use which is going to get us our free Let's Encrypt TLS cert:

    wget -O - | sh
    source ~/.bashrc

And now we can run, but before that we need to stop nginx. If you do not have a domain name yet, go get one and make sure it points to your VPS's public IP address. If you want a free domain name alternative, you can use DuckDNS:

You can verify that the domain name points to your VPS correctly like so:

systemctl stop nginx --set-default-ca  --server  letsencrypt --issue --standalone -d -k 4096

Now that we have our free Let's Encrypt TLS certificate, we verify that the nginx config is correct using the "nginx -t" command. If it does not give you a positive answer, you probably forgot to edit the configuration in /etc/nginx/sites-enabled/my_conf.conf to contain your own domain name:

    wget -O /etc/nginx/sites-enabled/my_conf.conf
    nano /etc/nginx/sites-enabled/my_conf.conf

Once you're done, hit CTRL+S to save in nano, and then CTRL+X to exit nano.

After that, verify that the nginx configuration is correct, and restart nginx:

    nginx -t
    systemctl start nginx

    echo 'Welcome to my website!' > /var/www/html/index.html

And we're done!

Checking out the website

We're done, and we can now check out the website:

And here we can see the index.html we previously created. Thanks to the nginx config we installed, the server attempts TLS 1.3 first, and falls back to TLS 1.2 only if TLS 1.3 is not supported.
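The following offline check covers the two things this setup depends on: the server block must define both the certificate and its key (the cause of the `nginx -t` error shown earlier), and only TLS 1.3 and TLS 1.2 should be enabled. It is an added example, not the tutorial's my_conf.conf or the author's code; the sample server block, its domain name and certificate paths are constructed placeholders, and `directives` and `audit` are hypothetical helper names.

```python
import re

# Constructed sample server block (placeholder domain and certificate paths,
# NOT the tutorial's my_conf.conf).
SAMPLE_CONF = """
server {
    listen 443 ssl;
    server_name example.duckdns.org;
    ssl_certificate     /path/to/fullchain.cer;
    ssl_certificate_key /path/to/example.key;
    ssl_protocols TLSv1.3 TLSv1.2;
    root /var/www/html;
}
"""

ALLOWED_PROTOCOLS = {"TLSv1.2", "TLSv1.3"}

def directives(conf):
    """Map each simple 'name args;' directive to a list of its argument lists."""
    conf = re.sub(r"#[^\n]*", "", conf)  # strip comments
    found = {}
    for name, args in re.findall(r"^\s*([a-z_]+)\s+([^;{}]+);", conf, re.M):
        found.setdefault(name, []).append(args.split())
    return found

def audit(conf):
    """Return a list of findings; an empty list means the block passes."""
    d = directives(conf)
    findings = []
    # Accept '443' or 'addr:443', and require the 'ssl' parameter on the same listen line.
    if not any("ssl" in a and any(re.fullmatch(r"(.*:)?443", x) for x in a)
               for a in d.get("listen", [])):
        findings.append("no 'listen 443 ssl' directive")
    for name in ("ssl_certificate", "ssl_certificate_key"):
        if name not in d:
            findings.append(f"{name} is not defined")
    protos = {p for args in d.get("ssl_protocols", []) for p in args}
    if not protos:
        findings.append("ssl_protocols not set; nginx uses its version-dependent default")
    elif protos - ALLOWED_PROTOCOLS:
        findings.append("legacy protocols enabled: " + " ".join(sorted(protos - ALLOWED_PROTOCOLS)))
    elif "TLSv1.3" not in protos:
        findings.append("TLSv1.3 is not enabled")
    return findings

if __name__ == "__main__":
    for line in audit(SAMPLE_CONF) or ["ok"]:
        print(line)
```

To run it against a real file, pass the file's contents to `audit()` instead of `SAMPLE_CONF`; it only reads simple `name args;` directives and does not follow `include` lines.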

We can verify it is working on

And there we have it: we now have a working nginx server using TLS 1.3 by default, with a free domain name and free TLS certificates provided by Let's Encrypt.

To force the renewal of certificates every month, add this crontab entry:

    crontab -e

    0  0 1 * * systemctl stop nginx ; "/root/"  --server letsencrypt --cron --home "/root/" --force ; systemctl start nginx # once a month, force the renewal of the certificates

