Dev Site - Buying a domain name, setting up nginx, and configuring Let’s Encrypt with Certbot

Buying a domain

Buying a domain is very simple. I have used both Google Domains and Namecheap in the past. I prefer Namecheap, but I gave Google Domains a try when buying a .dev website (which is owned by Google).

The process for both is pretty much the same: search for the domain you want and buy it for a year if it is available.

For this example, I will purchase https://dylanjonestest.dev.

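Note: if you buy a .dev domain, you must use HTTPS or it will not work, because the entire .dev TLD is on the HSTS preload list and browsers refuse to load it over plain HTTP. We will cover that later.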

Configuring DNS

Next, we need to configure DNS for our domain. This tells anyone who looks up your domain which server to connect to.

To do this, log into the domain registrar you picked (Google Domains in my case), and find your DNS settings. Then you just need to add an A record, and set it to point to your server’s IP address. You do not need anything in the name field:

If you wanted to use www before your domain (so https://www.dylanjonestest.dev instead of https://dylanjonestest.dev), then you would set the name to www.

You do not want to add both, because we will only be setting up one SSL certificate.

In order to redirect https://www.dylanjonestest.dev to https://dylanjonestest.dev, you can add a synthetic record like so:

You can ignore the error, it will be resolved later (once SSL is set up).

nginx

nginx is a simple HTTP server that we will use as a reverse proxy. Our actual website will be hosted through Docker, but we will use nginx and Certbot to force an HTTPS connection.

For now, all we need to do is install it, enable it (so it will be started when the server starts), and start it up:

# yay -S nginx
# sudo systemctl enable nginx
# sudo systemctl start nginx

If it worked, you can navigate to your IP address in a browser and you will get this page:

Configuring nginx

We need to do a little configuring before setting up SSL.

Edit /etc/nginx/nginx.conf and set server_name, in the default server block, to your new domain name:

Restart nginx:

# sudo systemctl restart nginx

Now we can finish setting it up with SSL using Let’s Encrypt and Certbot.

Let’s Encrypt (with Certbot)

Let’s Encrypt is an awesome Certificate Authority that will let you easily generate SSL certificates automatically and for free.

To easily configure this, we will use Certbot.

Since we are using nginx, we need to install certbot-nginx:

# yay -S certbot-nginx

Then run certbot with the nginx plugin:

# sudo certbot --nginx

Follow the prompts, making sure to choose the option to redirect HTTP traffic to HTTPS.

If that works, you should be able to navigate to your domain (https://dylanjonestest.dev/) and get the same nginx screen as above! But now, you are using the domain name you bought and it is secured using SSL.

Automatic renewal

Let’s Encrypt certificates only last 90 days. So you can either manually renew them every 90 days or so, or set up a systemd service to do it automatically.

To do this, create /etc/systemd/system/certbot-renewal.service with the following contents (using sudo):

[Unit]
Description=Certbot Renewal

[Service]
ExecStart=/usr/bin/certbot renew --quiet --agree-tos --post-hook "systemctl restart nginx"

This will renew the certificate, agree to the Terms of Service if necessary, and restart nginx afterwards.

We also need to create a timer, so create /etc/systemd/system/certbot-renewal.timer with the following contents (using sudo):

[Unit]
Description=Timer for Certbot Renewal

[Timer]
OnBootSec=300
OnUnitActiveSec=12h

[Install]
WantedBy=multi-user.target

This will run the renewal 5 minutes after the system boots up, and then run it every 12 hours thereafter.

Once the certificate is within 30 days of expiring, certbot renew will renew it. That will ensure that you do not have any downtime waiting for the certificate to be renewed.

Then you just need to enable and start the certbot timer:

# sudo systemctl enable certbot-renewal.timer
# sudo systemctl start certbot-renewal.timer

To ensure that it is working, run:

# sudo systemctl status certbot-renewal.service

It should say succeeded:

And that’s it!
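A timer that fails quietly only shows up when the certificate expires, so it is worth checking the certificate that nginx actually serves. The following is an added example, not part of the original post: it compares the served certificate's expiry against the 30-day renewal window described above. The function names and the GRACE_DAYS value are assumptions made for illustration.

```python
"""Added example: flag a certificate that the renewal timer should have replaced."""
import socket
import ssl
import time

RENEW_WINDOW_DAYS = 30  # certbot renews once fewer than 30 days remain
GRACE_DAYS = 3          # assumption: slack for a few failed 12-hourly runs


def days_left(not_after, now=None):
    """Whole days until expiry, given the notAfter text from getpeercert()."""
    now = time.time() if now is None else now
    return int((ssl.cert_time_to_seconds(not_after) - now) // 86400)


def renewal_state(not_after, now=None):
    """Classify a certificate as ok, renewal-due, renewal-overdue or expired."""
    left = days_left(not_after, now)
    if left < 0:
        return "expired"
    if left < RENEW_WINDOW_DAYS - GRACE_DAYS:
        return "renewal-overdue"  # the timer should already have replaced it
    if left < RENEW_WINDOW_DAYS:
        return "renewal-due"      # inside the window, next timer run renews
    return "ok"


def fetch_not_after(host, port=443, timeout=5.0):
    """Read notAfter from the certificate the server presents."""
    ctx = ssl.create_default_context()  # verifies chain and hostname
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()["notAfter"]


if __name__ == "__main__":
    import sys
    # Default host is the example domain used in this article.
    host = sys.argv[1] if len(sys.argv) > 1 else "dylanjonestest.dev"
    try:
        state = renewal_state(fetch_not_after(host))
    except ssl.SSLCertVerificationError as exc:  # expired certs fail here
        state = "invalid: %s" % exc.verify_message
    print(host, state)
    sys.exit(0 if state in ("ok", "renewal-due") else 1)
```

Run it from a machine other than the web server (for example from cron or a monitoring job), so it still reports when the server's own timer is broken; a non-zero exit status means the renewal needs attention.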

Next Time

In the next article, we are going to go over creating the actual website using VuePress and Tailwind CSS. We will need to get some code available before we can set up automated deployments!