Install certbot on Debian 9
$ sudo apt-get install certbot python-certbot-nginx
Obtain and install a certificate for the nginx sites
$ sudo certbot --nginx
Example
tuyendq@3:~$ sudo apt-get install certbot python-certbot-nginx
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following additional packages will be installed:
  python3-acme python3-certbot python3-certbot-nginx python3-cffi-backend
  python3-configargparse python3-configobj python3-cryptography python3-idna
  python3-josepy python3-mock python3-openssl python3-parsedatetime python3-pbr
  python3-pyasn1 python3-pyparsing python3-requests-toolbelt python3-rfc3339
  python3-setuptools python3-tz python3-zope.component python3-zope.event
  python3-zope.hookable python3-zope.interface
Suggested packages:
  python3-certbot-apache python-certbot-doc python-acme-doc
  python-certbot-nginx-doc python-configobj-doc python-cryptography-doc
  python3-cryptography-vectors python-mock-doc python-openssl-doc
  python3-openssl-dbg doc-base python-pyparsing-doc python-setuptools-doc
Recommended packages:
  python3-pyicu
The following NEW packages will be installed:
  certbot python-certbot-nginx python3-acme python3-certbot
  python3-certbot-nginx python3-cffi-backend python3-configargparse
  python3-configobj python3-cryptography python3-idna python3-josepy
  python3-mock python3-openssl python3-parsedatetime python3-pbr python3-pyasn1
  python3-pyparsing python3-requests-toolbelt python3-rfc3339
  python3-setuptools python3-tz python3-zope.component python3-zope.event
  python3-zope.hookable python3-zope.interface
0 upgraded, 25 newly installed, 0 to remove and 11 not upgraded.
Need to get 1,515 kB of archives.
After this operation, 8,070 kB of additional disk space will be used.
Do you want to continue? [Y/n] y
Get:1 http://deb.debian.org/debian stretch/main amd64 python3-cffi-backend amd64 1.9.1-2 [70.1 kB]
Get:2 http://deb.debian.org/debian stretch/main amd64 python3-idna all 2.2-1 [32.7 kB]
Get:3 http://deb.debian.org/debian stretch/main amd64 python3-pyasn1 all 0.1.9-2 [34.5 kB]
Get:4 http://deb.debian.org/debian stretch/main amd64 python3-setuptools all 33.1.1-1 [215 kB]
Get:5 http://deb.debian.org/debian stretch/main amd64 python3-cryptography amd64 1.7.1-3+deb9u1 [210 kB]
Get:6 http://deb.debian.org/debian stretch/main amd64 python3-openssl all 16.2.0-1 [43.8 kB]
Get:7 http://deb.debian.org/debian stretch/main amd64 python3-josepy all 1.1.0-2~deb9u1 [27.8 kB]
Get:8 http://deb.debian.org/debian stretch/main amd64 python3-pbr all 1.10.0-1 [52.5 kB]
Get:9 http://deb.debian.org/debian stretch/main amd64 python3-mock all 2.0.0-3 [59.9 kB]
Get:10 http://deb.debian.org/debian stretch/main amd64 python3-requests-toolbelt all 0.7.0-1 [36.7 kB]
Get:11 http://deb.debian.org/debian stretch/main amd64 python3-tz all 2016.7-0.3 [27.1 kB]
Get:12 http://deb.debian.org/debian stretch/main amd64 python3-rfc3339 all 1.0-4 [6,282 B]
Get:13 http://deb.debian.org/debian stretch-updates/main amd64 python3-acme all 0.28.0-1~deb9u2 [49.9 kB]
Get:14 http://deb.debian.org/debian stretch/main amd64 python3-configargparse all 0.11.0-1 [22.3 kB]
Get:15 http://deb.debian.org/debian stretch/main amd64 python3-configobj all 5.0.6-2 [35.2 kB]
Get:16 http://deb.debian.org/debian stretch/main amd64 python3-parsedatetime all 2.1-3+deb9u1 [37.7 kB]
Get:17 http://deb.debian.org/debian stretch/main amd64 python3-zope.hookable amd64 4.0.4-4+b2 [10.3 kB]
Get:18 http://deb.debian.org/debian stretch/main amd64 python3-zope.interface amd64 4.3.2-1 [89.8 kB]
Get:19 http://deb.debian.org/debian stretch/main amd64 python3-zope.event all 4.2.0-1 [8,412 B]
Get:20 http://deb.debian.org/debian stretch/main amd64 python3-zope.component all 4.3.0-1 [43.0 kB]
Get:21 http://deb.debian.org/debian stretch/main amd64 python3-certbot all 0.28.0-1~deb9u2 [222 kB]
Get:22 http://deb.debian.org/debian stretch/main amd64 certbot all 0.28.0-1~deb9u2 [37.7 kB]
Get:23 http://deb.debian.org/debian stretch/main amd64 python3-pyparsing all 2.1.10+dfsg1-1 [88.6 kB]
Get:24 http://deb.debian.org/debian stretch/main amd64 python3-certbot-nginx all 0.28.0-1~deb9u1 [50.2 kB]
Get:25 http://deb.debian.org/debian stretch/main amd64 python-certbot-nginx all 0.28.0-1~deb9u1 [2,872 B]
Fetched 1,515 kB in 0s (9,584 kB/s)
Selecting previously unselected package python3-cffi-backend.
(Reading database ... 54628 files and directories currently installed.)
Preparing to unpack .../00-python3-cffi-backend_1.9.1-2_amd64.deb ...
Unpacking python3-cffi-backend (1.9.1-2) ...
Selecting previously unselected package python3-idna.
Preparing to unpack .../01-python3-idna_2.2-1_all.deb ...
Unpacking python3-idna (2.2-1) ...
Selecting previously unselected package python3-pyasn1.
Preparing to unpack .../02-python3-pyasn1_0.1.9-2_all.deb ...
Unpacking python3-pyasn1 (0.1.9-2) ...
Selecting previously unselected package python3-setuptools.
Preparing to unpack .../03-python3-setuptools_33.1.1-1_all.deb ...
Unpacking python3-setuptools (33.1.1-1) ...
Selecting previously unselected package python3-cryptography.
Preparing to unpack .../04-python3-cryptography_1.7.1-3+deb9u1_amd64.deb ...
Unpacking python3-cryptography (1.7.1-3+deb9u1) ...
Selecting previously unselected package python3-openssl.
Preparing to unpack .../05-python3-openssl_16.2.0-1_all.deb ...
Unpacking python3-openssl (16.2.0-1) ...
Selecting previously unselected package python3-josepy.
Preparing to unpack .../06-python3-josepy_1.1.0-2~deb9u1_all.deb ...
Unpacking python3-josepy (1.1.0-2~deb9u1) ...
Selecting previously unselected package python3-pbr.
Preparing to unpack .../07-python3-pbr_1.10.0-1_all.deb ...
Unpacking python3-pbr (1.10.0-1) ...
Selecting previously unselected package python3-mock.
Preparing to unpack .../08-python3-mock_2.0.0-3_all.deb ...
Unpacking python3-mock (2.0.0-3) ...
Selecting previously unselected package python3-requests-toolbelt.
Preparing to unpack .../09-python3-requests-toolbelt_0.7.0-1_all.deb ...
Unpacking python3-requests-toolbelt (0.7.0-1) ...
Selecting previously unselected package python3-tz.
Preparing to unpack .../10-python3-tz_2016.7-0.3_all.deb ...
Unpacking python3-tz (2016.7-0.3) ...
Selecting previously unselected package python3-rfc3339.
Preparing to unpack .../11-python3-rfc3339_1.0-4_all.deb ...
Unpacking python3-rfc3339 (1.0-4) ...
Selecting previously unselected package python3-acme.
Preparing to unpack .../12-python3-acme_0.28.0-1~deb9u2_all.deb ...
Unpacking python3-acme (0.28.0-1~deb9u2) ...
Selecting previously unselected package python3-configargparse.
Preparing to unpack .../13-python3-configargparse_0.11.0-1_all.deb ...
Unpacking python3-configargparse (0.11.0-1) ...
Selecting previously unselected package python3-configobj.
Preparing to unpack .../14-python3-configobj_5.0.6-2_all.deb ...
Unpacking python3-configobj (5.0.6-2) ...
Selecting previously unselected package python3-parsedatetime.
Preparing to unpack .../15-python3-parsedatetime_2.1-3+deb9u1_all.deb ...
Unpacking python3-parsedatetime (2.1-3+deb9u1) ...
Selecting previously unselected package python3-zope.hookable.
Preparing to unpack .../16-python3-zope.hookable_4.0.4-4+b2_amd64.deb ...
Unpacking python3-zope.hookable (4.0.4-4+b2) ...
Selecting previously unselected package python3-zope.interface.
Preparing to unpack .../17-python3-zope.interface_4.3.2-1_amd64.deb ...
Unpacking python3-zope.interface (4.3.2-1) ...
Selecting previously unselected package python3-zope.event.
Preparing to unpack .../18-python3-zope.event_4.2.0-1_all.deb ...
Unpacking python3-zope.event (4.2.0-1) ...
Selecting previously unselected package python3-zope.component.
Preparing to unpack .../19-python3-zope.component_4.3.0-1_all.deb ...
Unpacking python3-zope.component (4.3.0-1) ...
Selecting previously unselected package python3-certbot.
Preparing to unpack .../20-python3-certbot_0.28.0-1~deb9u2_all.deb ...
Unpacking python3-certbot (0.28.0-1~deb9u2) ...
Selecting previously unselected package certbot.
Preparing to unpack .../21-certbot_0.28.0-1~deb9u2_all.deb ...
Unpacking certbot (0.28.0-1~deb9u2) ...
Selecting previously unselected package python3-pyparsing.
Preparing to unpack .../22-python3-pyparsing_2.1.10+dfsg1-1_all.deb ...
Unpacking python3-pyparsing (2.1.10+dfsg1-1) ...
Selecting previously unselected package python3-certbot-nginx.
Preparing to unpack .../23-python3-certbot-nginx_0.28.0-1~deb9u1_all.deb ...
Unpacking python3-certbot-nginx (0.28.0-1~deb9u1) ...
Selecting previously unselected package python-certbot-nginx.
Preparing to unpack .../24-python-certbot-nginx_0.28.0-1~deb9u1_all.deb ...
Unpacking python-certbot-nginx (0.28.0-1~deb9u1) ...
Setting up python3-requests-toolbelt (0.7.0-1) ...
Setting up python3-pbr (1.10.0-1) ...
update-alternatives: using /usr/bin/python3-pbr to provide /usr/bin/pbr (pbr) in auto mode
Setting up python3-cffi-backend (1.9.1-2) ...
Setting up python3-mock (2.0.0-3) ...
Setting up python3-zope.event (4.2.0-1) ...
Setting up python3-idna (2.2-1) ...
Setting up python3-pyparsing (2.1.10+dfsg1-1) ...
Setting up python3-zope.interface (4.3.2-1) ...
Setting up python3-configargparse (0.11.0-1) ...
Setting up python3-zope.hookable (4.0.4-4+b2) ...
Setting up python3-pyasn1 (0.1.9-2) ...
Processing triggers for man-db (2.7.6.1-2) ...
Setting up python3-configobj (5.0.6-2) ...
Setting up python3-setuptools (33.1.1-1) ...
Setting up python3-tz (2016.7-0.3) ...
Setting up python3-parsedatetime (2.1-3+deb9u1) ...
Setting up python3-cryptography (1.7.1-3+deb9u1) ...
Setting up python3-rfc3339 (1.0-4) ...
Setting up python3-zope.component (4.3.0-1) ...
Setting up python3-openssl (16.2.0-1) ...
Setting up python3-josepy (1.1.0-2~deb9u1) ...
Setting up python3-acme (0.28.0-1~deb9u2) ...
Setting up python3-certbot (0.28.0-1~deb9u2) ...
Setting up certbot (0.28.0-1~deb9u2) ...
Created symlink /etc/systemd/system/timers.target.wants/certbot.timer → /lib/systemd/system/certbot.timer.
Setting up python3-certbot-nginx (0.28.0-1~deb9u1) ...
Setting up python-certbot-nginx (0.28.0-1~deb9u1) ...
tuyendq@3:~$
tuyendq@3:~$ sudo certbot --nginx
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx
Enter email address (used for urgent renewal and security notices) (Enter 'c' to
cancel):
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server at
https://acme-v02.api.letsencrypt.org/directory
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(A)gree/(C)ancel: A
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about our work
encrypting the web, EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y
Which names would you like to activate HTTPS for?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: hanviet.practicehabits.net
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 1
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for hanviet.practicehabits.net
Waiting for verification...
Cleaning up challenges
Deploying Certificate to VirtualHost /etc/nginx/conf.d/hanviet.conf
Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 1
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations! You have successfully enabled
https://hanviet.practicehabits.net
You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=hanviet.practicehabits.net
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/hanviet.practicehabits.net/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/hanviet.practicehabits.net/privkey.pem
   Your cert will expire on 2020-03-22. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot again
   with the "certonly" option. To non-interactively renew *all* of
   your certificates, run "certbot renew"
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.
 - If you like Certbot, please consider supporting our work by:
   Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
   Donating to EFF: https://eff.org/donate-le
tuyendq@3:~$
Enable HTTP/2
Edit the site's config file: add 'http2' right after "listen 443 ssl", then test the configuration and reload nginx
listen 443 ssl http2;
$ sudo nginx -t
$ sudo nginx -s reload
Verify HTTP/2
$ curl -i https://hanviet.practicehabits.net
HTTP/2 200
server: nginx/1.16.1
date: Mon, 23 Dec 2019 02:34:43 GMT
content-type: text/html; charset=utf-8
content-length: 1220
x-powered-by: Express
etag: W/"4c4-/cpYZten6ChVt+prSdp0Pqj70j4"
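The manual check above can be scripted. The following is an added example, not part of the original post: it reads the header block printed by curl -si and reports whether HTTP/2 was negotiated, plus the hardening gaps visible in the response shown above. The function names audit_headers and sample_response are made up for this example, and the sample input is the response from this page.

```shell
#!/bin/sh
# Added example: audit the headers printed by `curl -si https://<host>`.
# audit_headers (hypothetical name) reads the response on stdin and
# prints one finding per line.
audit_headers() {
    awk '
    { sub(/\r$/, "") }                  # curl output keeps CRLF line endings
    NR == 1 { proto = $1; next }        # status line, e.g. "HTTP/2 200"
    /^$/ { exit }                       # blank line ends the header block
    {
        name = tolower($0); sub(/:.*/, "", name)
        value = $0; sub(/^[^:]*:[ \t]*/, "", value)
        seen[name] = value
    }
    END {
        if (proto == "")                print "FAIL no response received"
        else if (proto ~ /^HTTP\/2/)    print "OK   protocol " proto
        else print "FAIL protocol is " proto ", expected HTTP/2"
        if (proto == "") exit
        # With the "No redirect" choice, port 80 stays open, so HSTS matters.
        if (!("strict-transport-security" in seen))
            print "WARN no Strict-Transport-Security header"
        if (("server" in seen) && seen["server"] ~ /[0-9]/)
            print "WARN server header discloses version: " seen["server"]
        if ("x-powered-by" in seen)
            print "WARN x-powered-by discloses backend: " seen["x-powered-by"]
    }'
}

# Sample input: the response headers shown on this page.
sample_response() {
cat <<'EOF'
HTTP/2 200
server: nginx/1.16.1
date: Mon, 23 Dec 2019 02:34:43 GMT
content-type: text/html; charset=utf-8
content-length: 1220
x-powered-by: Express
etag: W/"4c4-/cpYZten6ChVt+prSdp0Pqj70j4"
EOF
}

sample_response | audit_headers
```

Against a live site, run it as: curl -si https://hanviet.practicehabits.net | audit_headers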