Add a new website to a server running nginx, LetsEncrypt HTTPS and Certbot
Last updated in February 2025.
This is a follow-up note to https://yctct.com/setup-webserver, covering how to add a second website to the same web server.
Update DNS
In the DNS, point the domain name example.com, the subdomain www.example.com, or both to the IP address of the VPS.
A @ IP_address_of_server # for the domain name
A www IP_address_of_server # for the www subdomain
Configure web server
Read:
- https://fedfree.org/docs/http/debian-nginx.html#introduction-3
- https://fedfree.org/docs/http/debian-nginx.html#do-not-configure-the-hostname-first
Follow FedFree’s instructions:
Generate a LetsEncrypt certificate
Read:
Generate a LetsEncrypt certificate for the new website, for the domain name:
# certbot certonly --webroot -w /var/www/example.com --must-staple --rsa-key-size 4096 --agree-tos -w /var/www/letsencrypt -d example.com --register-unsafely-without-email
For the www subdomain, for example:
# certbot certonly --webroot -w /var/www/example.com --must-staple --rsa-key-size 4096 --agree-tos -w /var/www/letsencrypt -d www.example.com --register-unsafely-without-email
Then check that the example.com and www.example.com directories have been created:
# ls /etc/letsencrypt/live/
About --webroot: https://eff-certbot.readthedocs.io/en/stable/using.html#webroot.
Place index.html in root
# touch /var/www/example.com/index.html
or the folder of your site.
Add CAA to DNS
example.com. CAA 128 issue "letsencrypt.org"
CAA creates a DNS mechanism that enables domain name owners to whitelist CAs that are allowed to issue certificates for their hostnames.
Long story: https://blog.qualys.com/product-tech/2017/03/13/caa-mandated-by-cabrowser-forum
More information on CAA: https://letsencrypt.org/docs/caa/
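To see what the CAA record above permits, this added example (not part of the original note) evaluates records in the form printed by `dig +short CAA example.com`, following the RFC 8659 rules for a non-wildcard certificate. The function name caa_permits and the sample record are assumptions for illustration; it looks only at the records it is given and does not climb to parent domains.

```shell
#!/bin/sh
# caa_permits CA_DOMAIN   (hypothetical helper, not part of certbot or dig)
# Reads CAA records on stdin, one per line, as `dig +short CAA name` prints
# them:   flags tag "value"
# Returns 0 if CA_DOMAIN may issue a non-wildcard certificate, 1 otherwise.
caa_permits() {
    ca=$1 seen_issue=0 allowed=0 blocked=0
    while read -r flags tag value || [ -n "$flags" ]; do
        [ -n "$tag" ] || continue
        tag=$(printf '%s' "$tag" | tr 'A-Z' 'a-z')
        case $tag in
            issue)
                seen_issue=1
                # Drop quotes, whitespace and any ";param=value" suffix.
                issuer=$(printf '%s' "$value" | tr -d '" \t' \
                         | cut -d';' -f1 | tr 'A-Z' 'a-z')
                [ "$issuer" = "$ca" ] && allowed=1
                ;;
            issuewild|iodef)
                ;;  # no effect on non-wildcard issuance
            *)
                # Unknown tag with the critical bit (128) set: a CA that
                # does not understand it must refuse to issue.
                [ $(( flags & 128 )) -ne 0 ] && blocked=1
                ;;
        esac
    done
    [ "$blocked" -eq 0 ] || return 1
    # No "issue" record at all: this record set does not restrict issuance.
    [ "$seen_issue" -eq 0 ] && return 0
    [ "$allowed" -eq 1 ]
}

# Constructed sample: the record from this page as dig +short would print it.
printf '%s\n' '128 issue "letsencrypt.org"' | caa_permits letsencrypt.org \
    && echo "letsencrypt.org may issue for this name"
```

On a live domain, pipe the real output instead: `dig +short CAA example.com | caa_permits letsencrypt.org`.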
Tests
Run curl tests and the SSL test (you should get A+), see: https://fedfree.org/docs/http/debian-nginx.html#tests
Then:
# nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
And reload nginx:
# systemctl reload nginx
Back up the LetsEncrypt certificate
Back up the LetsEncrypt directory: https://yctct.com/backup-letsencrypt-folder-from-remote-to-local
Renew LetsEncrypt certificate automatically
See: https://yctct.com/renew-certificates