March 12, 2017

SSL for Raspberry Pi Nginx server with dynamic IP and Custom Domain

This post explains how to host your own Raspberry Pi web server at home on a dynamic IP, with a custom domain and SSL.

I tried many different methods and different ways to install certbot, but on RPi Raspbian Jessie Lite, this is the only way.

Goal

Host your own web site(s) on a Raspberry Pi at home, with a custom domain and SSL support.

Environment

  • Raspberry Pi + Raspbian Jessie Lite
  • Fast internet
  • Your ISP allows ports 80 and 443
  • Your own domain, with access to edit its DNS

Prep-work

  1. Set up the Raspberry Pi with a static IP, and configure your router to forward ports 80 and 443 (SSL) to your RPi web server.
  2. Set up the custom domain with your dynamic IP. Make sure the DNS settings are correct.
  3. Set up Nginx on the RPi.

Set up SSL on RPi  

  • You have to complete the prep-work above before following the steps below.
  • It is assumed your web site's root doc directory is: /var/www/mysite/
  • It is assumed your custom domain is: www.mydomain.com
  • Nginx is up and running, and accessible by the custom domain.

STEPS:

1. Modify Nginx configuration as follows:

Add SSL -- the listen 443 ssl line and the two ssl_certificate lines:

server {
    listen 80;
    listen 443 ssl;
    ssl_certificate /etc/letsencrypt/live/www.mydomain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/www.mydomain.com/privkey.pem;


and also add this inside the same server block:

    location ~ /.well-known {
        allow all;
    }

and restart Nginx.

2. Set up Certbot. Copy and paste the lines below one at a time. It is important that your web server is running and accessible by the domain (e.g. http://www.mydomain.com):

sudo -i
mkdir /opt/certbot

cd /opt/certbot
wget https://dl.eff.org/certbot-auto
chmod a+x certbot-auto


# The step below will take a while and will ask you some questions -- your email and your agreements.
# It is run as ./certbot-auto because /opt/certbot is not on the PATH.

./certbot-auto certonly --webroot -w /var/www/mysite -d www.mydomain.com


3. Once everything works, add this to the root user's cron:

sudo -i
crontab -e

and add this line to renew the cert every 3 months:

0 0 1 */3 * /opt/certbot/certbot-auto renew --quiet --no-self-upgrade >> /var/log/letsencrypt/renew.log 2>&1
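
The cron schedule above can be checked against certbot's renewal rule. The following is an added example, not part of the original post: it simulates, at day granularity, a 90-day Let's Encrypt certificate that "certbot renew" replaces only once it is within 30 days of expiry. The issuance date and the weekly and daily schedules are assumptions chosen for comparison.

```python
from datetime import date, timedelta

CERT_LIFETIME = timedelta(days=90)  # Let's Encrypt certificate validity
RENEW_WINDOW = timedelta(days=30)   # certbot renew acts only inside this window

# Which days each schedule fires on (cron runs at 00:00 in every case).
def quarterly(d):   # the post's fields: 0 0 1 */3 *  -> 1st of Jan/Apr/Jul/Oct
    return d.day == 1 and d.month in (1, 4, 7, 10)

def weekly(d):      # assumed alternative: 0 0 * * 1  -> every Monday
    return d.weekday() == 0

def daily(d):       # assumed alternative: 0 0 * * *
    return True

def simulate(issued, runs_on, horizon_days=365):
    """Return (renewal_dates, days_with_expired_cert) for one schedule."""
    expires = issued + CERT_LIFETIME
    renewals, expired_days = [], 0
    for offset in range(1, horizon_days + 1):
        today = issued + timedelta(days=offset)
        if runs_on(today) and expires - today <= RENEW_WINDOW:
            expires = today + CERT_LIFETIME   # renewed: new 90-day cert
            renewals.append(today)
        elif today >= expires:
            expired_days += 1                 # site is serving an expired cert
    return renewals, expired_days

if __name__ == "__main__":
    issued = date(2017, 3, 12)  # constructed issuance date
    for name, schedule in (("quarterly", quarterly), ("weekly", weekly), ("daily", daily)):
        renewals, gap = simulate(issued, schedule)
        print(f"{name:9} renewals={[d.isoformat() for d in renewals]} expired_days={gap}")
```

For this issuance date the quarterly schedule leaves the site on an expired certificate for 25 days in the first year, while a weekly or daily run leaves no gap, because "certbot renew" does nothing until the 30-day window opens.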
