
Let's Try Let's Encrypt

Daisho Komiyama edited this page Mar 3, 2018 · 16 revisions

If you get this

gpg: keyring `/tmp/tmptwv64yji/secring.gpg' created
gpg: keyring `/tmp/tmptwv64yji/pubring.gpg' created
gpg: requesting key XXXXXXX from hkp server keyserver.ubuntu.com
gpgkeys: key YOURKEY can't be retrieved
gpg: no valid OpenPGP data found.
gpg: Total number processed: 0
gpg: keyserver communications error: keyserver helper general error
gpg: keyserver communications error: unknown pubkey algorithm
gpg: keyserver receive failed: unknown pubkey algorithm
Failed to add key.

I Tried this

sudo apt-key adv --recv-key --keyserver keyserver.ubuntu.com YOURKEY

And it worked! So I continued with

sudo apt-get update

then

sudo apt-get install python-certbot-nginx

It will use 29.4 MB of disk space. You'll get a prompt to continue. Hit [Y].

Check firewall status

I tried to check the ufw status:

sudo ufw status

It returned Status: inactive.

sudo ufw status verbose

Status: inactive :( So I tried

sudo apt-get install ufw

In retrospect it was not needed at all, because the status was still inactive after the installation.

Kick start the firewall

I found the command online for waking it up.

sudo ufw enable

It warned me: Command may disrupt existing ssh connections. Proceed with operation (y|n)? Yeah right, enabling the firewall could get me kicked out of my connection, but I hit [y], no choice. I tried checking the status again.

sudo ufw status

Status: active :) So I added

sudo ufw allow 'Nginx Full'

It returned

Rule added
Rule added (v6)

I ran the command below to delete the plain HTTP rule, as I won't need it anymore. I have Full now.

sudo ufw delete allow 'Nginx HTTP'

It returned

Could not delete non-existent rule
Could not delete non-existent rule (v6)

Because there weren't any ALLOWs for HTTP. At this point I noticed there weren't any ALLOWs for SSH access either. I opened a new window and tried to connect to my server via ssh. It failed. That means I had let myself be kicked out by the firewall I'd just set up. I had to do something before the session timed out:

sudo ufw allow ssh

OR

sudo ufw allow 22/tcp

according to this site: nixCraft

Rules added for ssh, shown below:

To                         Action      From
--                         ------      ----
Nginx Full                 ALLOW       Anywhere                  
22                         ALLOW       Anywhere                  
Nginx Full (v6)            ALLOW       Anywhere (v6)             
22 (v6)                    ALLOW       Anywhere (v6)

:)
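The lockout above is the usual way a first ufw setup goes wrong: the SSH rule is added only after the firewall is already enforcing. The script below is an added example, not part of this wiki page, that orders the steps so the session you are typing in survives. It assumes ufw is installed, that the "OpenSSH" and "Nginx Full" application profiles exist (Ubuntu ships them with openssh-server and nginx), and that it runs as root; the functions parse captured `ufw status` output so the plan can be inspected before anything is applied. Note that 'Nginx Full' keeps port 80 open on purpose, which the HTTP-01 renewal in the next section needs even after the HTTP-to-HTTPS redirect.

```shell
#!/bin/sh
# Added example (not from the wiki page): enable ufw on an nginx host without
# locking yourself out of SSH. Assumed: ufw installed, "OpenSSH" and
# "Nginx Full" app profiles present, running as root.
set -eu

# ufw_status_allows_ssh STATUS_TEXT
# Succeeds if the captured `ufw status` output already has an ALLOW rule for
# SSH, either as port 22 (optionally 22/tcp, with or without " (v6)") or as
# the OpenSSH profile.
ufw_status_allows_ssh() {
    printf '%s\n' "$1" | grep -Eq '^(22(/tcp)?|OpenSSH)[[:space:]].*ALLOW'
}

# ufw_status_allows_nginx STATUS_TEXT
# Succeeds if "Nginx Full" (ports 80 and 443) is already allowed.
ufw_status_allows_nginx() {
    printf '%s\n' "$1" | grep -Eq '^Nginx Full[[:space:]].*ALLOW'
}

# ufw_status_active STATUS_TEXT
# Succeeds if the firewall is already enabled.
ufw_status_active() {
    printf '%s\n' "$1" | grep -q '^Status: active'
}

# ufw_plan STATUS_TEXT
# Prints, one per line, the ufw commands still needed, in a safe order: the
# SSH rule goes in *before* `ufw enable`. ufw stores rules while inactive and
# applies them the moment it is enabled, so the current session is never cut.
ufw_plan() {
    _status="$1"
    if ! ufw_status_allows_ssh "$_status"; then
        echo "ufw allow OpenSSH"
    fi
    if ! ufw_status_allows_nginx "$_status"; then
        echo "ufw allow 'Nginx Full'"
    fi
    if ! ufw_status_active "$_status"; then
        # --force skips the "may disrupt existing ssh connections" prompt;
        # it is safe here because the SSH rule is already in place.
        echo "ufw --force enable"
    fi
}

# Usage: sh ufw-safe-enable.sh --plan   (print what would run)
#        sh ufw-safe-enable.sh --apply  (run it, then show the result)
if [ "${1:-}" = "--plan" ] || [ "${1:-}" = "--apply" ]; then
    current="$(ufw status)"
    ufw_plan "$current" | while IFS= read -r cmd; do
        echo "+ $cmd"
        if [ "$1" = "--apply" ]; then
            sh -c "$cmd"
        fi
    done
    if [ "$1" = "--apply" ]; then
        ufw status verbose
    fi
fi
```

Run it with --plan first; on a host in the state the page started from (Status: inactive) it prints the SSH rule, the nginx rule and the enable, in that order, and on a host already configured as in the table above it prints nothing.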

Use Certbot to get certificate

sudo certbot --nginx -d mybrailler.com -d www.mybrailler.com

I was asked for my email address, as it was my first time. There were a couple of prompts for agreeing to their policies. Keep hitting Y.

Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
-------------------------------------------------------------------------------
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
-------------------------------------------------------------------------------
Select the appropriate number [1-2] then [enter] (press 'c' to cancel):

I chose 2: Redirect, as I wanted my users to use encrypted pages.

Done

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/mybrailler.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/mybrailler.com/privkey.pem
   Your cert will expire on 2018-04-09. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot again
   with the "certonly" option. To non-interactively renew *all* of
   your certificates, run "certbot renew"
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.
 - If you like Certbot, please consider supporting our work by:

Do a dry run to make sure auto renewal works

sudo certbot renew --dry-run

Issue: Jan 11, 2018

The Let's Encrypt team announced that TLS-SNI validation will remain disabled for new accounts. They continue to allow it for renewals only.

After reading the articles above I tried

sudo certbot certonly --webroot -w /var/www/daishodesign.com -d daishodesign.com -d www.daishodesign.com

But I got this.

Failed authorization procedure. daishodesign.com (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://daishodesign.com/.well-known/acme-challenge/-l_Niy9bYjAZmEvbXCZnWTgxlmDZr1YMkMNfY7sswaI: 

I couldn't get it to work. (Mar 3, 2018)
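The "Invalid response from http://DOMAIN/.well-known/acme-challenge/..." error means Let's Encrypt fetched that URL and did not get back the file certbot had written under the -w directory. The script below is an added example, not part of this wiki page, that reproduces the check locally before another failed attempt is spent: it writes a token file into the webroot the way the webroot plugin does, fetches it through the public URL, and compares the bodies. It assumes curl is installed and takes the domain and webroot as arguments (the daishodesign.com paths from the page are only used in the usage comment). Common reasons for a mismatch are a -w path that is not the `root` nginx actually serves for that server name, or a location block that never reaches the /.well-known/acme-challenge/ directory. Two caveats: -L follows the HTTP-to-HTTPS redirect chosen earlier, which Let's Encrypt also follows, so the redirect itself is not a failure; and a check run from the server only proves the nginx mapping, not that the public DNS name reaches this host, so run it from another machine when in doubt.

```shell
#!/bin/sh
# Added example (not from the wiki page): confirm that the webroot handed to
# `certbot --webroot -w WEBROOT` is the directory nginx serves for
# http://DOMAIN/.well-known/acme-challenge/. Assumed: curl installed;
# ACME_FETCH may be overridden to swap the fetcher (used by tests).
set -eu

ACME_DIR=".well-known/acme-challenge"
# -f turns 4xx/5xx into an error, -L follows the HTTP->HTTPS redirect certbot
# may have installed earlier (Let's Encrypt follows redirects as well).
ACME_FETCH="${ACME_FETCH:-curl -fsSL}"

# acme_challenge_url DOMAIN TOKEN
# Prints the URL the Let's Encrypt validator will request for TOKEN.
acme_challenge_url() {
    printf 'http://%s/%s/%s\n' "$1" "$ACME_DIR" "$2"
}

# acme_place_token WEBROOT TOKEN BODY
# Writes the challenge file where certbot's webroot plugin would and prints
# its path.
acme_place_token() {
    mkdir -p "$1/$ACME_DIR"
    printf '%s' "$3" > "$1/$ACME_DIR/$2"
    printf '%s\n' "$1/$ACME_DIR/$2"
}

# acme_selfcheck DOMAIN WEBROOT
# Places a throwaway token under WEBROOT, fetches it via the public URL,
# removes it, and succeeds only if the served body matches byte for byte.
acme_selfcheck() {
    domain="$1"
    webroot="$2"
    token="selfcheck-$(date +%s)-$$"
    body="probe-$token"
    path="$(acme_place_token "$webroot" "$token" "$body")"
    url="$(acme_challenge_url "$domain" "$token")"
    got="$($ACME_FETCH "$url" 2>/dev/null || true)"
    rm -f "$path"
    if [ "$got" = "$body" ]; then
        echo "OK: $url is served from $webroot"
        return 0
    fi
    echo "FAIL: $url did not return the token written to $path" >&2
    echo "      check nginx's root for $domain, or point a location for /$ACME_DIR/ at $webroot" >&2
    return 1
}

# Usage: sh acme-selfcheck.sh daishodesign.com /var/www/daishodesign.com
if [ $# -eq 2 ]; then
    acme_selfcheck "$1" "$2"
fi
```

If the check passes but certbot still fails, the difference is the vantage point: the validator reaches the name over the public internet, so look at DNS and at the ufw rules from the previous section (port 80 must be allowed) rather than at the webroot.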
