How to Secure Nginx with Let’s Encrypt On Ubuntu 20.04 / 18.04

Introduction

Let’s Encrypt is a free, automated, and open Certificate Authority (CA) that provides an easy way to obtain and install free TLS/SSL certificates, thereby enabling encrypted HTTPS on web servers. In this tutorial, we will show you how to secure Nginx with Let’s Encrypt on Ubuntu 20.04 / 18.04. We will cover how to install the Let’s Encrypt client, generate SSL certificates, and configure Nginx to use the certificates. We will also show you how to automatically renew the certificates.

How to Secure Nginx with Let’s Encrypt On Ubuntu 20.04 / 18.04

1. Install Certbot

Before you can secure your Nginx web server with Let’s Encrypt, you need to install Certbot, the official Let’s Encrypt client.

To install Certbot on Ubuntu 20.04 / 18.04, run the following command:

$ sudo apt-get install certbot

2. Generate a Let’s Encrypt SSL Certificate

Once Certbot is installed, you can generate a Let’s Encrypt SSL certificate for your Nginx web server.

To generate a Let’s Encrypt SSL certificate, run the following command:

$ sudo certbot –nginx

3. Configure Nginx to Use the SSL Certificate

Once the SSL certificate is generated, you need to configure Nginx to use the SSL certificate.

To do this, open the Nginx configuration file in a text editor:

$ sudo nano /etc/nginx/sites-available/default

Then, add the following lines to the server block:

listen 443 ssl;

ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;

ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

Save and close the file.

4. Restart Nginx

Finally, you need to restart Nginx for the changes to take effect.

To restart Nginx, run the following command:

$ sudo systemctl restart nginx
[ad_1]

Introduction

Any website that aspires to attract visitors needs to include SSL/TLS encryption for its domain. SSL/TLS certificates ensure a safe connection between your web server and browsers.

Let’s Encrypt is a free certificate authority that allows you to set up such protection. It is the simplest way to secure your Nginx server.

In this article, you will find the simplest way to secure your Nginx server by obtaining Let’s Encrypt certificates using the Certbot software. 

How to install LetsEncrypt on Nginx

Prerequisites

  • A system running Ubuntu 20.04 (or Ubuntu 18.04)
  • Access to a terminal window/command line
  • Sudo or root privileges on local/remote machines
  • Nginx installed and set up
  • A registered domain name
  • A server block configured for that domain name

How to Secure Nginx with Let’s Encrypt On Ubuntu 20.04

Step 1: Install Certbot

Certbot is an open-source software tool for automatically enabling HTTPS using Let’s Encrypt certificates.

The first step to securing Nginx with Let’s Encrypt is to install Certbot. To do so, start by opening a terminal window and updating the local repository:

sudo apt update

Then, download and install Certbot and its Nginx plugin by running:

sudo apt install certbot python3-certbot-nginx

Type y to confirm the installation and hit Enter.

Step 2: Check Nginx Configuration

As noted in the prerequisites, you should already have a registered domain and an Nginx server block for that domain. As an example, this article uses the domain example.com.

To check whether it is set up correctly, open the Nginx configuration file:

sudo nano /etc/nginx/sites-available/example.com

Then, locate the server_name directive and make sure it is set to your domain name. As you want to include the domain name with and without the www. prefix, the line should look similar to the one below:

server_name example.com www.example.com;

Note: If you need to make changes to the Nginx configuration file, make sure to save the modified file. Then, check the configuration syntax with the command sudo nginx -t and restart the service with sudo systemctl reload nginx.

Step 3: Adjust Firewall to Allow HTTPS Traffic

The next step is to adjust the firewall to allow HTTPS traffic.

If you followed the Nginx installation guide, you already enabled your firewall to allow Nginx HTTP. As you are adding Let’s Encrypt certificates, you need to configure the firewall for encrypted traffic.

1. To ensure your firewall is active and allows HTTPS traffic, run the command:

sudo ufw status

The output should tell you UFW is active and give you a list of set rules. In the following example, it shows that the firewall allows Nginx HTTP traffic, but not HTTPS.

Check UFW status.

Nginx has three (3) profiles you can add as rules:

  • Nginx HTTP (opens port 80)
  • Nginx HTTPS (opens port 443 – encrypted traffic)
  • Nginx Full (opens port 80 and 443)

2. To allow encrypted traffic, you can either add the Nginx HTTPS profile or use Nginx Full and delete the existing Nginx HTTP rule:

a) Allow Nginx HTTPS traffic by running the command:

sudo ufw allow 'Nginx HTTPS'
Allow Nginx traffic in firewall.

b) Remove Nginx HTTP and use Nginx Full instead with:

sudo ufw deny 'Nginx HTTP'
sudo ufw allow 'Nginx Full'
Add HTTPS traffic to firewall rules.

3. Verify you added a rule that allows HTTPS traffic by using the ufw status command.

Check UFW rules.

Step 4: Obtain the SSL/TLS Certificate

Nginx’s plugin for Certbot reconfigures Nginx and reloads its configuration when needed. Therefore, the only thing you need to do is generate certificates with the NGINX plug‑in.

1. To do so, run the command:

sudo certbot --nginx -d example.com -d www.example.com

2. The output asks you to configure your HTTPS settings. Enter your email address and agree to the terms of service to continue.

3. Once you configure HTTPS, Certbot completes generating the certificate and reloads Nginx with the new settings.

4. Finally, the output displays that you have successfully generated a certificate and specifies the location of the certificate on your server.

Step 5: Enable Automatic Certificate Renewal

Since Let’s Encrypt certificates expire every 90 days, Nginx recommends setting up and automatic renewal cron job.

1. First, open the crontab configuration file for the current user:

crontab -e

2. Add a cron job that runs the certbot command, which renews the certificate if it detects the certificate will expire within 30 days. Schedule it to run daily at a specified time (in this example, it does so at 05:00 a.m.):

0 5 * * * /usr/bin/certbot renew --quiet

The cron job should also include the --quiet attribute, as in the command above. This instructs certbot not to include any output after performing the task.

Enable automatic certificate renewal.

3. Once you added the cron job, save the changes, and exit the file.

Note: Want to learn more about cron jobs? Refer to our article on How to Set Up Cron Jobs and master running automated processes on your system at a scheduled time.

Conclusion

If you followed the steps outlined in this article, you should have successfully secured your Nginx with Let’s Encrypt that will generate SSL/TLS certificates for your domain. In addition, you should have enabled Certbot to renew certificates automatically.

[ad_2]

How to Secure Nginx with Let’s Encrypt On Ubuntu 20.04 / 18.04

Let’s Encrypt is a free, automated, and open Certificate Authority (CA). It provides free SSL/TLS certificates to secure websites. In this tutorial, we will show you how to secure Nginx with Let’s Encrypt on Ubuntu 20.04 / 18.04.

Prerequisites

  • A server running Ubuntu 20.04 / 18.04.
  • A domain name pointed to your server IP.
  • A non-root user with sudo privileges.
  • Nginx installed on your server.

Step 1 – Install Certbot

Certbot is a free and open-source tool for automatically using Let’s Encrypt certificates on manually-administrated websites to enable HTTPS. It is a command-line client written in Python by the Electronic Frontier Foundation.

First, update the apt package index:

sudo apt update

Then, install Certbot with the following command:

sudo apt install certbot python3-certbot-nginx

Step 2 – Obtain an SSL Certificate

Once the Certbot is installed, run the following command to obtain an SSL certificate for your domain:

sudo certbot --nginx -d example.com -d www.example.com

You will be asked to provide an email address for important account notifications and to agree to the terms of service. After that, you will be asked to choose whether or not to redirect HTTP traffic to HTTPS.

Once the installation is completed, you should see the following output:

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/example.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/example.com/privkey.pem
   Your cert will expire on 2020-08-20. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"

Step 3 – Verify SSL Certificate

Now, you can verify the SSL certificate with the following command:

sudo certbot certificates

You should see the following output:

Found the following certs:
  Certificate Name: example.com
    Domains: example.com www.example.com
    Expiry Date: 2020-08-20 11:59:59+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/example.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/example.com/privkey.pem

Step 4 – Test Auto Renewal

Let’s Encrypt certificates are valid for 90 days. It is recommended to renew the certificates before they expire. Certbot can be used to automatically renew the certificates before they expire.

You can test the auto renewal process with the following command:

sudo certbot renew --dry-run

If everything is fine, you should see the following output:

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/example.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator nginx, Installer nginx
Renewing an existing certificate
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
new certificate deployed without reload, fullchain is
/etc/letsencrypt/live/example.com/fullchain.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates below have not been saved.)

Congratulations, all renewals succeeded. The following certs have been renewed:
  /etc/letsencrypt/live/example.com/fullchain.pem (success)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates above have not been saved.)

Conclusion

In this tutorial, you have learned how to secure Nginx with Let’s Encrypt on Ubuntu 20.04 / 18.04. You can now easily secure your website with free SSL/TLS certificates.

Jaspreet Singh Ghuman

Jaspreet Singh Ghuman

Jassweb.com/

Passionate Professional Blogger, Freelancer, WordPress Enthusiast, Digital Marketer, Web Developer, Server Operator, Networking Expert. Empowering online presence with diverse skills.

jassweb logo

Jassweb always keeps its services up-to-date with the latest trends in the market, providing its customers all over the world with high-end and easily extensible internet, intranet, and extranet products.

GSTIN is 03EGRPS4248R1ZD.

Contact
Jassweb, Rai Chak, Punjab, India. 143518
Item added to cart.
0 items - 0.00