Introduction
Let’s Encrypt is a free, automated, and open Certificate Authority (CA) that provides an easy way to obtain and install free TLS/SSL certificates, thereby enabling encrypted HTTPS on web servers. In this tutorial, we will show you how to secure Nginx with Let’s Encrypt on Ubuntu 20.04 / 18.04. We will cover how to install the Let’s Encrypt client, generate SSL certificates, and configure Nginx to use the certificates. We will also show you how to automatically renew the certificates.
How to Secure Nginx with Let’s Encrypt On Ubuntu 20.04 / 18.04
1. Install Certbot
Before you can secure your Nginx web server with Let’s Encrypt, you need to install Certbot, the official Let’s Encrypt client, together with its Nginx plugin. The certbot package alone does not include the plugin, and the --nginx command used in the next step fails without it.
To install both on Ubuntu 20.04 / 18.04, run the following command:
$ sudo apt-get install certbot python3-certbot-nginx
2. Generate a Let’s Encrypt SSL Certificate
Once Certbot is installed, you can generate a Let’s Encrypt SSL certificate for your Nginx web server.
To generate a Let’s Encrypt SSL certificate, run the following command. Without -d flags, Certbot lists the server_name values it finds in your Nginx configuration and lets you pick the names to include; pass -d example.com -d www.example.com to select them directly:
$ sudo certbot --nginx
3. Configure Nginx to Use the SSL Certificate
If you ran Certbot with the --nginx installer in the previous step, this is already done: the plugin adds the listen 443 ssl directive and the certificate paths to the server block for your domain and reloads Nginx. Only if you obtained the certificate without the installer (for example with sudo certbot certonly --nginx) do you need to configure Nginx by hand.
To do so, open the server block for your domain in a text editor (this example edits the default site):
$ sudo nano /etc/nginx/sites-available/default
Then, add the following lines to the server block. Keep fullchain.pem (not cert.pem) as the certificate so that Nginx also serves the intermediate certificate browsers need to validate the chain:
listen 443 ssl;
ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
Save and close the file.
4. Restart Nginx
Finally, check the configuration for syntax errors with sudo nginx -t and reload Nginx so the changes take effect without dropping open connections.
To reload Nginx, run the following command:
$ sudo systemctl reload nginx
Introduction
Any website that serves visitors needs SSL/TLS for its domain. A TLS certificate lets browsers verify that they are talking to the genuine server, and the resulting HTTPS connection encrypts the traffic between your web server and its clients.
Let’s Encrypt is a free certificate authority that issues such certificates, and its Certbot client automates the whole process, from domain validation to Nginx configuration.
In this article, you will learn how to secure your Nginx server by obtaining and installing Let’s Encrypt certificates with Certbot.
Prerequisites
- A system running Ubuntu 20.04 (or Ubuntu 18.04)
- Access to a terminal window/command line
- Sudo or root privileges on local/remote machines
- Nginx installed and set up
- A registered domain name
- A server block configured for that domain name
How to Secure Nginx with Let’s Encrypt On Ubuntu 20.04
Step 1: Install Certbot
Certbot is an open-source software tool for automatically enabling HTTPS using Let’s Encrypt certificates.
The first step to securing Nginx with Let’s Encrypt is to install Certbot. To do so, start by opening a terminal window and updating the local repository:
sudo apt update
Then, download and install Certbot and its Nginx plugin by running:
sudo apt install certbot python3-certbot-nginx
Type y to confirm the installation and hit Enter.
Step 2: Check Nginx Configuration
As noted in the prerequisites, you should already have a registered domain and an Nginx server block for that domain. As an example, this article uses the domain example.com.
To check whether it is set up correctly, open the Nginx configuration file:
sudo nano /etc/nginx/sites-available/example.com
Then, locate the server_name directive and make sure it is set to your domain name. As you want to include the domain name both with and without the www. prefix, the line should look similar to the one below:
server_name example.com www.example.com;
Note: If you make changes to the Nginx configuration file, save the modified file, check the configuration syntax with sudo nginx -t, and apply it with sudo systemctl reload nginx.
Step 3: Adjust Firewall to Allow HTTPS Traffic
The next step is to adjust the firewall to allow HTTPS traffic.
If you followed the Nginx installation guide, you already enabled your firewall to allow Nginx HTTP. As you are adding Let’s Encrypt certificates, you need to configure the firewall for encrypted traffic.
1. To check that your firewall is active and see which traffic it currently allows, run the command:
sudo ufw status
The output should report that UFW is active and list the rules that are set. After a fresh Nginx installation, you will typically see the Nginx HTTP profile allowed but no rule for HTTPS.
The Nginx package registers three UFW application profiles you can add as rules:
- Nginx HTTP (opens port 80)
- Nginx HTTPS (opens port 443 – encrypted traffic)
- Nginx Full (opens port 80 and 443)
2. To allow encrypted traffic, either add the Nginx HTTPS profile alongside the existing Nginx HTTP rule, or replace the Nginx HTTP rule with Nginx Full. Either way, port 80 must stay open: Let’s Encrypt’s HTTP-01 validation connects to port 80, and so does the HTTP-to-HTTPS redirect that Certbot configures.
a) Allow Nginx HTTPS traffic by running the command:
sudo ufw allow 'Nginx HTTPS'
b) Or remove the separate Nginx HTTP rule and use Nginx Full (ports 80 and 443) instead:
sudo ufw delete allow 'Nginx HTTP'
sudo ufw allow 'Nginx Full'
Do not use ufw deny 'Nginx HTTP' for this. A deny rule blocks port 80 outright, which breaks both the HTTP-01 challenge and the redirect, and because UFW matches rules in the order they were added, allowing Nginx Full afterwards does not undo it.
3. Verify that a rule allowing HTTPS traffic is now present by running ufw status again.
Step 4: Obtain the SSL/TLS Certificate
Certbot’s Nginx plugin does the rest: it proves control of the domain, obtains the certificate, adds the listen 443 ssl directive and the certificate paths to the server block for that domain, and reloads Nginx when needed. Therefore, the only thing you need to do is request the certificate with the Nginx plugin.
1. To do so, run the command:
sudo certbot --nginx -d example.com -d www.example.com
2. Certbot asks for an email address (used for expiry and account notices) and for your agreement to the Let’s Encrypt terms of service, and then offers to redirect all HTTP requests to HTTPS. Choose the redirect unless you have a specific reason to keep plain HTTP content reachable.
3. Once you configure HTTPS, Certbot completes generating the certificate and reloads Nginx with the new settings.
4. Finally, the output displays that you have successfully generated a certificate and specifies the location of the certificate on your server.
Step 5: Enable Automatic Certificate Renewal
Let’s Encrypt certificates are valid for 90 days, so renewal has to be automated. The certbot package you installed from apt already takes care of this: it ships a scheduled job (certbot.timer on systems running systemd, with /etc/cron.d/certbot as a fallback) that runs certbot renew twice a day, and because the certificate was obtained with the Nginx plugin, Certbot reloads Nginx after each successful renewal. Check that the timer is present with systemctl list-timers before adding anything. Only if no such job exists on your system should you add a cron job yourself, as follows.
1. Open root’s crontab, since certbot renew needs to read /etc/letsencrypt and reload Nginx:
sudo crontab -e
2. Add a cron job that runs certbot renew, which replaces any certificate that expires within the next 30 days and leaves the others untouched. Schedule it to run daily at a fixed time (this example uses 05:00 a.m.; Let’s Encrypt recommends picking a random minute rather than the top of the hour so that renewals from many servers are spread out):
0 5 * * * /usr/bin/certbot renew --quiet
Keep the --quiet flag, as in the line above: it suppresses all output except errors, so cron only mails you when a renewal actually fails.
3. Save the changes and exit the editor.
Note: Want to learn more about cron jobs? Refer to our article on How to Set Up Cron Jobs and master running automated processes on your system at a scheduled time.
Conclusion
If you followed the steps outlined in this article, you have secured your Nginx server with a Let’s Encrypt SSL/TLS certificate for your domain and confirmed that Certbot renews it automatically.
How to Secure Nginx with Let’s Encrypt On Ubuntu 20.04 / 18.04
Let’s Encrypt is a free, automated, and open Certificate Authority (CA). It provides free SSL/TLS certificates to secure websites. In this tutorial, we will show you how to secure Nginx with Let’s Encrypt on Ubuntu 20.04 / 18.04.
Prerequisites
- A server running Ubuntu 20.04 / 18.04.
- A domain name pointed to your server IP.
- A non-root user with sudo privileges.
- Nginx installed on your server.
Step 1 – Install Certbot
Certbot is a free and open-source tool that automates obtaining Let’s Encrypt certificates and enabling HTTPS on manually administered websites. It is a command-line client written in Python and maintained by the Electronic Frontier Foundation.
First, update the apt package index:
sudo apt update
Then, install Certbot with the following command:
sudo apt install certbot python3-certbot-nginx
Step 2 – Obtain an SSL Certificate
Once the Certbot is installed, run the following command to obtain an SSL certificate for your domain:
sudo certbot --nginx -d example.com -d www.example.com
You will be asked to provide an email address for important account notifications and to agree to the terms of service. After that, you will be asked to choose whether or not to redirect HTTP traffic to HTTPS.
Once the installation is completed, you should see the following output:
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/example.com/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/example.com/privkey.pem
Your cert will expire on 2020-08-20. To obtain a new or tweaked
version of this certificate in the future, simply run certbot
again. To non-interactively renew *all* of your certificates, run
"certbot renew"
Step 3 – Verify SSL Certificate
Now, you can verify the SSL certificate with the following command:
sudo certbot certificates
You should see the following output:
Found the following certs:
Certificate Name: example.com
Domains: example.com www.example.com
Expiry Date: 2020-08-20 11:59:59+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/example.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/example.com/privkey.pem
Step 4 – Test Auto Renewal
Let’s Encrypt certificates are valid for 90 days. The certbot package installed from apt schedules certbot renew twice a day (via certbot.timer, or /etc/cron.d/certbot where systemd is not running), and certbot renew only replaces certificates that expire within the next 30 days, so no manual renewal is needed. Before relying on it, test the complete renewal path, including domain validation against Let’s Encrypt’s staging environment, without touching your real certificate:
sudo certbot renew --dry-run
If everything is fine, you should see the following output:
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/example.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator nginx, Installer nginx
Renewing an existing certificate
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
new certificate deployed without reload, fullchain is
/etc/letsencrypt/live/example.com/fullchain.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates below have not been saved.)
Congratulations, all renewals succeeded. The following certs have been renewed:
/etc/letsencrypt/live/example.com/fullchain.pem (success)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates above have not been saved.)
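The following added example (shell; it is not code from any of the guides above) puts the two checks a practitioner wants after issuance into standalone functions: renewal_due applies the same 30-day window that certbot renew uses (Step 5 of the previous guide and Step 4 here), and key_matches_cert confirms that the certificate and private key you point ssl_certificate and ssl_certificate_key at belong to the same issuance, the mismatch Nginx otherwise reports only at reload time. It generates its own self-signed test certificates with openssl so that it runs offline; the example.com CN, the directory names and the 10- and 89-day lifetimes are constructed test values, not real Let’s Encrypt output. On a live server, point the functions at /etc/letsencrypt/live/example.com/fullchain.pem (openssl x509 reads the first certificate in the file, the leaf) and privkey.pem.

```shell
#!/usr/bin/env bash
# Added example, not part of the original guides: certbot's 30-day renewal
# rule and the certificate/private-key pairing check as standalone functions.
# The certificates created here are self-signed test material; no Let's
# Encrypt account or network access is needed.

# Generate a throw-away self-signed certificate for example.com (constructed
# test name) that expires in $2 days, writing cert.pem and privkey.pem to $1.
make_test_cert() {
    local dir="$1" days="$2"
    mkdir -p "$dir"
    openssl req -x509 -newkey rsa:2048 -nodes -days "$days" \
        -subj "/CN=example.com" \
        -keyout "$dir/privkey.pem" -out "$dir/cert.pem" >/dev/null 2>&1
}

# Return 0 if the certificate in $1 expires within $2 days (default 30, the
# window certbot renew uses), 1 otherwise. `openssl x509 -checkend N` exits 0
# when the certificate is still valid N seconds from now and non-zero when not.
renewal_due() {
    local cert="$1" days="${2:-30}"
    if openssl x509 -noout -checkend "$((days * 86400))" -in "$cert" >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# Return 0 if the private key in $2 is the key for the certificate in $1.
# Both are reduced to their public key in PEM form and compared, which is
# exactly what Nginx does when it loads ssl_certificate/ssl_certificate_key
# and fails with a "key values mismatch" error if they disagree.
key_matches_cert() {
    local cert="$1" key="$2"
    local cert_pub key_pub
    cert_pub=$(openssl x509 -noout -pubkey -in "$cert" 2>/dev/null) || return 1
    key_pub=$(openssl pkey -pubout -in "$key" 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Demo: a certificate with 10 days left is due for renewal, a fresh one with
# 89 days left is not, and a key from a different issuance is rejected.
demo() {
    local tmp
    tmp=$(mktemp -d)
    make_test_cert "$tmp/old" 10
    make_test_cert "$tmp/new" 89
    for name in old new; do
        if renewal_due "$tmp/$name/cert.pem" 30; then
            echo "$name: renewal due"
        else
            echo "$name: not due for renewal"
        fi
    done
    if key_matches_cert "$tmp/new/cert.pem" "$tmp/old/privkey.pem"; then
        echo "unexpected: key from another issuance accepted"
    else
        echo "key from another issuance correctly rejected"
    fi
    rm -rf "$tmp"
}

demo
```

Run renewal_due against a freshly issued certificate and it returns 1, which is the behaviour behind the "Cert not due for renewal" line in the dry-run output above; run key_matches_cert before every manual edit of ssl_certificate_key so that a wrong path fails the check rather than the next nginx reload.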
Conclusion
In this tutorial, you have learned how to secure Nginx with Let’s Encrypt on Ubuntu 20.04 / 18.04. You can now easily secure your website with free SSL/TLS certificates.