Background:
Let's Encrypt is a Certificate Authority (CA) that enables encrypted HTTPS on web servers by allowing users to obtain and install free TLS/SSL certificates. It simplifies the procedure by offering Certbot, a software client that tries to automate the majority (if not all) of the essential stages. On both Apache and Nginx, the entire process of getting and installing a certificate is currently totally automated.
In this guide, you'll learn how to get a free SSL certificate for Nginx on Ubuntu 18.04 and set it up to renew automatically using Certbot.
Instead of using the default Nginx server block file, this tutorial will use a different file. For each domain, we recommend building new Nginx server block files because it helps to avoid frequent errors.
What you need:
To follow this tutorial, you will need:
-
One Ubuntu 18.04 server set up , including a sudo non-root user and a firewall.
-
A fully registered domain name. This tutorial will use your_domain throughout. You can purchase a domain name on Listed Hosting, or use the domain registrar of your choice.
-
Both of the following DNS records set up for your server.
- An A record with
your_domainpointing to your server’s public IP address. - An A record with
www.your_domainpointing to your server’s public IP address.
- An A record with
-
Nginx installed. Be sure that you have a server block for your domain. Again, this tutorial will use
/etc/nginx/sites-available/your_domainas an example.
1 — Installing Certbot
Installing the Certbot software on your server is the first step in using Let's Encrypt to obtain an SSL certificate.
Most users should install Certbot using snap, a package manager created by Canonical (the company behind Ubuntu) and currently accessible on many Linux distributions:
sudo snap install --classic certbot
Your output will display the current version of Certbot and successful installation:
certbot 1.21.0 from Certbot Project (certbot-eff✓) installedsudo ln -s /snap/bin/certbot /usr/bin/certbot2 — Confirming Nginx’s Configuration
Certbot must be able to locate the relevant server block in your Nginx setup in order to configure SSL automatically. It does this by looking for a server name directive that matches the domain for which you're requesting a certificate.
If you followed the suggested server block setup step in the Nginx installation instruction, you should have a server block for your domain at /etc/nginx/sites-available/your domain with the server name directive set correctly.
To check, use nano or your favorite text editor to access the server block file for your domain:
sudo nano /etc/nginx/sites-available/your_domain
Look for the server name line that already exists. This is what it should look like:
...
server_name your_domain www.your_domain;
...If this is the case, close your editor and proceed to the next step.
If it doesn't, make the necessary changes. After that, save the file and exit the editor. If you're using nano, press CTRL + X, then Y, then ENTER to do so.
Check the syntax of your configuration changes now:
sudo nginx -t
If you get an error, reopen the server block file and check for any typos or missing characters. Once your configuration file’s syntax is correct, reload Nginx to load the new configuration:
sudo systemctl reload nginx
Certbot can now locate and update the correct server block.
The firewall will then be updated to enable HTTPS traffic.
3 — Allowing HTTPS Through the Firewall
You'll need to adjust the settings to allow HTTPS traffic if you have the ufw firewall enabled, as recommended by the prerequisite guides. Fortunately, Nginx automatically registers a few profiles with ufw when it is installed.
Run the following command to see what the current setting is:
sudo ufw status
You should receive output like this, indicating that only HTTP traffic is allowed to the webserver:
Status: active To Action From -- ------ ---- OpenSSH ALLOW Anywhere Nginx HTTP ALLOW Anywhere OpenSSH (v6) ALLOW Anywhere (v6) Nginx HTTP (v6) ALLOW Anywhere (v6)To let in additional HTTPS traffic, allow the Nginx Full profile and delete the redundant Nginx HTTP profile allowance:sudo ufw allow 'Nginx Full'sudo ufw delete allow 'Nginx HTTP'Now when you run the ufw status command it will reflect these new rules:
sudo ufw status
Status: active
To Action From
-- ------ ----
OpenSSH ALLOW Anywhere
Nginx Full ALLOW Anywhere
OpenSSH (v6) ALLOW Anywhere (v6)
Nginx Full (v6) ALLOW Anywhere (v6)
Next, you’ll run Certbot and fetch your certificates.4 — Obtaining an SSL Certificate
Certbot offers a number of plugins that can be used to obtain SSL certificates. The Nginx plugin will take care of reloading the configuration and reconfiguring Nginx as needed. Run the following commands to activate this plugin:
sudo certbot --nginx -d your_domain -d your_domain
This runs certbot with the --nginx plugin, using -d to specify the names you’d like the certificate to be valid for.
If this is your first time running certbot, you will be prompted to enter an email address and agree to the terms of service. After doing so, certbot will communicate with the Let’s Encrypt server to request a certificate for your domain. If successful, you will receive the following output:
Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/your_domain/fullchain.pem
Key is saved at: /etc/letsencrypt/live/your_domain/privkey.pem
This certificate expires on 2022-01-27.
These files will be updated when the certificate renews.
Certbot has set up a scheduled task to automatically renew this certificate in the background.
Deploying certificate
Successfully deployed certificate for your_domain to /etc/nginx/sites-enabled/your_domain
Successfully deployed certificate for www.your_domain to /etc/nginx/sites-enabled/your_domain
Congratulations! You have successfully enabled HTTPS on https://your_domain and https://www.your_domain
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
If you like Certbot, please consider supporting our work by:
* Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
* Donating to EFF: https://eff.org/donate-le
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -Your certificates are downloaded, installed, and loaded. Try reloading your website using https:// and notice your browser’s security indicator. It should indicate that the site is properly secured, usually with a green lock icon. If you test your server using the SSL Labs Server Test, it will get an A grade.
Now that you’ve obtained your SSL certificate, the final step is to test the renewal process.
5 — Verifying Certbot Auto-Renewal
The certificates issued by Let's Encrypt are only valid for ninety days. This is to encourage users to automate the renewal of their certificates. By adding a renew script to /etc/cron.d, the certbot package you installed takes care of this. This script runs twice a day and will renew any certificate that is about to expire in the next thirty days.
You can do a dry run with certbot to test the renewal process:
sudo certbot renew --dry-runYou're good to go if you don't get any errors. Certbot will renew your certificates as needed and reload Nginx to reflect the changes.
If the automated renewal procedure fails, Let's Encrypt will send you an email notifying you that your certificate is about to expire,
using the email address you provided.
Conclusion
Installing the Let's Encrypt client certbot, downloading SSL certificates for your domain, configuring Nginx to use these certificates, and setting up automatic certificate renewal were all covered in this guide. Certbot's documentation is a fantastic place to start if you have any additional questions about how to use it.
