Category: Ubuntu

    Install Let’s Encrypt with Nginx on Ubuntu 20.04

    With evolving web security standards, Google has emphasized the importance of using HTTPS, making it the new default for websites. As a result, HTTPS is now essential for securing your site and building user trust.

    In this tutorial, you’ll learn how to use Let’s Encrypt Certbot to obtain a free SSL/TLS certificate for Nginx on Ubuntu 20.04, and how to configure automatic certificate renewal.

    Let’s Encrypt is a free, automated, and open certificate authority (CA) provided by the nonprofit Internet Security Research Group (ISRG). It offers a simple way to enable HTTPS by issuing free SSL certificates.

    To streamline the process, Let’s Encrypt works with Certbot, a software client that automates the tasks of requesting, installing, and renewing certificates on your web server.

    Prerequisites

    Before you begin, make sure you have the following:

    • A sudo-enabled non-root user and a firewall configured on your server.
    • A registered domain name.
    • The following DNS records set up for your domain:
      • An A record pointing example.com to your server’s public IP address.
      • An A record pointing www.example.com to your server’s public IP address.
    • Nginx installed on your server.
    • A server block (virtual host) configured for your domain in Nginx, typically located in the /etc/nginx/sites-available/ directory.

    Installing Certbot

    To obtain a Let’s Encrypt SSL certificate, you’ll first need to install the Certbot software on your server.

    Use the following command to install Certbot along with its Nginx plugin:

    sudo apt install certbot python3-certbot-nginx

    Once the installation is complete, Certbot and its Nginx plugin will be ready to use.

    Next, we’ll review your Nginx configuration to ensure it’s properly set up for certificate issuance.

    Validate Nginx Configuration

    Certbot needs to identify the correct server block in your Nginx configuration to automatically install the SSL certificate. It does this by locating a server_name directive that matches the domain you’re requesting a certificate for.

    To check this, open your domain’s Nginx configuration file with a text editor:

    sudo nano /etc/nginx/sites-available/example.com

    Look for the server_name line. It should look something like:

    server_name example.com www.example.com;

    • If the domain names are correctly listed, you can exit the editor.
    • If not, update the server_name line to include your domain and subdomain. Then save and close the file.

    Next, test your Nginx configuration for syntax errors:

    sudo nginx -t

    • If you receive an error, reopen the file and correct any typos.
    • Once the test passes, reload Nginx to apply the changes:

    sudo systemctl reload nginx

    With the correct server block in place, Certbot will now be able to automatically configure SSL for your domain.
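    The manual check above can be scripted. The following is an added example, not part of the original tutorial or of Certbot: it extracts every hostname from the server_name directives of a site file and reports any requested domain that is missing, which is exactly the mismatch that makes Certbot's Nginx plugin unable to find the right server block. The config file it reads is a constructed sample written to a temporary file; on a real host you would point it at /etc/nginx/sites-available/example.com and follow a clean result with sudo nginx -t.

```shell
#!/usr/bin/env bash
# Added example (not from the tutorial): confirm that the Nginx server block
# names every domain we are about to request a certificate for.

# Print each hostname listed in any server_name directive of the given file,
# one per line. Handles several names on one line, a trailing ';' and an
# end-of-line comment.
server_names_in() {
    grep -E '^[[:space:]]*server_name[[:space:]]' "$1" \
      | sed -E 's/^[[:space:]]*server_name[[:space:]]+//; s/;.*$//; s/#.*$//' \
      | tr -s ' \t' '\n' \
      | sed '/^$/d'
}

# Usage: check_server_names CONFIG DOMAIN...
# Returns 0 when every domain appears in a server_name directive, 1 otherwise
# (missing names are printed on stderr so the file can be fixed first).
check_server_names() {
    local conf="$1"; shift
    local names domain missing=0
    names="$(server_names_in "$conf")"
    for domain in "$@"; do
        if ! printf '%s\n' "$names" | grep -qxF -- "$domain"; then
            echo "missing from server_name: $domain" >&2
            missing=1
        fi
    done
    return "$missing"
}

# Constructed sample config standing in for /etc/nginx/sites-available/example.com
SAMPLE_CONF="$(mktemp)"
cat > "$SAMPLE_CONF" <<'EOF'
server {
    listen 80;
    server_name example.com www.example.com;  # names Certbot will match on
    root /var/www/example.com/html;
}
EOF

main() {
    if check_server_names "$SAMPLE_CONF" example.com www.example.com; then
        echo "server_name covers all requested domains"
        # On a real host: sudo nginx -t && sudo systemctl reload nginx
    fi
    # A name that is not in the block is reported before certbot is ever run.
    check_server_names "$SAMPLE_CONF" example.com blog.example.com \
        || echo "fix server_name before running certbot"
}
main
```

    Matching is exact (grep -x), so a wildcard such as *.example.com in the config is not treated as covering www.example.com; Certbot's plugin also prefers an exact match, so treat a wildcard-only block as something to fix rather than rely on.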

    Up next, let’s configure the firewall to allow HTTPS traffic.

    Allowing HTTPS Through the Firewall

    Before you request an SSL certificate, ensure your firewall allows HTTPS traffic.

    Enable the Nginx Full profile, which includes rules for both HTTP and HTTPS, and then remove the redundant Nginx HTTP rule:

    sudo ufw allow 'Nginx Full'
    sudo ufw delete allow 'Nginx HTTP'

    Check the firewall status to confirm the changes:

    sudo ufw status

    You should see output similar to:

    Status: active
    
    To                         Action      From
    --                         ------      ----
    OpenSSH                    ALLOW       Anywhere
    Nginx Full                 ALLOW       Anywhere
    OpenSSH (v6)               ALLOW       Anywhere (v6)
    Nginx Full (v6)            ALLOW       Anywhere (v6)

    Obtaining an SSL Certificate

    Certbot can obtain and install SSL certificates using a variety of plugins. Here, we’ll use the Nginx plugin, which automatically updates your Nginx configuration and reloads it as needed.

    Run the following command, replacing the domain names with your own:

    sudo certbot --nginx -d example.com -d www.example.com

    If this is your first time using Certbot, you’ll be prompted to:

    1. Enter a valid email address (for renewal and security notices).
    2. Agree to the terms of service.
    3. (Optional) Subscribe to EFF’s newsletter.

    Certbot will then communicate with Let’s Encrypt and run a challenge to verify your domain ownership.

    Once verified, you’ll be asked how to handle HTTP traffic:

    Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    1: No redirect - Make no further changes to the webserver configuration.
    2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
    new sites, or if you're confident your site works on HTTPS. You can undo this
    change by editing your web server's configuration.
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    Select the appropriate number [1-2] then [enter] (press 'c' to cancel):

    Choose an option and press Enter. Certbot will then update your Nginx configuration and reload the server.

    If successful, you’ll see a message like:

    IMPORTANT NOTES:
     - Congratulations! Your certificate and chain have been saved at:
       /etc/letsencrypt/live/example.com/fullchain.pem
       Your key file has been saved at:
       /etc/letsencrypt/live/example.com/privkey.pem
       Your cert will expire on 2020-08-18. To obtain a new or tweaked
       version of this certificate in the future, simply run certbot again
       with the "certonly" option. To non-interactively renew *all* of
       your certificates, run "certbot renew"
     - If you like Certbot, please consider supporting our work by:
    
       Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
       Donating to EFF:                    https://eff.org/donate-le

    Now, visit your site at https://example.com to confirm it’s secured.

    For a detailed security report, test your domain with SSL Labs’ SSL Test. A properly configured site typically receives an A grade.

    Verifying Certbot Auto-Renewal

    Let’s Encrypt certificates are valid for 90 days, but Certbot includes a systemd timer that automatically renews them.

    To check the status of the auto-renewal timer:

    sudo systemctl status certbot.timer

    You should see something like:

    ● certbot.timer - Run certbot twice daily
         Loaded: loaded (/lib/systemd/system/certbot.timer; enabled; vendor preset: enabled)
         Active: active (waiting) since Mon 2020-05-04 20:04:36 UTC; 2 weeks 1 days ago
        Trigger: Thu 2020-05-21 05:22:32 UTC; 9h left
       Triggers: ● certbot.service

    To test the renewal process manually and ensure everything is working:

    sudo certbot renew --dry-run

    If no errors appear, your renewal setup is working correctly. Certbot will handle automatic renewals and reload Nginx when needed. In case of any issues, notifications will be sent to the email address you provided during setup.
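    Because the timer does the work silently, it is worth being able to tell at a glance how many days a certificate has left and whether it is already inside Certbot's renewal window (Certbot renews a certificate once fewer than 30 days remain). The script below is an added example, not part of the tutorial or of Certbot: it converts an expiry date in the format printed by openssl x509 -enddate (the same date shown in the "Your cert will expire on" message above) into days remaining. It uses GNU date -d, and both the expiry and the "today" value are constructed sample values; on a real host the expiry would come from /etc/letsencrypt/live/example.com/fullchain.pem.

```shell
#!/usr/bin/env bash
# Added example (not from the tutorial): days remaining on a certificate and
# whether it should already have been renewed. Requires GNU date (-d).

# Seconds since the epoch for a date string such as the notAfter value printed
# by `openssl x509 -noout -enddate -in fullchain.pem`, e.g.
# "Aug 18 00:00:00 2020 GMT".
to_epoch() {
    date -u -d "$1" +%s
}

# Usage: days_until_expiry EXPIRY [NOW]
# Whole days from NOW (defaults to the current time) until EXPIRY.
days_until_expiry() {
    local expiry_epoch now_epoch
    expiry_epoch="$(to_epoch "$1")" || return 2
    now_epoch="$(to_epoch "${2:-now}")" || return 2
    echo $(( (expiry_epoch - now_epoch) / 86400 ))
}

# Usage: needs_renewal EXPIRY [NOW] [WINDOW_DAYS]
# Returns 0 when fewer than WINDOW_DAYS (default 30, Certbot's renewal window)
# remain, 1 when the certificate is not yet due.
needs_renewal() {
    local days
    days="$(days_until_expiry "$1" "$2")" || return 2
    [ "$days" -lt "${3:-30}" ]
}

# Constructed sample values: the expiry from the certbot message above and a
# chosen "today" so the result is reproducible.
SAMPLE_EXPIRY="Aug 18 00:00:00 2020 GMT"
SAMPLE_TODAY="2020-07-01 00:00:00 UTC"

main() {
    local left
    left="$(days_until_expiry "$SAMPLE_EXPIRY" "$SAMPLE_TODAY")"
    echo "days until expiry: $left"
    if needs_renewal "$SAMPLE_EXPIRY" "$SAMPLE_TODAY" 30; then
        echo "inside the renewal window: certbot renew should have run; check certbot.timer"
    else
        echo "not yet due for renewal"
    fi
    # On a real host, feed the live certificate in:
    #   days_until_expiry "$(openssl x509 -noout -enddate \
    #       -in /etc/letsencrypt/live/example.com/fullchain.pem | cut -d= -f2)"
}
main
```

    A certificate that reports fewer than 30 days left while the timer is active is the signal to run sudo certbot renew --dry-run by hand and read its errors, rather than waiting for the expiry notice by email.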

    Conclusion

    Securing your website with HTTPS is no longer optional—it’s a key part of maintaining user trust and meeting modern web standards. In this tutorial, you’ve learned how to use Let’s Encrypt and Certbot to install a free SSL certificate on an Nginx server, as well as how to configure automatic renewals to keep your certificate up to date. With these steps complete, your website is now more secure and ready for encrypted traffic.

    For ongoing security, remember to regularly monitor your server and test your SSL configuration. A secure website not only protects your users—it builds your reputation online.