
Let’s Encrypt is a free and open Certificate Authority (CA). It provides a simple way to obtain, install and renew free TLS/SSL certificates. This tutorial outlines how to obtain and install free Let’s Encrypt SSL certificate and Secure Nginx on Ubuntu 18.04 server.
Prerequisites
- Ubuntu server with a non-root user with sudo privileges.
- Nginx must installed and configured, as shown in this tutorial.
- Have a Nginx server block for your domain, as shown in this tutorial.
- Your domain name should pointing to your server IP address.
Install Let’s Encrypt on Ubuntu
Here, outlines steps to use Certbot tool to obtain a free SSL certificate for Nginx on Ubuntu 18.04 server. Now a days, Let’s Encrypt SSL certificates are trusted by almost all browsers.
Install Certbot Client
You can easily obtain, install and renew Let’s Encrypt SSL certificates, using Certbot client package. It is useful to configure web servers to use the SSL certificates. The certbot package is included in the default Ubuntu repositories.
First of all, we will update the packages list index by typing:
sudo apt update
Now install Certbot client by executing below command:
sudo apt install python-certbot-nginx
Also, you can verify that certbot is installed successfully or not by typing:
certbot --version
Setting Up Firewall
If your server is protected by UFW firewall then you need to adjust firewall to allow HHTPS traffic.
To see the current settings by type:
sudo ufw status
Output
Status: active
To Action From
-- ------ ----
OpenSSH ALLOW Anywhere
Nginx HTTP ALLOW Anywhere
OpenSSH (v6) ALLOW Anywhere (v6)
Nginx HTTP (v6) ALLOW Anywhere (v6)
To get HTTPS traffic, you need to allow the Nginx Full profile and delete the redundant Nginx HTTP profile allowance:
sudo ufw allow 'Nginx Full'
sudo ufw delete allow 'Nginx HTTP'
Now status will look like as below:
Output
Status: active
To Action From
-- ------ ----
OpenSSH ALLOW Anywhere
Nginx Full ALLOW Anywhere
OpenSSH (v6) ALLOW Anywhere (v6)
Nginx Full (v6) ALLOW Anywhere (v6)
Obtain Let’s Encrypt SSL Certificate on Nginx
You can obtain SSL certificates with multiple ways. Here, we will use certbot client to obtain a SSL certificate:
sudo certbot --nginx -d example.com -d www.example.com
Here, we are requesting for example.com and www.example.com domains. If this is first time to install then it will ask you enter email address and agree terms and conditions. Entered email address will be used for sending email alerts related to SSL renewal and expiration.
Next, If validation got success it will ask you to configure HTTPS settings:
Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
-------------------------------------------------------------------------------
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
-------------------------------------------------------------------------------
Select the appropriate number [1-2] then [enter] (press 'c' to cancel):
Select option 1 or 2 as per your choice and hit Enter to continue. Nginx Server Blocks will update based on your selected option and it will reload Nginx to take new settings effect.
Finally, your domain is secured with Let’s Encrypt SSL certificate. You can verify by visiting your site with HTTPS protocol.
Auto Renew Let’s Encrypt SSL certificate
Let’s Encrypt SSL certificates have short-life period of 90 days so you need to renew it before it expire. You can renew SSL certificate before it get expired by typing:
sudo certbot renew
In addition, you can setup auto renew process for Let’s Encrypt SSL certificates by adding a cronjob. Execute below command to open crontab:
sudo crontab -e
Next, add the below line at end of file. It will run the command twice a day and renews if the certificate is about to expire.
0 */12 * * * root test -x /usr/bin/certbot -a ! -d /run/systemd/system && perl -e 'sleep int(rand(43200))' && certbot -q renew
Save and close the file.
You also can verify certbot auto-renewal process by typing:
sudo certbot renew --dry-run
Conclusion
In this guide, you learned how to install certbot client, obtain Let’s Encrypt SSL certificate and configured to Nginx to use the certificates. At the end of tutorial, you learned to set up a cronjob for automatic certificate renewal.
You can know more about how to use Certbot, their documentation is a good starting point.
Leave a Reply