Secure Nginx with Let’s Encrypt on Ubuntu 18.04

Let’s Encrypt is a free and open Certificate Authority (CA). It provides a simple way to obtain, install and renew free TLS/SSL certificates. This tutorial outlines how to obtain and install free Let’s Encrypt SSL certificate and Secure Nginx on Ubuntu 18.04 server.

Prerequisites#

• Ubuntu server with a non-root user with sudo privileges.
• Nginx must installed and configured, as shown in this tutorial.
• Have a Nginx server block for your domain, as shown in this tutorial.
• Your domain name should pointing to your server IP address.

Install Let’s Encrypt on Ubuntu#

Here, outlines steps to use Certbot tool to obtain a free SSL certificate for Nginx on Ubuntu 18.04 server. Now a days, Let’s Encrypt SSL certificates are trusted by almost all browsers.

Install Certbot Client#

You can easily obtain, install and renew Let’s Encrypt SSL certificates, using Certbot client package. It is useful to configure web servers to use the SSL certificates. The certbot package is included in the default Ubuntu repositories.

First of all, we will update the packages list index by typing:

sudo apt update

Now install Certbot client by executing below command:

sudo apt install python-certbot-nginx

Also, you can verify that certbot is installed successfully or not by typing:

certbot --version

Setting Up Firewall#

If your server is protected by UFW firewall then you need to adjust firewall to allow HHTPS traffic.

To see the current settings by type:

sudo ufw status

Output
Status: active
To                         Action      From
--                         ------      ----
OpenSSH                    ALLOW       Anywhere                  
Nginx HTTP                 ALLOW       Anywhere                  
OpenSSH (v6)               ALLOW       Anywhere (v6)             
Nginx HTTP (v6)            ALLOW       Anywhere (v6)

To get HTTPS traffic, you need to allow the Nginx Full profile and delete the redundant Nginx HTTP profile allowance:

sudo ufw allow 'Nginx Full'
sudo ufw delete allow 'Nginx HTTP'

Now status will look like as below:

Output
Status: active
To                         Action      From
--                         ------      ----
OpenSSH                    ALLOW       Anywhere                  
Nginx Full                 ALLOW       Anywhere                  
OpenSSH (v6)               ALLOW       Anywhere (v6)             
Nginx Full (v6)            ALLOW       Anywhere (v6)

Obtain Let’s Encrypt SSL Certificate on Nginx#

You can obtain SSL certificates with multiple ways. Here, we will use certbot client to obtain a SSL certificate:

sudo certbot --nginx -d example.com -d www.example.com

Here, we are requesting for example.com and www.example.com domains. If this is first time to install then it will ask you enter email address and agree terms and conditions. Entered email address will be used for sending email alerts related to SSL renewal and expiration.

Next, If validation got success it will ask you to configure HTTPS settings:

Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
-------------------------------------------------------------------------------
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
-------------------------------------------------------------------------------
Select the appropriate number [1-2] then [enter] (press 'c' to cancel):

Select option 1 or 2 as per your choice and hit Enter to continue. Nginx Server Blocks will update based on your selected option and it will reload Nginx to take new settings effect.

Finally, your domain is secured with Let’s Encrypt SSL certificate. You can verify by visiting your site with HTTPS protocol.

Auto Renew Let’s Encrypt SSL certificate#

Let’s Encrypt SSL certificates have short-life period of 90 days so you need to renew it before it expire. You can renew SSL certificate before it get expired by typing:

sudo certbot renew

In addition, you can setup auto renew process for Let’s Encrypt SSL certificates by adding a cronjob. Execute below command to open crontab:

sudo crontab -e

Next, add the below line at end of file. It will run the command twice a day and renews if the certificate is about to expire.

0 */12 * * * root test -x /usr/bin/certbot -a ! -d /run/systemd/system && perl -e 'sleep int(rand(43200))' && certbot -q renew

Save and close the file.

You also can verify certbot auto-renewal process by typing:

sudo certbot renew --dry-run

Conclusion#

In this guide, you learned how to install certbot client, obtain Let’s Encrypt SSL certificate and configured to Nginx to use the certificates. At the end of tutorial, you learned to set up a cronjob for automatic certificate renewal.

You can know more about how to use Certbot, their documentation is a good starting point.