
Setup Let’s Encrypt free SSL on a Nginx server in 5 steps


What you’ll need

  1. Non-root user with sudo privileges
  2. Nginx installed and running (serving web pages over HTTP) before continuing with this guide
  3. A DNS A record that points your domain name to the public IP address of your server. This is required because Let’s Encrypt uses this record to validate that you own the domain for which you are requesting a certificate. For example, if you want to obtain a certificate for example.com, that name must resolve to your server’s public IP for the validation to succeed.

What you need to do

Step 1: Install the certbot client and the Nginx plugin

Certbot is a fully featured client from Let’s Encrypt that automates obtaining certificates and configuring web servers to use them. It runs on Unix-based operating systems.

If you are on Ubuntu/Debian:

On Ubuntu servers, the client is available in a PPA maintained by the Certbot team. Add the universe and certbot repositories, then install the client and the Nginx plugin with the following commands:

sudo apt update
sudo apt-get install software-properties-common
sudo add-apt-repository universe
sudo add-apt-repository ppa:certbot/certbot
sudo apt-get update
sudo apt-get install certbot python3-certbot-nginx

If you are on CentOS/RHEL:

On CentOS 8, add the EPEL repository by running:

sudo dnf install epel-release

Now that you have access to the repository, you can install all the required packages:

sudo dnf install certbot python3-certbot-nginx mod_ssl

Once installed, use the following command to test if the client is working correctly.

sudo certbot --help

If you see a list of all commands & their description, then you are ready to go.

Step 2: Set up Nginx

If you have already satisfied requirement 3 above (a DNS A record that points your domain name to the public IP address of your server), you can skip this step and jump to step 3.

Otherwise I assume you are beginning with a fresh installation of Nginx. Certbot looks for and modifies the server block in your Nginx configuration, so there must be an Nginx configuration file for your domain. Let’s assume your domain is example.com. Create a file named example.com.conf in the /etc/nginx/sites-enabled/ directory and enter the following:

server {
    listen 80 default_server;
    listen [::]:80 default_server;
    root /var/www/html;
    server_name example.com www.example.com;
}

Don’t forget to replace example.com with your real domain.

Now run the following command, which checks the example.com.conf file for syntax errors and then reloads the Nginx configuration:

nginx -t && nginx -s reload

If you come across an error like:

nginx: [error] invalid PID number "" in "/run/nginx.pid"

then start the service with sudo /etc/init.d/nginx start or simply sudo service nginx start, and reload Nginx again with nginx -t && nginx -s reload.

Step 3: Obtain an SSL certificate

Let’s assume your domain is example.com. We will use the default Nginx plugin for certbot, which takes care of obtaining the certificate, reconfiguring Nginx and reloading its configuration.

To run the plugin, enter

sudo certbot --nginx

This should result in a prompt like this:

Enter email address (used for urgent renewal and security notices) (Enter 'c' to
cancel):

You need not worry about spam: this email address is used to contact you about renewal and security notices.

Next you should see a prompt like this:

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server at
https://acme-v02.api.letsencrypt.org/directory
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(A)gree/(C)ancel: A

Read their terms of service, then press A and ENTER to agree.
Then you should see a prompt like this:

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about our work
encrypting the web, EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: N

Enter Y or N as per your preference and then press ENTER to proceed.
Then you should see a prompt like this:

Which names would you like to activate HTTPS for?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: example.com
2: www.example.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel):

You can choose any of them by entering 1 or 2 or leave it blank to select all.

Certbot automatically reads your domain names from the server_name directive in the Nginx example.com.conf file. If you want a certificate for any other domain or subdomain, make sure it is listed in example.com.conf beforehand.
This is also why you were asked to have Nginx installed and running (over HTTP) before continuing with this guide.

After this you should see a prompt like this:

Obtaining a new certificate
Performing the following challenges:
http-01 challenge for example.com
Waiting for verification...
Cleaning up challenges
Created an SSL vhost at /etc/nginx/sites-enabled/example.com.conf
Enabled Apache socache_shmcb module
Enabled Apache ssl module
Deploying Certificate to VirtualHost /etc/nginx/sites-enabled/example.com.conf
Enabling available site: /etc/nginx/sites-enabled/example.com.conf

Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel):

For maximum security it is recommended to redirect HTTP to HTTPS, so enter 2 followed by ENTER to enable this.

Finally you should see:

Redirecting all traffic on port 80 to ssl in /etc/nginx/sites-enabled/example.com.conf

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations! You have successfully enabled https://example.com

You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=example.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
As the prompt says, you have successfully enabled SSL 🥳 🎉.

Now if you cat your example.com.conf you will see that certbot has modified it to configure SSL for your website:

server {
    listen 80 default_server;
    listen [::]:80 default_server;
    root /var/www/html;
    server_name  example.com www.example.com;

    listen 443 ssl; # managed by Certbot

    # RSA certificate
    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem; # managed by Certbot

    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot

    # Redirect non-https traffic to https
    if ($scheme != "https") {
        return 301 https://$host$request_uri;
    } # managed by Certbot
}
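The two things worth checking in that file are exactly what step 3 relied on: the server_name list Certbot turns into its "Which names" menu, and the lines it adds (TLS listener, key material under /etc/letsencrypt/live, the shared options-ssl-nginx.conf include, the 301 redirect). This is an added example, not code from the original post; it embeds a constructed copy of the config above so it runs offline, and the function names are my own.

```shell
# Added example, not from the original post: audit a Certbot-managed Nginx
# server block with POSIX sh, sed, awk and grep. The config is constructed
# inline to mirror the one Certbot wrote above, so this runs offline.
NGINX_CONF='server {
    listen 80 default_server;
    listen [::]:80 default_server;
    root /var/www/html;
    server_name  example.com www.example.com;

    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    if ($scheme != "https") {
        return 301 https://$host$request_uri;
    } # managed by Certbot
}'

# server_names CONF: print the names Certbot offers in its "Which names would
# you like to activate HTTPS for?" menu, one per line, taken from every
# server_name directive after comments are stripped.
server_names() {
    printf '%s\n' "$1" | sed 's/#.*//' \
        | awk '$1 == "server_name" { sub(/;.*/, ""); for (i = 2; i <= NF; i++) print $i }'
}

# audit_tls CONF: return 0 when the block has everything the finished config
# should have (TLS listener, both key material paths under /etc/letsencrypt/live,
# the shared hardening include and the HTTP->HTTPS redirect); otherwise print
# each missing item and return 1.
audit_tls() {
    conf=$(printf '%s\n' "$1" | sed 's/#.*//')
    rc=0
    for pat in 'listen +443 +ssl' \
               'ssl_certificate +/etc/letsencrypt/live/' \
               'ssl_certificate_key +/etc/letsencrypt/live/' \
               'include +/etc/letsencrypt/options-ssl-nginx.conf' \
               'return +301 +https://'; do
        printf '%s\n' "$conf" | grep -Eq "$pat" || { echo "missing: $pat"; rc=1; }
    done
    return $rc
}
```

To run it against your real file, pass "$(cat /etc/nginx/sites-enabled/example.com.conf)" instead of "$NGINX_CONF".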

Step 4: Test SSL

You can now go to ssllabs.com/ssltest/ and run an SSL test on your domain.
A successful test should result in an ‘A’ rating.

ssllabs test result

Step 5: Test auto renewal

SSL certificates issued by Let’s Encrypt expire after 90 days. Fortunately you need not do anything.
The certbot package we installed takes care of renewals by installing a renewal script in /etc/cron.d that runs twice a day and automatically renews any certificate that is within thirty days of expiration.

To test that this renewal process works, run:

sudo certbot renew --dry-run

If you see no errors, you’re all set. When necessary, Certbot will renew your certificates and reload Nginx to adopt the changes.

If the automated renewal process fails, Let’s Encrypt will send a message to the email address you specified, warning you about the certificate’s expiry.

Step 6 (optional): Deny HTTP traffic

After you set up HTTPS, you can optionally deny non-secure HTTP traffic on port 80. If you are using UFW (Uncomplicated Firewall), the default firewall configuration tool for Ubuntu, use

ufw delete allow 80/tcp
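Before running that command, one caveat: Let’s Encrypt validates the http-01 challenge shown in step 3 by connecting to port 80, so a firewall that allows 443 but not 80 still passes the SSL Labs test yet makes the twice-daily certbot renew fail. The following check, added here and not part of the original post, parses ufw status output (a constructed sample is embedded so it runs offline) and reports what a rule set means for renewal; the function names are my own.

```shell
# Added example, not from the original post: read "ufw status" text and say
# whether the rule set leaves http-01 renewal working. Constructed sample that
# mirrors a server after step 6 (443 open, 80 removed, IPv6 twins included).
UFW_SAMPLE='Status: active

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       Anywhere
443/tcp                    ALLOW       Anywhere
22/tcp (v6)                ALLOW       Anywhere (v6)
443/tcp (v6)               ALLOW       Anywhere (v6)'

# port_allowed PORT STATUS_TEXT: 0 if an IPv4 ALLOW rule for PORT/tcp exists.
# The "(v6)" rows have "(v6)" as their second field, so they never match here.
port_allowed() {
    printf '%s\n' "$2" \
        | awk -v p="$1/tcp" '$1 == p && $2 == "ALLOW" { ok = 1 } END { exit ok ? 0 : 1 }'
}

# renewal_status STATUS_TEXT: prints
#   ok              - 443 and 80 reachable (or ufw inactive, so nothing filters)
#   renewal-broken  - HTTPS serves, but Let's Encrypt cannot reach port 80 for
#                     the http-01 challenge, so "certbot renew" will fail
#   no-https        - 443 is not allowed at all
renewal_status() {
    case $1 in "Status: inactive"*) echo ok; return 0 ;; esac
    if ! port_allowed 443 "$1"; then echo no-https
    elif ! port_allowed 80 "$1"; then echo renewal-broken
    else echo ok; fi
}
```

Run it as renewal_status "$(sudo ufw status)" on the server; if it prints renewal-broken, keep 80/tcp allowed and rely on the 301 redirect Certbot added instead of the firewall.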

Summary

In this guide, you learnt how to install the Let’s Encrypt client certbot, use it to obtain an SSL certificate for your domain, and confirm that Certbot’s automatic renewal is active.

If you have further questions about using Certbot, you can read their extensive documentation.
