How to secure your Nginx website with SSL using Let’s Encrypt on Ubuntu 18.04

Let’s Encrypt is a Certificate Authority (CA) that provides an easy way to obtain and install free TLS/SSL certificates for enabling encrypted HTTPS on web servers. It simplifies the process by providing a software client, Certbot, that attempts to automate most of the required steps for both Apache and Nginx.

Install certbot

sudo add-apt-repository ppa:certbot/certbot
sudo apt update
sudo apt-get install certbot
sudo apt-get install python-certbot-nginx
certbot --version

Obtain an SSL certificate

You should already a website configuration for your domain in nginx at /etc/nginx/sites-available/

server {

Then obtain an SSL certificate and get certbort do all the configuration by itself for Nginx:

$ sudo certbot --nginx -d -d

You can choose to auto redirect HTTP request to HTTPS during this command execution.

You can double check your nginx website configuration after this command /etc/nginx/sites-available/

server {
listen 443 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/;
ssl_certificate_key /etc/letsencrypt/live/;
include /etc/letsencrypt/options-ssl-nginx.conf;
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
server {
if ($host = {
return 301 https://$host$request_uri;
} # managed by Certbot
listen 80;
return 404; # managed by Certbot

Then restart your nginx and enjoy your secured HTTPS website:

$ sudo nginx -t
$ sudo service nginx reload

Auto renew Let’s Encrypt’s certificate

Let’s Encrypt’s certificates are only valid for ninety days. This is to encourage users to automate their certificate renewal process. The certbot package we installed takes care of this for us by adding a renew script to /etc/cron.d. This script runs twice a day and will automatically renew any certificate that’s within thirty days of expiration.

You can see this cronjob in /etc/cron.d/certbot file:

0 */12 * * * root test -x /usr/bin/certbot -a \! -d /run/systemd/system && perl -e 'sleep int(rand(43200))' && certbot -q renew

To test the renewal process, you can do a dry run with certbot:

sudo certbot renew - dry-run

If you see no errors, you’re all set. Enjoy your secured website!




Love podcasts or audiobooks? Learn on the go with our new app.

Recommended from Medium

Programming, a way of Life.

5 reasons why Agile is better than Waterfall

Implementing Deutsch’s algorithm in qiskit and cirq

Evolving Virtualization Infrastructure and Memory Storage

How to Reset Cherry Mobile Omega XL

Hard Reset your phone

Do you think running code in cloud makes your code run faster ? Let’s rethink



Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Chi Thuc Nguyen

Chi Thuc Nguyen

More from Medium

The Complete Guide to Understanding LocalStorage

Introduction to the API 102: Building Workflows with APIs in Postman

Prometheus Monitoring

How to Set up mTLS Between Client Java SE Application and Remote OCI API Gateway