How to secure your Nginx website with SSL using Let’s Encrypt on Ubuntu 18.04

Let’s Encrypt is a Certificate Authority (CA) that provides an easy way to obtain and install free TLS/SSL certificates for enabling encrypted HTTPS on web servers. It simplifies the process by providing a software client, Certbot, that attempts to automate most of the required steps for both Apache and Nginx.

Install certbot

sudo add-apt-repository ppa:certbot/certbot
sudo apt update
sudo apt-get install certbot
sudo apt-get install python-certbot-nginx
certbot --version

Obtain an SSL certificate

You should already have a website configuration for your domain in Nginx at /etc/nginx/sites-available/example.com:

server {
...
server_name example.com www.example.com;
...
}

Then obtain an SSL certificate and let certbot do all the Nginx configuration by itself:

$ sudo certbot --nginx -d example.com -d www.example.com

You can choose to automatically redirect HTTP requests to HTTPS while this command runs.

You can double-check your Nginx website configuration in /etc/nginx/sites-available/example.com after this command:

server {
server_name example.com;
...
listen 443 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
include /etc/letsencrypt/options-ssl-nginx.conf;
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
}
server {
if ($host = example.com) {
return 301 https://$host$request_uri;
} # managed by Certbot
listen 80;
server_name example.com;
return 404; # managed by Certbot
}

Then test the configuration, reload Nginx, and enjoy your secured HTTPS website:

$ sudo nginx -t
$ sudo service nginx reload

Auto renew Let’s Encrypt’s certificate

Let’s Encrypt’s certificates are only valid for ninety days. This is to encourage users to automate their certificate renewal process. The certbot package we installed takes care of this for us by adding a renew script to /etc/cron.d. This script runs twice a day and will automatically renew any certificate that’s within thirty days of expiration.

You can see this cronjob in /etc/cron.d/certbot file:

0 */12 * * * root test -x /usr/bin/certbot -a \! -d /run/systemd/system && perl -e 'sleep int(rand(43200))' && certbot -q renew

To test the renewal process, you can do a dry run with certbot:

sudo certbot renew --dry-run

If you see no errors, you’re all set. Enjoy your secured website!
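A dry run only proves that certbot can talk to Let's Encrypt; it does not tell you how much lifetime the certificate currently has. The following check script is an added example, not part of the original post: it reads the expiry date out of the live fullchain.pem with openssl and reports whether the certificate is inside the thirty-day window in which the cron job above should already have renewed it. It assumes openssl and GNU date are available, and the example.com path is a placeholder for your own domain.

```shell
#!/bin/sh
# Added example (not from the original post): report days left on a
# Let's Encrypt certificate and whether certbot's 30-day renewal window,
# the threshold used by the "certbot -q renew" cron job, has been reached.
# Assumes openssl and GNU date. Usage:
#   sh check_cert.sh /etc/letsencrypt/live/example.com/fullchain.pem

# Print the certificate's expiry line, e.g. "notAfter=Jan  1 00:00:00 2030 GMT".
cert_not_after() {
    openssl x509 -in "$1" -noout -enddate
}

# Convert a notAfter line into whole days remaining relative to a reference
# time given as epoch seconds ($2). Negative means the cert has expired.
days_left() {
    not_after="${1#notAfter=}"
    expiry=$(date -u -d "$not_after" +%s) || return 2
    echo $(( (expiry - $2) / 86400 ))
}

# Classify the remaining lifetime. The exit status doubles as a monitoring
# result: 0 = fine, 1 = inside the 30-day renewal window, 2 = already expired.
renewal_state() {
    if [ "$1" -lt 0 ]; then
        echo expired; return 2
    elif [ "$1" -le 30 ]; then
        echo renew-due; return 1
    else
        echo ok; return 0
    fi
}

main() {
    line=$(cert_not_after "$1") || { echo "cannot read certificate $1" >&2; exit 2; }
    days=$(days_left "$line" "$(date -u +%s)") || exit 2
    printf '%s: %s days left (%s)\n' "$1" "$days" "$(renewal_state "$days")"
}

# Only run the check when a certificate path is given on the command line.
if [ -n "$1" ]; then
    main "$1"
fi
```

A "renew-due" result on a host where the cron job is installed means renewal is failing silently and the certbot log under /var/log/letsencrypt is the place to look.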

Chi Thuc Nguyen