Securing Your Nginx Server with Let's Encrypt

Author: Naman Arora
Wed, 17 Jan, 2024

Introduction

Let’s Encrypt, a Certificate Authority (CA), offers a straightforward method to obtain and install free TLS/SSL certificates, enabling encrypted HTTPS on web servers. This tutorial walks you through obtaining a free SSL certificate for Nginx on Ubuntu 22.04 using Certbot and confirming that it renews automatically.

Prerequisites

Before diving into the tutorial, ensure you have the following:

  • An Ubuntu 22.04 server with a sudo-enabled non-root user.
  • A registered domain name (e.g., example.com).
  • DNS records set up for your server: A records for example.com and www.example.com pointing to your server’s public IP address.
  • Nginx installed and configured with a server block for your domain (e.g., /etc/nginx/sites-available/example.com).

Step 1 — Installing Certbot

The first step is to install Certbot and its Nginx plugin. Open your terminal and run:

sudo apt update
sudo apt install certbot python3-certbot-nginx

Certbot is now installed, and we can proceed to configure Nginx.

Step 2 — Confirming Nginx’s Configuration

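Certbot needs to find the correct server block in your Nginx configuration to set up SSL automatically. It does this by looking for a server_name directive that matches the domain you request a certificate for. Verify that your server block file (e.g., /etc/nginx/sites-available/example.com) includes a valid server_name directive: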

sudo nano /etc/nginx/sites-available/example.com

Ensure the server_name line matches your domain:

server_name example.com www.example.com;

Save the file, test the configuration syntax, and reload Nginx:

sudo nginx -t
sudo systemctl reload nginx
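
A pre-flight check for this step, added here as an example and not part of the original tutorial: the hypothetical helper missing_server_names reports which of the domains you plan to pass to Certbot with -d are absent from the server_name directives of a server block file. It matches exact names only and is demonstrated on a constructed sample file; in practice, point it at /etc/nginx/sites-available/example.com.

```shell
# Added example: check server_name before running `certbot --nginx`.
# Exact-name matching only; wildcard and regex entries are not expanded.

# missing_server_names FILE DOMAIN...
# Prints each DOMAIN absent from the server_name directives in FILE.
# Exit status: 0 = all present, 1 = at least one missing, 2 = FILE unreadable.
missing_server_names() (
    conf="$1"; shift
    names="$(awk '
        { sub(/#.*/, "") }                            # drop comments
        collecting || $1 == "server_name" {
            start = collecting ? 1 : 2                # skip the keyword itself
            collecting = 1
            for (i = start; i <= NF; i++) {
                n = $i
                if (sub(/;$/, "", n)) collecting = 0  # ";" ends the directive
                if (n != "") print tolower(n)
                if (!collecting) break
            }
        }' "$conf")" || exit 2
    rc=0
    for d in "$@"; do
        want="$(printf '%s' "$d" | tr '[:upper:]' '[:lower:]')"
        if ! printf '%s\n' "$names" | grep -qxF -- "$want"; then
            printf '%s\n' "$d"
            rc=1
        fi
    done
    exit "$rc"
)

# Constructed sample server block (not taken from a real host).
sample="$(mktemp)"
cat > "$sample" <<'EOF'
server {
    listen 80;
    # server_name old.example.com;
    server_name example.com
                www.example.com;
}
EOF
# Same names that Step 4 passes to certbot with -d.
if missing="$(missing_server_names "$sample" example.com www.example.com)"; then
    echo "OK: every requested name is in server_name"
else
    echo "Not in server_name: $missing"
fi
rm -f "$sample"
```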

Step 3 — Allowing HTTPS Through the Firewall

If you have the ufw firewall enabled, you’ll need to adjust its settings to allow HTTPS traffic. Luckily, Nginx registers a few profiles with ufw upon installation.

You can see the current setting by typing:

sudo ufw status

To additionally let in HTTPS traffic, allow the Nginx Full profile and delete the redundant Nginx HTTP profile allowance:

sudo ufw allow 'Nginx Full'
sudo ufw delete allow 'Nginx HTTP'

Next, let’s run Certbot and fetch our certificates.

Step 4 — Obtaining an SSL Certificate

Use Certbot to obtain the SSL certificate:

sudo certbot --nginx -d example.com -d www.example.com

Follow the prompts to enter your email and agree to the terms of service. Certbot will handle the certificate issuance and configuration.

Let’s finish by testing the renewal process.

Step 5 — Verifying Certbot Auto-Renewal

Let’s Encrypt certificates are valid for 90 days, and Certbot takes care of automatic renewal. Confirm the renewal timer is active:

sudo systemctl status certbot.timer

For a dry run of the renewal process, use:

sudo certbot renew --dry-run

If no errors occur, your setup is complete. Certbot will automatically renew certificates when needed.

Conclusion

You've successfully installed Let’s Encrypt SSL certificates, configured Nginx, and set up automatic renewal for enhanced server security.

Happy Coding!
