A website served by Nginx can be secured with a Let’s Encrypt certificate, and this tutorial shows you how.
Let’s Encrypt is a Certificate Authority that provides free TLS/SSL certificates valid for 90 days. SSL stands for Secure Sockets Layer, and an SSL certificate is a digital certificate that enables an encrypted connection and authentication of the website's identity. In this blog post, we will use Certbot to obtain a free SSL certificate for Nginx.
Installing a free Let’s Encrypt SSL certificate on Ubuntu 20.04 with Certbot is a straightforward process and should take up to 10 minutes. Let’s get started!
Prerequisites
- Fresh install of Ubuntu 20.04
- User privileges: root or non-root user with sudo privileges
- Valid A record of the domain pointed to your server IP address (yourdomain.com and www.yourdomain.com)
Update the System
Before we start with the installation process we need to update the system to get the latest packages and updates available.
sudo apt update -y && sudo apt upgrade -y
Install Nginx Web Server
To install the Nginx web server, execute the following command:
sudo apt install nginx -y
Once the installation is completed, enable and start the Nginx service:
sudo systemctl enable nginx && sudo systemctl start nginx
To check if everything is OK, check the status of the service:
sudo systemctl status nginx
You should receive the following output:
root@vps:~# systemctl status nginx
● nginx.service - A high performance web server and a reverse proxy server
     Loaded: loaded (/lib/systemd/system/nginx.service; enabled; vendor preset: enabled)
     Active: active (running) since Sun 2022-02-06 19:34:56 UTC; 11s ago
       Docs: man:nginx(8)
    Process: 322857 ExecStartPre=/usr/sbin/nginx -t -q -g daemon on; master_process on; (code=exited, status=0/SUCCESS)
    Process: 322858 ExecStart=/usr/sbin/nginx -g daemon on; master_process on; (code=exited, status=0/SUCCESS)
   Main PID: 322859 (nginx)
      Tasks: 5 (limit: 4617)
     Memory: 5.0M
     CGroup: /system.slice/nginx.service
             ├─322859 nginx: master process /usr/sbin/nginx -g daemon on; master_process on;
Create Nginx Virtual Host
Before we continue with installing the free Let’s Encrypt certificate, we need to create a virtual host file containing our domain name. Go into the Nginx configuration directory and create the file.
cd /etc/nginx/conf.d/ && sudo nano yourdomain.com.conf
Paste the following lines of code:
server {
    listen 80;
    root /var/www/html;
    index index.php index.html index.htm;
    # List every name passed to certbot with -d so its Nginx installer can find this block
    server_name yourdomain.com www.yourdomain.com;
    error_log /var/log/nginx/yourdomain.com_error.log;
    access_log /var/log/nginx/yourdomain.com_access.log;
    client_max_body_size 100M;
    location / {
        try_files $uri $uri/ /index.php?$args;
    }
}
Check that the Nginx configuration syntax is OK:
sudo nginx -t
You should receive the following output:
root@vps:/etc/nginx/conf.d# nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
If you receive this output, you can restart the Nginx service and access your website.
sudo systemctl restart nginx
Install Certbot
At this moment, our website is running over the HTTP protocol. Installing a free Let’s Encrypt SSL certificate will make our website run securely over the HTTPS protocol. Before we obtain the certificate, we need to install Certbot and its Python plugin for Nginx.
sudo apt install certbot python3-certbot-nginx
Once Certbot is installed successfully, we can proceed with the main step in this tutorial: obtaining an SSL certificate.
Obtaining an SSL Certificate
To run Certbot with the Nginx plugin for your domain names, execute the following command:
sudo certbot --nginx -d yourdomain.com -d www.yourdomain.com
After you execute this command, there will be a couple of prompts that you will need to answer, such as the email address, agreement to the terms and conditions, whether you want to share your email address or not, and the redirect options.
root@vps:~# sudo certbot --nginx -d yourdomain.com -d www.yourdomain.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx
Enter email address (used for urgent renewal and security notices) (Enter 'c' to
cancel): admin@yourdomain.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server at
https://acme-v02.api.letsencrypt.org/directory
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(A)gree/(C)ancel: A
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about our work
encrypting the web, EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: N
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for yourdomain.com
http-01 challenge for www.yourdomain.com
Waiting for verification...
Cleaning up challenges
Deploying Certificate to VirtualHost /etc/nginx/conf.d/example.conf
Deploying Certificate to VirtualHost /etc/nginx/conf.d/example.conf
Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Redirecting all traffic on port 80 to ssl in /etc/nginx/conf.d/example.conf
Redirecting all traffic on port 80 to ssl in /etc/nginx/conf.d/example.conf
If everything is set up as it should be, the certificate will be installed and you will receive the message below.
Congratulations! You have successfully enabled https://yourdomain.com and
https://www.yourdomain.com
You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=yourdomain.com
https://www.ssllabs.com/ssltest/analyze.html?d=www.yourdomain.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/yourdomain.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/yourdomain.com/privkey.pem
   Your cert will expire on 2022-05-07. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot again
   with the "certonly" option. To non-interactively renew *all* of
   your certificates, run "certbot renew"
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.
 - If you like Certbot, please consider supporting our work by:
   Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
   Donating to EFF: https://eff.org/donate-le
Now, you can access your website securely at https://yourdomain.com
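Let’s Encrypt certificates last 90 days, and Certbot by default renews one once fewer than 30 days remain, so a certificate that falls below that mark means automatic renewal is not working. The script below is an added example, not part of the original tutorial: it reads the report printed by `sudo certbot certificates`, and the sample report, its timestamps, and the names stale.example and old.example are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example (not from the original tutorial): detect certificates that
# automatic renewal should already have replaced.

# check_renewal MIN_DAYS
# Reads a `certbot certificates` report on stdin and prints one line per
# certificate: "<name> OK <days>", "<name> RENEWAL_OVERDUE <days>" or
# "<name> INVALID". Exit status is 1 if any certificate is not OK.
check_renewal() {
    awk -v min="$1" '
        /Certificate Name:/ { name = $3 }
        /Expiry Date:/ {
            if ($0 ~ /\(INVALID/) {            # e.g. (INVALID: EXPIRED)
                print name, "INVALID"; bad = 1
                next
            }
            days = 0                           # valid, but for less than one day
            if ($0 ~ /\(VALID: [0-9]+ day/) {
                days = $0
                sub(/.*\(VALID: /, "", days)   # strip everything before the number
                sub(/ day.*/, "", days)        # strip everything after it
            }
            if (days + 0 < min + 0) { print name, "RENEWAL_OVERDUE", days; bad = 1 }
            else                    { print name, "OK", days }
        }
        END { exit bad + 0 }
    '
}

# Constructed sample report (assumed data, shaped like `certbot certificates` output).
sample_report() {
    cat <<'EOF'
Found the following certs:
  Certificate Name: yourdomain.com
    Domains: yourdomain.com www.yourdomain.com
    Expiry Date: 2022-05-07 18:40:11+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/yourdomain.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/yourdomain.com/privkey.pem
  Certificate Name: stale.example
    Domains: stale.example
    Expiry Date: 2022-02-18 09:12:45+00:00 (VALID: 11 days)
  Certificate Name: old.example
    Domains: old.example
    Expiry Date: 2022-01-03 10:00:00+00:00 (INVALID: EXPIRED)
EOF
}
```

On the server, run `sudo certbot certificates | check_renewal 30`; if it exits non-zero, `sudo certbot renew --dry-run` shows why renewal is failing.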
Congratulations! You have successfully secured Nginx with a free Let’s Encrypt SSL certificate on your Ubuntu 20.04 server.
Of course, you don’t have to install the SSL certificate on your own if you use one of our SSD VPS Hosting services, in which case you can simply ask our expert system administrators to install it for you and secure your website. They are available 24×7 and will take care of your request immediately.