How to Secure Nginx with Let’s Encrypt on Ubuntu 20.04?


Let’s Encrypt is a Certificate Authority (CA) that provides free SSL/TLS certificates. These certificates are crucial for establishing a secure, encrypted connection between a web server and a user’s browser. Certbot is a software client designed to automate the process of obtaining these certificates and configuring web servers, such as Apache and Nginx, to use them. This automation simplifies the task of securing websites considerably.

This guide details how to secure your Nginx web server on Ubuntu 20.04 with a free SSL certificate from Let’s Encrypt using Certbot.

Before proceeding, please ensure that you meet the following prerequisites.

Prerequisites

  • An Ubuntu 20.04 server with sudo-enabled non-root user access and a firewall configured.
  • A registered domain name. If you haven’t registered one yet, consider providers like Bluehoster who offer various domain extensions (e.g., .com, .net, .in).
  • Both DNS records for your server properly configured:
    • An “A” record for your domain (e.g., example.com) pointing to your server’s public IP address.
    • Another “A” record for the “www” subdomain (e.g., www.example.com) pointing to the same public IP address.
  • Nginx installed and a server block configured for your domain.

Steps to Secure Nginx with Let’s Encrypt on Ubuntu 20.04

1. Installing Certbot

The first step in obtaining an SSL certificate with Let’s Encrypt is to install the Certbot software on your server.

For Nginx servers, you can install Certbot along with its Nginx plugin using the following command:

sudo apt install certbot python3-certbot-nginx

Once installed, Certbot is ready for use. Before it can configure HTTPS for you automatically, though, a few checks on the Nginx configuration are needed.

2. Confirming Nginx’s Configuration

Certbot's Nginx plugin locates the server block to modify by matching the domains you request against the `server_name` directive of each server block. That directive must therefore list exactly the names you will pass to Certbot, or the plugin will not find the block on its own.

Assuming you followed the Nginx installation guide, you should already have a server block for your domain, for example, at `/etc/nginx/sites-available/example.com`. This file should contain the `server_name` directive correctly set.

Open the domain’s configuration file using a text editor like `nano`:

sudo nano /etc/nginx/sites-available/example.com

Verify that the `server_name` line is present and correctly configured, like this:

server_name example.com www.example.com; ...

If it matches, proceed to the next step. If not, correct it accordingly.

After saving and closing the file, verify that the Nginx configuration file is free of syntax errors:

sudo nginx -t

If there are any errors, revisit your server block configuration file to correct them. Once done and the configuration syntax is verified, reload Nginx to apply the new settings:

sudo systemctl reload nginx

This ensures that Certbot can seamlessly find and update the server block with SSL configurations.
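The check Certbot depends on here can be scripted before you run it. The following is an added example, not part of the original guide and not Certbot's own code: it lists the names in the `server_name` directive(s) of a server block file, ignoring comments, and fails if any domain you intend to pass to `certbot -d` is missing or if the block only carries the catch-all `_`, which matches no requested domain. The file path and domain names in the usage comment are placeholders.

```shell
#!/usr/bin/env bash
# Added example (not from the original guide, not Certbot code): confirm that a
# server block names every domain you will request with certbot -d.
set -u

# server_names_in FILE: print each name from the file's server_name
# directive(s), one per line. Whole-line and trailing '#' comments are ignored;
# a directive split across several lines is not handled.
server_names_in() {
    sed -e 's/#.*$//' "$1" \
        | grep -E '^[[:space:]]*server_name[[:space:]]' \
        | sed -E 's/^[[:space:]]*server_name[[:space:]]+//; s/;.*$//' \
        | tr -s '[:space:]' '\n' \
        | grep -v '^$'
}

# check_server_names FILE DOMAIN...: return 0 when every DOMAIN appears in
# server_name, 1 when at least one is missing, 2 when the file has no usable
# server_name at all (none, or only the catch-all "_", which matches no
# requested domain). Problems are reported on stderr.
check_server_names() {
    local file names rc d
    file=$1; shift
    names=$(server_names_in "$file" || :)
    if [ -z "$names" ] || printf '%s\n' "$names" | grep -qx '_'; then
        echo "$file: no usable server_name (missing or catch-all '_')" >&2
        return 2
    fi
    rc=0
    for d in "$@"; do
        if ! printf '%s\n' "$names" | grep -qixF -- "$d"; then
            echo "$file: $d is not listed in server_name" >&2
            rc=1
        fi
    done
    return $rc
}

# Usage on a real server (path and domains are placeholders):
#   check_server_names /etc/nginx/sites-available/example.com \
#       example.com www.example.com && sudo nginx -t
```

Run it against the same file you will hand to Certbot, with the same `-d` names, and only then run `nginx -t`; a non-zero exit from either means Certbot would not be able to place its configuration where you expect.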

Next, allow HTTPS traffic through the firewall.

3. Allowing HTTPS Through the Firewall

Next, open the firewall for HTTPS. This guide assumes the `ufw` firewall is enabled, as listed in the prerequisites. When Nginx is installed it registers application profiles with ufw (`Nginx HTTP`, `Nginx HTTPS` and `Nginx Full`), which is why the rules below refer to profile names rather than port numbers.

First, check the current firewall settings.

sudo ufw status

You'll see output similar to the following (the exact rules depend on whether you already allowed HTTP traffic):

Output

Status: active

To                         Action      From
--                         ------      ----
OpenSSH                    ALLOW       Anywhere
Nginx HTTP                 ALLOW       Anywhere
OpenSSH (v6)               ALLOW       Anywhere (v6)
Nginx HTTP (v6)            ALLOW       Anywhere (v6)

Allow the `Nginx Full` profile, which opens both port 80 (HTTP) and port 443 (HTTPS), and then delete the now-redundant `Nginx HTTP` rule. Keep port 80 reachable: Let's Encrypt's HTTP-01 validation in the next step connects to it, and so does the HTTP-to-HTTPS redirect you will configure.

sudo ufw allow 'Nginx Full'
sudo ufw delete allow 'Nginx HTTP'

Verify the status again:

sudo ufw status

The final output after the adjustments should be similar to the following:

Output

Status: active

To                         Action      From
--                         ------      ----
OpenSSH                    ALLOW       Anywhere
Nginx Full                 ALLOW       Anywhere
OpenSSH (v6)               ALLOW       Anywhere (v6)
Nginx Full (v6)            ALLOW       Anywhere (v6)

Now, proceed to obtain the SSL certificates using Certbot.

4. Get an SSL Certificate

Certbot provides several plugins for obtaining certificates. The Nginx plugin obtains the certificate, edits the matching server block to use it, and reloads Nginx. Run it as follows:

sudo certbot --nginx -d example.com -d www.example.com

The `-d` option specifies each domain name the certificate should cover. The first name given also becomes the certificate name, i.e. the directory name under `/etc/letsencrypt/live/`.

When you run Certbot for the first time, you are prompted for an e-mail address (used for expiry and security notices) and asked to agree to the terms of service. Certbot then contacts the Let's Encrypt ACME server and completes an HTTP-01 challenge for each domain: Let's Encrypt requests a token file from `http://<domain>/.well-known/acme-challenge/` on port 80, which the Nginx plugin serves temporarily, to prove that you control the domain. This is why the DNS records and the firewall rule for port 80 had to be in place first.

If this is successful, you’ll be prompted to configure your HTTPS settings.

Output

Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel):

Enter the number of the option you want. For this example, choose `2` so that all HTTP requests are redirected to HTTPS. Certbot updates the server block, adds the redirect (a permanent 301 to the HTTPS URL), and reloads Nginx. When it finishes, Certbot confirms that installation succeeded:

Output

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
  /etc/letsencrypt/live/example.com/fullchain.pem
  Your key file has been saved at:
  /etc/letsencrypt/live/example.com/privkey.pem
  Your cert will expire on 2020-08-18. To obtain a new or tweaked
  version of this certificate in the future, simply run certbot again
  with the "certonly" option. To non-interactively renew *all* of
  your certificates, run "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

With the certificate installed, load your site over `https://` and confirm the browser shows the padlock in the address bar. Let's Encrypt certificates are valid for only 90 days, so renewal must be automated.

5. Auto Renewal of Certificates

Certbot can renew the certificate automatically. First, perform a dry run of the renewal process:

sudo certbot renew --dry-run

Check the output for errors. On Ubuntu, the `certbot` package installs a systemd timer (`certbot.timer`) that runs `certbot renew` twice a day; a renewal is only attempted once a certificate is within 30 days of expiry, and after a successful renewal the Nginx plugin reloads Nginx so the new certificate is served. If renewal keeps failing, Let's Encrypt has historically e-mailed the address you registered as expiry approaches, but do not rely on that alone; check the expiry date yourself.
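Rather than waiting for an expiry e-mail, check expiry yourself. The following is an added example, not part of the original guide and not Certbot's own code: the first function parses the output of `certbot certificates` and flags every certificate that Certbot reports as having fewer than a given number of days left (or as not valid at all); the second asks OpenSSL whether a certificate file on disk will still be valid a given number of days from now. The `Expiry Date: ... (VALID: N days)` line format it parses is the one emitted by current Certbot releases, which is an assumption on my part; the paths in the usage comment are the ones Certbot printed above.

```shell
#!/usr/bin/env bash
# Added example (not from the original guide, not Certbot code): two checks for
# the renewal stage so that you are not relying on an expiry e-mail.
set -u

# certs_expiring_within DAYS: read `certbot certificates` output on stdin and
# print "NAME DAYS_LEFT" for every certificate that has fewer than DAYS days
# left, or "NAME INVALID" when certbot reports it as not valid (expired, test
# cert). Returns 1 when anything was printed, 0 when all certificates are fine.
# Assumes certbot's "Expiry Date: ... (VALID: N days)" line format.
certs_expiring_within() {
    awk -v limit="$1" '
        BEGIN { bad = 0 }
        /Certificate Name:/ { name = $3 }
        /Expiry Date:/ {
            # Example line: Expiry Date: 2020-08-18 12:00:00+00:00 (VALID: 89 days)
            if ($0 ~ /\(VALID: [0-9]+ days?\)/) {
                left = $0
                sub(/.*\(VALID: /, "", left)
                sub(/ .*/, "", left)
                if (left + 0 < limit + 0) { print name, left; bad = 1 }
            } else {
                print name, "INVALID"; bad = 1
            }
        }
        END { exit bad }'
}

# cert_file_ok_for_days FILE DAYS: 0 if the certificate in FILE is still valid
# DAYS days from now, 1 if it expires before then (openssl x509 -checkend).
cert_file_ok_for_days() {
    openssl x509 -noout -in "$1" -checkend "$(( $2 * 86400 ))" >/dev/null
}

# Usage on a real server (paths are the ones certbot printed above):
#   sudo certbot certificates | certs_expiring_within 30
#   cert_file_ok_for_days /etc/letsencrypt/live/example.com/fullchain.pem 30
#   systemctl list-timers certbot.timer   # the Ubuntu package's renewal timer
```

A threshold of 30 days matches the point at which `certbot renew` starts renewing, so anything these checks report means the automatic renewal has not happened and needs investigating; `systemctl list-timers certbot.timer` shows when the timer last ran and when it will run next. Both functions exit non-zero on a problem, so they drop straight into a cron job or monitoring probe.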

Key Takeaways

In this guide, you installed the Certbot client, obtained a Let's Encrypt certificate for your domain, configured Nginx to use it, and verified automatic renewal. If you need any further assistance, contact our technical support.