How to secure Nginx with Let's Encrypt on Ubuntu 18.04

Last updated on June 30, 2020

Let's Encrypt is a non-profit certificate authority run by the Internet Security Research Group (ISRG) that provides X.509 certificates for Transport Layer Security (TLS) encryption at no charge. It provides an easy way to obtain and install free TLS/SSL certificates, enabling encrypted HTTPS on web servers. Each certificate is valid for 90 days and can be renewed at any time during that period. Certbot automates the entire process and makes it easy to install SSL certificates on both Apache and Nginx. In this article, we explain step by step how to obtain a free TLS/SSL certificate on Ubuntu 18.04.

Prerequisites

You should have access to an Ubuntu 18.04 server and have created a non-root user account with sudo privileges. Both of the following DNS records must be set up for your server:

  • An A record with example.com pointing to your server’s public IP address.
  • An A record with www.example.com pointing to your server’s public IP address.

Make sure you have an Nginx server block for your domain.
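As an added example (not part of the original article), the following pre-flight script confirms that both A records resolve to this server's public IP before you run Certbot, since Certbot's domain-validation challenge is fetched from whatever address each requested name resolves to, and a stale or missing record fails validation. It assumes dig from the dnsutils package; the address 203.0.113.10, the script name and the function names are constructed for the example.

```shell
#!/bin/sh
# DNS pre-flight check before running certbot (added example, not from the article).
# Certbot's HTTP-01 challenge is fetched from whatever address each requested name
# resolves to, so a stale or missing A record makes validation fail. Assumes `dig`
# from the dnsutils package; the IP and names used below are constructed placeholders.

# Public IPv4 address of this server as seen from outside, via OpenDNS's resolver.
public_ip() {
    dig +short myip.opendns.com @resolver1.opendns.com
}

# First A record for a name (empty output if there is none).
resolve_a() {
    dig +short A "$1" 2>/dev/null \
        | grep -E '^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$' \
        | head -n 1
}

# Pure check: given the expected IP and lines of "name address", succeed only if
# every line's address equals the expected IP. Takes no network input, so it can
# be exercised with constructed records.
records_point_to() {
    expected="$1"
    printf '%s\n' "$2" | while read -r name addr; do
        [ -n "$name" ] || continue
        if [ "$addr" = "$expected" ]; then
            echo "OK   $name -> $addr"
        else
            echo "FAIL $name -> ${addr:-<no A record>} (expected $expected)"
            exit 1    # exits the pipeline subshell; becomes the function's status
        fi
    done
}

# Resolve each name and feed the results to the check.
check_dns() {
    expected="$1"
    shift
    records=""
    for name in "$@"; do
        records="${records}${name} $(resolve_a "$name")
"
    done
    records_point_to "$expected" "$records"
}

# Run as: sh dns-check.sh 203.0.113.10 example.com www.example.com
# (or pass "$(public_ip)" instead of a literal address). Exit status 0 means
# Certbot's validation request should reach this server for every name.
if [ "$#" -ge 2 ]; then
    check_dns "$@"
fi
```

Run it once with your real domain names before the certbot command below; if any line reports FAIL, fix the DNS record first, because Certbot counts failed validations against its rate limits.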

Install Certbot

Certbot is a free software tool that automates obtaining and installing Let's Encrypt certificates and enabling HTTPS on a website. First, add the Certbot PPA to your Ubuntu package sources using the command below:

sudo add-apt-repository ppa:certbot/certbot

Install Certbot's Nginx plugin:

sudo apt install python-certbot-nginx

Update the Firewall to Allow HTTPS

If you are using the ufw firewall on your server, you need to allow HTTPS traffic. Use the command below to check the status of your ufw firewall:

sudo ufw status

You should see output similar to this:

Status: active

To                         Action      From
--                         ------      ----
OpenSSH                    ALLOW       Anywhere                  
Nginx HTTP                 ALLOW       Anywhere                  
OpenSSH (v6)               ALLOW       Anywhere (v6)             
Nginx HTTP (v6)            ALLOW       Anywhere (v6)

You can allow HTTPS traffic with the following commands (the Nginx Full profile allows both HTTP and HTTPS, which is why the separate Nginx HTTP rule is deleted afterwards):

sudo ufw allow 'Nginx Full'
sudo ufw delete allow 'Nginx HTTP'

Verify the firewall status; it should now look like this:

sudo ufw status
Output
Status: active

To                         Action      From
--                         ------      ----
OpenSSH                    ALLOW       Anywhere
Nginx Full                 ALLOW       Anywhere
OpenSSH (v6)               ALLOW       Anywhere (v6)
Nginx Full (v6)            ALLOW       Anywhere (v6)

Obtaining an SSL Certificate

Certbot obtains and installs SSL certificates through plugins. The Nginx plugin takes care of reconfiguring Nginx for you. To use it, enter the command below:

sudo certbot --nginx -d example.com -d www.example.com

In the above command, replace example.com with your own domain name. This runs Certbot with the Nginx plugin (--nginx); each -d option specifies a domain name the certificate should cover.

If you are running this command for the first time, it will prompt you to enter your email address and agree to the terms of service. Certbot then communicates with the Let's Encrypt server and runs a challenge to verify that you control the domain for which you are requesting a certificate.

If that was successful, you will see output like this:

Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
-------------------------------------------------------------------------------
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
-------------------------------------------------------------------------------
Select the appropriate number [1-2] then [enter] (press 'c' to cancel):

Select your choice and press ENTER. Certbot will automatically update your Nginx configuration and reload the server with the new configuration. You will then see the following output:

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/example.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/example.com/privkey.pem
   Your cert will expire on 2018-07-23. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot again
   with the "certonly" option. To non-interactively renew *all* of
   your certificates, run "certbot renew"
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

Your certificate is now downloaded, installed, and loaded. Verify it by reloading your website using https://; the browser should indicate that the site is properly secured, usually with a lock icon. You can also test your server using this link, which will give it a grade.

Verifying Certbot Auto-Renewal

Let's Encrypt certificates are only valid for 90 days. The certbot package takes care of renewal for us by adding a renew script to /etc/cron.d. This script runs twice a day and automatically renews any certificate that is within thirty days of expiration. The following command verifies the auto-renewal process by simulating a renewal without replacing your certificates:

sudo certbot renew --dry-run
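The dry run above confirms that Certbot can renew, but a renewed certificate only takes effect once Nginx reloads it. As an added example (not part of the original article, nor Certbot's own tooling), the following script reads the expiry date of the certificate on disk at the path Certbot printed above, maps it onto the thirty-day renewal window, and compares it with the certificate Nginx actually serves on port 443. It assumes GNU date (as shipped on Ubuntu) and openssl; the script name, the function names and the timestamps in the comments are constructed for the example.

```shell
#!/bin/sh
# Renewal sanity check (added example, not from the article). certbot renew replaces
# the files under /etc/letsencrypt/live/<domain>/ when a certificate is within 30
# days of expiry, but Nginx keeps presenting the old certificate until it is
# reloaded, so this compares the on-disk leaf with the one actually served on :443.

# Days until the notAfter date (format printed by `openssl x509 -enddate -noout`,
# e.g. "notAfter=Jul 23 12:00:00 2018 GMT"), relative to a Unix timestamp.
# Assumes GNU date. Integer division truncates toward zero, so anything less than a
# full day before or after expiry reports 0.
days_until_expiry() {
    not_after="${1#notAfter=}"
    now="$2"
    end=$(date -u -d "$not_after" +%s) || return 1
    echo $(( (end - now) / 86400 ))
}

# Map the remaining days onto certbot's renewal window.
renewal_state() {
    if [ "$1" -lt 0 ]; then
        echo expired
    elif [ "$1" -le 30 ]; then
        echo due       # certbot renew would (or should already) have replaced it
    else
        echo ok
    fi
}

# notAfter of the leaf certificate certbot wrote (first cert in fullchain.pem).
disk_not_after() {
    openssl x509 -enddate -noout -in "/etc/letsencrypt/live/$1/fullchain.pem"
}

# notAfter of the leaf certificate Nginx actually presents for that name.
served_not_after() {
    openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -enddate -noout
}

# Run as: sh renewal-check.sh example.com
if [ "$#" -eq 1 ]; then
    now=$(date -u +%s)
    on_disk=$(disk_not_after "$1") && served=$(served_not_after "$1") || exit 1
    echo "on disk: $on_disk ($(renewal_state "$(days_until_expiry "$on_disk" "$now")"))"
    echo "served:  $served"
    if [ "$on_disk" != "$served" ]; then
        echo "WARNING: served certificate differs from disk; Nginx was not reloaded after renewal"
        exit 2
    fi
fi
```

An exit status of 2 is the case worth alerting on: renewal succeeded on disk but clients are still being shown the old certificate, which is exactly the failure that turns into an outage on the expiry date shown in the "on disk" line.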

Conclusion

Congratulations, your Let's Encrypt SSL certificate has been installed and the Nginx configuration has been updated for your domain. Certificate renewal is also automated.