Following the latest web security standards, Google has made its expectations about using HTTPS on a website clearer. These changes also brought a shift: HTTPS-encrypted sites are now treated as the default.
Now you may understand the importance of HTTPS on a website.
In this tutorial, you will use Let's Encrypt Certbot to obtain a free SSL certificate for Nginx on Ubuntu 20.04 and set up your certificate to renew automatically.
Let's Encrypt is a free, automated, and open certificate authority brought to you by the nonprofit Internet Security Research Group (ISRG) that provides an easy way to obtain and install free TLS/SSL certificates, thereby enabling encrypted HTTPS on web servers.
It is bundled with a software client called Certbot that attempts to automate all the processes of obtaining and installing a certificate on your web server.
Before starting, make sure you have:
- A non-root user and a firewall.
- A registered domain name.
- Both of the following DNS records set up for your server:
  1. An A record with example.com pointing to your server’s public IP address.
  2. An A record with www.example.com pointing to your server’s public IP address.
- Nginx installed on your device.
- A server block for your domain in your Nginx configuration.
How to find the server block for my domain?
You can search the server block for your domain in
In order to get the Let's Encrypt SSL certificate, we first need to install the Certbot software on the server.
Install Certbot and its Nginx plugin with:
$ sudo apt install certbot python3-certbot-nginx
We have successfully installed the Certbot software and its Nginx plugin. Now let's verify some of the Nginx configurations.
Validate Nginx Configuration
Certbot needs to find the correct server block in your Nginx configuration to be able to configure SSL automatically. Specifically, it does this by looking for a server_name directive that matches the domain you request a certificate for.
To check, open the configuration file for your domain using nano or your favorite text editor:
$ sudo nano /etc/nginx/sites-available/example.com
Find the existing server_name line. It should look like this:
If it does, exit your editor and move on to the next step.
If it doesn’t, update it to match. Then save the file, quit your editor, and verify the syntax of your configuration edits by running the command
$ sudo nginx -t
If you get an error, reopen the server block file and check for any typos or missing characters. Once your configuration file’s syntax is correct, reload Nginx to load the new configuration:
$ sudo systemctl reload nginx
Certbot can now find the correct server block and update it automatically.
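As an added example (not part of the original tutorial), the shell functions below run the same check before you call certbot: they list the names declared by server_name directives in a config file and report requested domains that none of them declares. The sample config is constructed, and only exact names are compared, not wildcard or regex server names.

```shell
#!/bin/sh
# Added example: pre-flight check to run before `certbot --nginx`.

# Print every name declared by a server_name directive, one per line.
# Comments are stripped and the file is split into tokens first, so
# commented-out directives are ignored and multi-line directives work.
server_names() {
    sed -e 's/#.*//' -e 's/[{};]/ & /g' "$1" | tr -s ' \t\n' '\n' |
    awk '
        $0 == ""            { next }
        $0 == "server_name" { collecting = 1; next }
        $0 == ";"           { collecting = 0; next }
        collecting          { print }
    '
}

# Print each requested domain that no server_name directive declares.
# Usage: missing_domains CONF_FILE DOMAIN...
missing_domains() {
    conf=$1; shift
    declared=$(server_names "$conf")
    for d in "$@"; do
        printf '%s\n' "$declared" | grep -qxF -- "$d" || printf '%s\n' "$d"
    done
}

# Constructed sample config (hypothetical), written to the given path.
write_sample_conf() {
    cat > "$1" <<'EOF'
server {
    listen 80;
    # server_name old.example.com;
    server_name example.com
                www.example.com;
}
EOF
}

# Demo: old.example.com is only present in a comment, so it is reported.
sample=$(mktemp)
write_sample_conf "$sample"
missing=$(missing_domains "$sample" example.com www.example.com old.example.com)
if [ -n "$missing" ]; then
    echo "fix server_name before running certbot; not declared: $missing"
fi
rm -f "$sample"
```

On a real server, pass the path of your own server block file and the same domains you will give to certbot with -d.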
Next, let’s update the firewall to allow HTTPS traffic.
Allowing HTTPS Through the Firewall
Now, you’ll need to adjust the settings to allow for HTTPS traffic.
To additionally let in HTTPS traffic, allow the Nginx Full profile and delete the redundant Nginx HTTP profile allowance:
$ sudo ufw allow 'Nginx Full'
$ sudo ufw delete allow 'Nginx HTTP'
Your status should now look like this:
$ sudo ufw status
Obtaining an SSL Certificate
Certbot provides a variety of ways to obtain SSL certificates through plugins. The Nginx plugin will take care of reconfiguring Nginx and reloading the config whenever necessary. To use this plugin, type the following:
$ sudo certbot --nginx -d example.com -d www.example.com
Now this will run the --nginx plugin to configure SSL for domain name specified by
If this is your first time running certbot, you will be prompted to enter an email address and agree to the terms of service.
Certbot will communicate with the Let's Encrypt server and then run a challenge to verify the domain name that you have provided to get the certificate.
If that’s successful, certbot will ask how you’d like to configure your HTTPS settings.
Choose an option according to your need and hit ENTER. After that, the configuration will be updated and Nginx will be reloaded to adapt to the new settings.
Certbot will show an output message like this:
Congrats! Your certificate has been downloaded, installed, and loaded. Now, try reloading your website with https:// in order to see the results.
You can test your server using the SSL Labs Server Test; it will get an A grade.
Now, let’s finish by testing the renewal process.
Verifying Certbot Auto-Renewal
Let’s Encrypt’s certificates are only valid for ninety days. The Certbot package we installed takes care of this for us by adding a systemd timer that will run twice a day and automatically renew any certificate that’s within thirty days of expiration.
You can query the status of the timer with
$ sudo systemctl status certbot.timer
To test the renewal process, you can do a dry run with
$ sudo certbot renew --dry-run
If you see no errors, you’re all set. The Certbot package will automatically look up and renew your certificates and reload Nginx to update the settings. If any errors occur, a consolidated mail will be sent to your registered email id.
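An added monitoring check, not part of the original tutorial: since renewal happens once a certificate is within thirty days of expiration, a certificate with fewer days left than that means the timer has failed or Nginx is still serving an old file. It assumes GNU date (as on Ubuntu) and the openssl command-line tool; the dates in the demo are constructed.

```shell
#!/bin/sh
# Added example: flag a certificate the certbot timer should already have renewed.

RENEW_WINDOW_DAYS=30   # renewal window described in the tutorial

# Classify a certificate by its expiry date.
# $1: date as printed by `openssl x509 -noout -enddate`
#     (the "notAfter=" prefix is optional)
# $2: current time in epoch seconds (defaults to now)
renewal_state() {
    not_after=${1#notAfter=}
    now=${2:-$(date -u +%s)}
    expiry=$(date -u -d "$not_after" +%s) || return 2   # unparsable date
    left=$(( (expiry - now) / 86400 ))
    if [ "$expiry" -le "$now" ]; then
        echo "expired"
    elif [ "$left" -lt "$RENEW_WINDOW_DAYS" ]; then
        echo "renewal-overdue (${left} days left)"
    else
        echo "ok (${left} days left)"
    fi
}

# Check a PEM certificate file on disk, e.g. the one Certbot wrote.
check_cert_file() {
    renewal_state "$(openssl x509 -noout -enddate -in "$1")"
}

# Check the certificate Nginx is actually serving for a host name.
# A mismatch with the file on disk means Nginx was not reloaded.
check_served_cert() {
    renewal_state "$(openssl s_client -connect "$1:443" -servername "$1" \
        </dev/null 2>/dev/null | openssl x509 -noout -enddate)"
}

# Demo with constructed dates: 20 days before expiry is already overdue.
demo_now=$(date -u -d '2025-06-10' +%s)
renewal_state 'notAfter=Jun 30 00:00:00 2025 GMT' "$demo_now"
```

Run check_served_cert with your domain from cron or a monitoring agent and alert on anything other than "ok".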
In this tutorial, we have installed Let's Encrypt's software Certbot to secure our Nginx Server and serve over HTTPS on the internet.
If you have further questions or need any help, create a new topic in the Codebulbs Forum.