In line with current web security practice, Google has made its position on HTTPS clear, and HTTPS-encrypted sites are now treated as the default rather than the exception. That is why HTTPS matters for any website you run.
In this tutorial, you will use Let's Encrypt Certbot to obtain a free SSL certificate for Nginx on Ubuntu 20.04 and set up your certificate to renew automatically.
Let's Encrypt is a free, automated, and open certificate authority run by the nonprofit Internet Security Research Group (ISRG). It provides an easy way to obtain and install free TLS/SSL certificates, thereby enabling encrypted HTTPS on web servers.
It is used together with a software client called Certbot, which attempts to automate the whole process of obtaining and installing a certificate on your web server.
Prerequisites
Before starting make sure you have:
- An Ubuntu 20.04 server with a sudo-enabled non-root user and a firewall.
- A registered domain name.
- Both of the following DNS records set up for your server:
  1. An A record with example.com pointing to your server's public IP address.
  2. An A record with www.example.com pointing to your server's public IP address.
- Nginx installed on your server.
- A server block for your domain, i.e. a configuration file named after your domain inside Nginx's sites-available directory.
How to find the server block for my domain?
The server block for your domain lives at /etc/nginx/sites-available/example.com
Installing Certbot
In order to get the Let's Encrypt SSL certificate we first need to install the Certbot software on the server.
Install Certbot and its Nginx plugin with apt:
$ sudo apt install certbot python3-certbot-nginx
We have successfully installed the Certbot software and its Nginx plugin. Now let's verify some of the Nginx configuration.
Validate Nginx Configuration
Certbot needs to find the correct server block in your Nginx configuration in order to configure SSL automatically. Specifically, it does this by looking for a server_name directive that matches the domain you request a certificate for.
To check, open the configuration file for your domain using nano or your favorite text editor:
$ sudo nano /etc/nginx/sites-available/example.com
Find the existing server_name line. It should look like this:
...
server_name example.com www.example.com;
...
If it does, exit your editor and move on to the next step.
If it doesn't, update it to match. Then save the file, quit your editor, and verify the syntax of your configuration edits by running the command:
$ sudo nginx -t
If you get an error, reopen the server block file and check for any typos or missing characters. Once your configuration file’s syntax is correct, reload Nginx to load the new configuration:
$ sudo systemctl reload nginx
Certbot can now find the correct server block and update it automatically.
Next, let's update the firewall to allow HTTPS traffic.
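The check Certbot performs above can be scripted so you can run it for every domain you intend to pass with -d before invoking Certbot. The following is an added example written for this tutorial, not part of the original post or of Certbot itself; it reads a constructed sample server block instead of the real /etc/nginx/sites-available/example.com, and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the original tutorial): verify that an Nginx server
# block declares every domain Certbot will be asked to issue a certificate for.
# The configuration below is a constructed sample standing in for
# /etc/nginx/sites-available/example.com; point CONF at the real file on a server.
SAMPLE_CONF="$(mktemp)"
trap 'rm -f "$SAMPLE_CONF"' EXIT
cat > "$SAMPLE_CONF" <<'EOF'
server {
    listen 80;
    server_name example.com www.example.com;
    root /var/www/example.com/html;
}
EOF

# server_names_in CONF -> prints the names on the first server_name line,
# one per line, with the trailing semicolon and surrounding whitespace removed.
server_names_in() {
    sed -n 's/^[[:space:]]*server_name[[:space:]]\{1,\}\(.*\);[[:space:]]*$/\1/p' "$1" \
        | head -n 1 | tr ' \t' '\n\n' | grep -v '^$'
}

# has_server_name CONF DOMAIN -> exit 0 if DOMAIN is listed, 1 otherwise.
# Certbot's Nginx plugin matches on exactly this directive, so every -d value
# passed to certbot should satisfy this check. -F avoids treating the dots in
# the domain as regex wildcards; -x requires a whole-name match.
has_server_name() {
    server_names_in "$1" | grep -Fqx "$2"
}

# missing_server_names CONF DOMAIN... -> prints the domains that are not declared.
missing_server_names() {
    conf="$1"; shift
    for d in "$@"; do
        has_server_name "$conf" "$d" || echo "$d"
    done
}

missing="$(missing_server_names "$SAMPLE_CONF" example.com www.example.com)"
if [ -z "$missing" ]; then
    echo "server_name covers all requested domains; next: sudo nginx -t && sudo systemctl reload nginx"
else
    echo "add these names to the server_name directive before running certbot:"
    echo "$missing"
fi
```

On a real host, replace the constructed sample with the path of your own server block and list every domain you plan to pass to certbot with -d; anything printed under "add these names" would otherwise make Certbot fail to locate the block.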
Allowing HTTPS Through the Firewall
Now you need to adjust the firewall settings to allow HTTPS traffic.
To additionally let in HTTPS traffic, allow the Nginx Full profile and delete the now-redundant Nginx HTTP profile allowance:
$ sudo ufw allow 'Nginx Full'
$ sudo ufw delete allow 'Nginx HTTP'
Your status should now look like this:
$ sudo ufw status
Status: active
To Action From
-- ------ ----
OpenSSH ALLOW Anywhere
Nginx Full ALLOW Anywhere
OpenSSH (v6) ALLOW Anywhere (v6)
Nginx Full (v6) ALLOW Anywhere (v6)
Obtaining an SSL Certificate
Certbot provides a variety of ways to obtain SSL certificates through plugins. The Nginx plugin will take care of reconfiguring Nginx and reloading the config whenever necessary. To use this plugin, type the following:
$ sudo certbot --nginx -d example.com -d www.example.com
This runs Certbot with the --nginx plugin, using -d to specify the domain names the certificate should cover.
If this is your first time running certbot, you will be prompted to enter an email address and agree to the terms of service.
Certbot will then communicate with the Let's Encrypt server and run a challenge to verify that you control the domain names you provided.
If that's successful, certbot will ask how you'd like to configure your HTTPS settings:
Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel):
Choose an option according to your needs and hit ENTER. After that, the configuration will be updated and Nginx will be reloaded to pick up the new settings. Certbot will show an output message like this:
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/example.com/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/example.com/privkey.pem
Your cert will expire on 2020-08-18. To obtain a new or tweaked
version of this certificate in the future, simply run certbot again
with the "certonly" option. To non-interactively renew *all* of
your certificates, run "certbot renew"
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
Congrats! Your certificate has been downloaded, installed, and loaded. Now, try reloading your website with https:// in order to see the result.
You can test your server using the SSL Labs Server Test; a site configured this way gets an A grade.
Now, let's finish by testing the renewal process.
Verifying Certbot Auto-Renewal
Let's Encrypt's certificates are only valid for ninety days. The Certbot package we installed takes care of this for us by adding a systemd timer that will run twice a day and automatically renew any certificate that's within thirty days of expiration.
You can query the status of the timer with systemctl:
$ sudo systemctl status certbot.timer
● certbot.timer - Run certbot twice daily
Loaded: loaded (/lib/systemd/system/certbot.timer; enabled; vendor preset: enabled)
Active: active (waiting) since Mon 2020-05-04 20:04:36 UTC; 2 weeks 1 days ago
Trigger: Thu 2020-05-21 05:22:32 UTC; 9h left
Triggers: ● certbot.service
To test the renewal process, you can do a dry run with certbot:
$ sudo certbot renew --dry-run
If you see no errors, you're all set. The Certbot package will automatically look up and renew your certificates and reload Nginx to apply the new settings. If any errors occur, a consolidated mail will be sent to the email address you registered.
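The renewal rule above (renew once a certificate is within thirty days of expiry) is easy to check by hand against the files in /etc/letsencrypt/live, which is useful when you want an independent monitor rather than trusting the timer alone. The script below is an added example written for this tutorial, not part of the original post or of Certbot; it parses the "notAfter=" line that openssl prints and works out the days remaining in plain shell arithmetic, so it needs no GNU-specific date parsing. The expiry line is a constructed sample (on a real host it comes from the openssl command shown in the comment), and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the original tutorial): decide whether a certificate
# is inside Certbot's renewal window, i.e. within thirty days of expiry, from
# the "notAfter=" line printed by openssl. On a real host obtain that line with:
#   openssl x509 -in /etc/letsencrypt/live/example.com/fullchain.pem -noout -enddate
# Here it is a constructed sample so the script runs offline.
SAMPLE_ENDDATE='notAfter=Aug 18 12:00:00 2020 GMT'

# Renewal threshold the tutorial describes for the certbot.timer job.
RENEW_WITHIN_DAYS=30

month_number() {
    case "$1" in
        Jan) echo 1 ;;  Feb) echo 2 ;;  Mar) echo 3 ;;  Apr) echo 4 ;;
        May) echo 5 ;;  Jun) echo 6 ;;  Jul) echo 7 ;;  Aug) echo 8 ;;
        Sep) echo 9 ;;  Oct) echo 10 ;; Nov) echo 11 ;; Dec) echo 12 ;;
        *) return 1 ;;
    esac
}

# days_from_civil YEAR MONTH DAY -> days since 1970-01-01 (proleptic Gregorian).
# Pure integer arithmetic, so it behaves the same under dash, bash and busybox sh.
days_from_civil() {
    y=$1; m=$2; d=$3
    [ "$m" -le 2 ] && y=$((y - 1))
    era=$((y / 400))
    yoe=$((y - era * 400))
    mp=$(((m + 9) % 12))
    doy=$(((153 * mp + 2) / 5 + d - 1))
    doe=$((yoe * 365 + yoe / 4 - yoe / 100 + doy))
    echo $((era * 146097 + doe - 719468))
}

# enddate_to_epoch 'notAfter=Mon DD HH:MM:SS YYYY GMT' -> Unix time of expiry.
enddate_to_epoch() {
    value=${1#notAfter=}
    set -- $value                    # word-splits into: Mon DD HH:MM:SS YYYY GMT
    mon=$(month_number "$1") || return 1
    day=$2; hms=$3; year=$4
    hh=${hms%%:*}; rest=${hms#*:}; mm=${rest%%:*}; ss=${rest#*:}
    days=$(days_from_civil "$year" "$mon" "$day")
    # Strip a leading zero so "08" is not read as an (invalid) octal literal.
    echo $((days * 86400 + ${hh#0} * 3600 + ${mm#0} * 60 + ${ss#0}))
}

# days_until_expiry NOW_EPOCH ENDDATE_LINE -> whole days remaining (negative if expired).
days_until_expiry() {
    end=$(enddate_to_epoch "$2") || return 1
    echo $(((end - $1) / 86400))
}

# renewal_due NOW_EPOCH ENDDATE_LINE -> exit 0 when certbot renew would act now.
renewal_due() {
    left=$(days_until_expiry "$1" "$2") || return 1
    [ "$left" -lt "$RENEW_WITHIN_DAYS" ]
}

now=$(date +%s)
if renewal_due "$now" "$SAMPLE_ENDDATE"; then
    echo "within ${RENEW_WITHIN_DAYS} days of expiry: certbot renew would act now"
else
    echo "$(days_until_expiry "$now" "$SAMPLE_ENDDATE") days left: nothing to do yet"
fi
```

Because the sample certificate expired in 2020, running the script today reports that renewal is due; feed it the openssl output for your own fullchain.pem to see the real number of days left, and alert if the value stays under thirty for more than a day or two, since that means the timer is not renewing.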
Conclusion
In this tutorial, we have installed Let's Encrypt's software Certbot to secure our Nginx server and serve our site over HTTPS on the internet.
If you have further questions or need any help, create a new topic in the Codebulbs Forum.