
Install Let's Encrypt with Nginx on Ubuntu 20.04

Written by Lovekesh Kumar
5 min read


Following current web security standards, Google has made clear that websites are expected to use HTTPS, and browsers now treat HTTPS-encrypted sites as the default. That should make the importance of HTTPS on a website clear.

In this tutorial, you will use Let's Encrypt Certbot to obtain a free SSL certificate for Nginx on Ubuntu 20.04 and set up your certificate to renew automatically.

Let's Encrypt is a free, automated, and open certificate authority brought to you by the nonprofit Internet Security Research Group (ISRG) that provides an easy way to obtain and install free TLS/SSL certificates, thereby enabling encrypted HTTPS on web servers.

Certificates are usually obtained with a software client called Certbot, which automates the whole process of obtaining and installing a certificate on your web server.

Prerequisites

Before starting make sure you have:

  • A sudo-enabled non-root user and a firewall (ufw).
  • A registered domain name.
  • Both of the following DNS records set up for your server:
    1. An A record with example.com pointing to your server’s public IP address.
    2. An A record with www.example.com pointing to your server’s public IP address.
  • Nginx installed on your server.
  • A server block for your domain, i.e. a server block file for the domain name inside Nginx's sites-available directory.
How do I find the server block for my domain?
The server block for your domain lives in /etc/nginx/sites-available/example.com

Installing Certbot

In order to get a Let's Encrypt SSL certificate, we first need to install the Certbot software on the server.

Install Certbot and its Nginx plugin with apt:

$ sudo apt install certbot python3-certbot-nginx

We have successfully installed the Certbot software and its Nginx plugin. Now let's verify some of the Nginx configurations.

Validate Nginx Configuration

Certbot needs to find the correct server block in your Nginx configuration to be able to configure SSL automatically. Specifically, it does this by looking for a server_name directive that matches the domain you request a certificate for.

To check, open the configuration file for your domain using nano or your favorite text editor:

$ sudo nano /etc/nginx/sites-available/example.com

Find the existing server_name line. It should look like this:

...
server_name example.com www.example.com;
...

If it does, exit your editor and move on to the next step.

If it doesn’t, update it to match. Then save the file, quit your editor, and verify the syntax of your configuration edits by running the command:

$ sudo nginx -t

If you get an error, reopen the server block file and check for any typos or missing characters. Once your configuration file’s syntax is correct, reload Nginx to load the new configuration:

$ sudo systemctl reload nginx

Certbot can now find the correct server block and update it automatically.
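Because the Nginx plugin picks the server block to edit by matching server_name, it is worth checking that every domain you will pass with -d is actually listed before running Certbot. The following POSIX sh helper is an added example, not code from the original post or from Certbot; it assumes only sh and sed, and the server block it inspects is a constructed sample that mimics /etc/nginx/sites-available/example.com.

```shell
# Write a constructed sample server block (modelled on
# /etc/nginx/sites-available/example.com) to the path given as $1.
sample_config() {
  cat > "$1" <<'EOF'
server {
    listen 80;
    # server_name old.example.com;   <- commented out, must be ignored
    server_name example.com   www.example.com;
    root /var/www/example.com/html;
}
EOF
}

# Usage: check_server_names CONFIG DOMAIN...
# Returns 0 if every DOMAIN is listed in a server_name directive of CONFIG,
# otherwise prints the missing ones and returns 1.
check_server_names() {
  conf="$1"; shift
  # Strip comments first, then keep only the names between "server_name" and ";".
  names=$(sed -n 's/#.*//; s/^[[:space:]]*server_name[[:space:]]*\(.*\);.*$/\1/p' "$conf")
  missing=""
  for d in "$@"; do
    found=0
    for n in $names; do          # unquoted: word-splitting separates the names
      if [ "$n" = "$d" ]; then found=1; fi
    done
    if [ "$found" -ne 1 ]; then missing="$missing $d"; fi
  done
  if [ -n "$missing" ]; then
    echo "not covered by server_name:$missing"
    return 1
  fi
  echo "all domains covered: $*"
  return 0
}

# Demonstration on the constructed config: the first call passes, the second
# reports blog.example.com because only example.com and www.example.com are listed.
tmp=$(mktemp)
sample_config "$tmp"
check_server_names "$tmp" example.com www.example.com
check_server_names "$tmp" example.com blog.example.com || true
rm -f "$tmp"
```

Run it against your real file as check_server_names /etc/nginx/sites-available/example.com example.com www.example.com; a non-zero exit means Certbot would not find a matching block for one of the names.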

Next, let’s update the firewall to allow HTTPS traffic.

Allowing HTTPS Through the Firewall

Now you’ll need to adjust the firewall settings to allow HTTPS traffic.

To additionally let in HTTPS traffic, allow the Nginx Full profile and delete the now-redundant Nginx HTTP profile allowance:

$ sudo ufw allow 'Nginx Full'
$ sudo ufw delete allow 'Nginx HTTP'

Your status should now look like this:

$ sudo ufw status
Status: active

To                         Action      From
--                         ------      ----
OpenSSH                    ALLOW       Anywhere
Nginx Full                 ALLOW       Anywhere
OpenSSH (v6)               ALLOW       Anywhere (v6)
Nginx Full (v6)            ALLOW       Anywhere (v6)

Obtaining an SSL Certificate

Certbot provides a variety of ways to obtain SSL certificates through plugins. The Nginx plugin will take care of reconfiguring Nginx and reloading the config whenever necessary. To use this plugin, type the following:

$ sudo certbot --nginx -d example.com -d www.example.com

This runs Certbot with the --nginx plugin and configures SSL for the domain names specified with -d.

If this is your first time running certbot, you will be prompted to enter an email address and agree to the terms of service.

Certbot will then communicate with the Let's Encrypt server and run a challenge to verify that you control the domain names you have provided.

If that’s successful, certbot will ask how you’d like to configure your HTTPS settings.

Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel):

Choose an option according to your needs and hit ENTER. After that, the configuration will be updated and Nginx will be reloaded to pick up the new settings. Certbot will show an output message like this:

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/example.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/example.com/privkey.pem
   Your cert will expire on 2020-08-18. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot again
   with the "certonly" option. To non-interactively renew *all* of
   your certificates, run "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

Congrats! Your certificate has been downloaded, installed, and loaded. Now, try reloading your website with https:// in order to see the results.

You can test your server with the SSL Labs Server Test; with this configuration it should get an A grade.

Now, let’s finish by testing the renewal process.

Verifying Certbot Auto-Renewal

Let’s Encrypt’s certificates are only valid for ninety days. The Certbot package we installed takes care of this for us by adding a systemd timer that will run twice a day and automatically renew any certificate that’s within thirty days of expiration.

You can query the status of the timer with systemctl:

$ sudo systemctl status certbot.timer
● certbot.timer - Run certbot twice daily
     Loaded: loaded (/lib/systemd/system/certbot.timer; enabled; vendor preset: enabled)
     Active: active (waiting) since Mon 2020-05-04 20:04:36 UTC; 2 weeks 1 days ago
    Trigger: Thu 2020-05-21 05:22:32 UTC; 9h left
   Triggers: ● certbot.service

To test the renewal process, you can do a dry run with certbot:

$ sudo certbot renew --dry-run

If you see no errors, you’re all set. The Certbot package will automatically look up and renew your certificates and reload Nginx to apply the new settings. If any errors occur during renewal, a consolidated email will be sent to the email address you registered.

Conclusion

In this tutorial, we installed Let's Encrypt's Certbot client to secure our Nginx server and serve it over HTTPS on the internet.
If you have further questions or need any help, create a new topic in the Codebulbs Forum.
