Let’s Encrypt is a Certificate Authority (CA), developed by the Internet Security Research Group, that provides free and easily obtainable SSL/TLS certificates. Such certificates are required to enable HTTPS on web servers.

Let’s Encrypt also provides a very convenient software client, called Certbot, that automates most of the process of obtaining and installing the certificate. For Apache and Nginx the process is fully automated.

In this tutorial we’ll be using Certbot to obtain and install a Let’s Encrypt free certificate for Nginx on Ubuntu 18.04.

Prerequisites

For this tutorial you’ll need the following:

  • It’s recommended but not necessary to operate as a non-root sudo user. If you haven’t set that up, you can follow our tutorial on creating a sudo user on Ubuntu.

  • Also recommended but not necessary is to have UFW Firewall enabled. You can find how to set it up by following our tutorial on how to configure UFW on Ubuntu.

  • Nginx installed on your Ubuntu 18.04 server, with a server block for your domain. In this tutorial we use /etc/nginx/sites-available/dracula.host. If you don’t have this set up, you can follow our tutorial on how to install Nginx on Ubuntu 18.04 and replace our example domain there with your domain.

  • A fully registered domain name. In this tutorial we’ll use dracula.host as our example, and you’ll have to replace it with your own domain when running commands. You can buy domain names at good prices on Namecheap.com or free domains at Freenom.com, or just use your favorite registrar.

  • Both of the following DNS records set up:

    • An A record with your_domain.com pointing at your server’s public IP address
    • An A record with www.your_domain.com pointing at your server’s public IP address

Step 1 — Install Certbot

Certbot development is very active, and the Certbot versions found in the default Ubuntu repository tend to be slightly outdated. The developers also maintain an Ubuntu software repository with up-to-date versions, so we’ll use that repository instead.

First add it:

Press ENTER to accept and add it.

Now update your package index and install the Nginx plugin for Certbot:

Certbot is now ready to use, but before we configure SSL for Nginx, we need to check on Nginx’s current configuration.

Step 2 — Verify Nginx Configuration

Certbot will automatically configure SSL for you, and for that it needs to find the correct server block in your Nginx configuration. It does this by looking for a server_name directive that matches the domain you’re requesting the certificate for.

If you followed our previous tutorial on how to install Nginx, you should have your server block set up for your domain at /etc/nginx/sites-available/your_site.com with the server_name directive set.

We can check our server block by opening the server block file with our favorite text editor:

Here you should be able to see your current server_name directive, and it should look like this:

If it does look like that, then everything is fine and you can exit the editor. If not, update it as in the example, replacing your_site.com with your domain.

To verify that the syntax is correct in our server block, run:

If you get an error then please check for any typos and run the command again, or leave us a comment and we’ll try to assist as soon as possible.

If everything is OK then we can reload Nginx to load the new configuration:

Now we should be all set and Certbot will be able to find the correct server block.
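As an added example (not part of the original tutorial and not Certbot's own matching code), the POSIX shell functions below list the names found in a server block's server_name directives and report any requested domain that is missing. The function names and the sample server block are constructed for illustration; matching is literal, so wildcard and regex names and include files are not followed.

```shell
#!/bin/sh
# Added example: pre-flight check for Step 2 (illustrative, hypothetical helper names).

# Print every name listed in server_name directives of an Nginx config file,
# one per line. Comments are stripped and directives may span several lines.
server_names() {
    sed 's/#.*//' "$1" | tr '\n' ' ' | tr ';{}' '\n\n\n' |
        awk '$1 == "server_name" { for (i = 2; i <= NF; i++) print $i }'
}

# check_domains CONF DOMAIN...
# Returns 0 only if every DOMAIN appears literally in a server_name directive.
# Each domain that is not found is printed as "missing: <domain>".
check_domains() {
    conf=$1
    shift
    names=$(server_names "$conf")
    rc=0
    for d in "$@"; do
        if ! printf '%s\n' "$names" | grep -qxF "$d"; then
            echo "missing: $d"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample server block using the tutorial's example domain.
sample_conf() {
    cat <<'EOF'
server {
    listen 80;
    listen [::]:80;
    root /var/www/dracula.host/html;
    # server_name old.example;
    server_name dracula.host
                www.dracula.host;
}
EOF
}
```

Run check_domains against your own file in /etc/nginx/sites-available with the same domains you plan to pass to certbot with -d.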

Step 3 — Allow HTTPS through UFW Firewall

If you’ve followed our prerequisites and have UFW firewall enabled, then we’ll have to change the settings to allow HTTPS traffic.

If you’ve followed the UFW tutorial, you may remember that applications register Application Profiles with UFW when they’re installed. Nginx registers a few application profiles that will make our job easier.

You can check the current UFW settings by running:

The output may look something like this.

From the looks of it, only HTTP (port 80) traffic is allowed to the web server on IPv4 and IPv6, but we need both HTTP and HTTPS (port 80 and port 443).

To allow HTTPS traffic, we’ll allow the Nginx Full profile, which is an easier way of allowing traffic on port 80 and port 443, and delete the Nginx HTTP profile since leaving it would be redundant.

To do this run the following commands:

To make sure, let’s check ufw status again:

The output would look something like this:

Step 4 — Obtain Free SSL Certificates

Certbot can obtain SSL certificates in a number of ways, through plugins. The Nginx plugin also takes care of reconfiguring and reloading Nginx whenever necessary. To use the plugin, run the following command:

The command we just used runs certbot with the --nginx plugin. We used -d to specify the domains for which we’re requesting the certificate.

If this is the first time you’re running certbot on this machine, you’ll be prompted to enter your email address and to accept the Licensing Terms. After that, you’ll be asked whether you would like to share your email to receive news from the Electronic Frontier Foundation, an organization that works towards digital freedom (in short, they’re trustworthy, don’t spam, and are fighting the good fight, in our opinion).

You only need to accept the Licensing Terms to proceed (A).

You are not required to share your email, but can do so if you’d like to receive emails regarding their work encrypting the web, EFF news, campaigns, and ways to support digital freedom.

Next, you’ll be prompted to answer whether you want to redirect all HTTP traffic to HTTPS. This is an important step!

Choose option 2, so everyone visiting, for example, http://dracula.host will be redirected to https://dracula.host

After that, the Let’s Encrypt Client should install your certificate and configure your website to redirect all traffic to HTTPS.

The certificates are now applied to your website. Go ahead and visit your website; you should be redirected to https://your_site.com and the browser should indicate that your site is secure.

You can also test your server using the SSL Labs Test. You should get an A at minimum.

There’s one more thing we need to do and you’ll be all set up.

Step 5 — Checking SSL Certificate Auto-Renewal

Everything is all set up, but we want to make sure of one more thing.

Let’s Encrypt certificates expire in 90 days. Normally we’d have to either renew manually or set up an auto-renewal cron job, but certbot took care of this for us by adding the renew script in /etc/cron.d. This script runs twice a day and renews any certificate that’s within 30 days of expiring.

We’ll just want to make sure the renewal process goes smoothly. For this we can do a test on it by doing a dry run:

If you don’t get any errors, then everything is set up correctly. When Certbot renews your certificates, it will also reload Nginx to apply the changes.

If the renewal process fails, then you’ll be notified via the email you provided at the beginning of the process.
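To confirm independently that renewal is keeping up, the added example below (not part of the original tutorial) uses the openssl command-line tool to report whether a certificate file is inside the 30-day renewal window described above. The function names are hypothetical, and the sample certificate is a throwaway self-signed one generated only for testing.

```shell
#!/bin/sh
# Added example: is a certificate inside the renewal window?

# renewal_due CERT [DAYS]   (DAYS defaults to 30, the window named in the tutorial)
#   returns 0 -> certificate expires within DAYS, so a renewal is expected
#   returns 1 -> certificate is valid for longer than DAYS
#   returns 2 -> file is missing or is not a parseable certificate
renewal_due() {
    cert=$1
    days=${2:-30}
    # Fail closed on unreadable input instead of reporting "not due".
    openssl x509 -noout -in "$cert" >/dev/null 2>&1 || return 2
    # -checkend exits 0 when the certificate is still valid after N seconds.
    if openssl x509 -noout -checkend $((days * 86400)) -in "$cert" >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# make_sample_cert PATH DAYS
# Constructed test input: self-signed certificate valid for DAYS days.
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days "$2" \
        -subj "/CN=dracula.host" -keyout "$1.key" -out "$1" >/dev/null 2>&1
}
```

On a server set up as in this tutorial, point renewal_due at the certificate file Nginx serves; a result of 0 that persists for more than a day or two means the scheduled renewal is not succeeding.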

Conclusion

To recap, you’ve successfully installed the Let’s Encrypt client, Certbot, downloaded the FREE SSL Certificates for your domain, configured Nginx to use them and set up automatic certificate renewal. Well done.

If you have any questions, you can either check the official Certbot documentation or get in touch with us, and we’ll try to help ASAP.


Vlad

Tech Support
