Let’s Encrypt is a Certificate Authority (CA), developed by the Internet Security Research Group, that provides free and easily obtainable SSL/TLS certificates. Such certificates are required to enable HTTPS on web servers.
Let’s Encrypt also provides a very convenient software client, called Certbot, that automates most of the process of obtaining and installing the certificate and is fully automated for Apache and Nginx.
In this tutorial we’ll be using Certbot to obtain and install a Let’s Encrypt free certificate for Nginx on Ubuntu 18.04.
For this tutorial you’ll need the following:
It’s recommended but not necessary to operate as a non-root sudo user. If you haven’t set that up, you can follow our tutorial on creating a sudo user on Ubuntu.
Also recommended but not necessary is to have UFW Firewall enabled. You can find how to set it up by following our tutorial on how to configure UFW on Ubuntu.
Nginx installed on your Ubuntu 18.04 server, with a server block for your domain. In this tutorial we use /etc/nginx/sites-available/dracula.host. If you don’t have this set up, you can follow our tutorial on how to install Nginx on Ubuntu 18.04, replacing our example domain there with your domain.
A fully registered domain name. In this tutorial we’ll use dracula.host as our example, and you’ll have to replace it with your own domain when running commands. You can buy domain names at good prices on Namecheap.com, get free domains at Freenom.com, or just use your favorite registrar.
Both of the following DNS records set up:
- An A record with your_domain.com pointing at your server’s public IP address
- An A record with www.your_domain.com pointing at your server’s public IP address
Step 1 — Install Certbot
Certbot development is very active and the Certbot versions found in the Ubuntu default repository tend to be slightly outdated, but the developers also maintain an Ubuntu software repository (PPA) with up-to-date versions, so we’ll use that repository instead.
First add it:
$ sudo add-apt-repository ppa:certbot/certbot
Press ENTER to accept and add it.
Now update your package index and install the Nginx plugin for Certbot:
$ sudo apt install python-certbot-nginx
Certbot is now ready to use, but before we configure SSL for Nginx, we need to check on Nginx’s current configuration.
Step 2 — Verify Nginx Configuration
Certbot will automatically configure SSL for you, and for that it needs to find the correct server block in your Nginx configuration. It does this by looking for the server_name directive that matches the domain you’re requesting the certificate for.
If you followed our previous tutorial on how to install Nginx, you should have your server block set up for your domain at /etc/nginx/sites-available/your_site.com with the server_name directive set.
We can check our server block by opening the server block file with our favorite text editor:
$ sudo nano /etc/nginx/sites-available/your_site.com
Here you should be able to see your current server_name directive, and it should look like this:
...
server_name your_site.com www.your_site.com;
...
If it does look like that, then everything is fine and you can exit the editor. If not, update it as in the example, replacing your_site.com with your domain.
To verify that the syntax in our server block is correct, run:
$ sudo nginx -t
If you get an error then please check for any typos and run the command again, or leave us a comment and we’ll try to assist as soon as possible.
If everything is OK then we can reload Nginx to load the new configuration:
$ sudo systemctl reload nginx
Now we should be all set and Certbot will be able to find the correct server block.
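Since Certbot finds the block by its server_name directive, it helps to confirm, before running it, that every domain you will pass with -d is actually listed there. The following script is an added example, not part of the tutorial; the sample server block it creates is constructed to mirror the one above, and the file name and domains are placeholders:

```shell
#!/usr/bin/env bash
# Added example, not from the tutorial: confirm that every domain you will pass
# to "certbot -d" is listed in a server_name directive of the server block file,
# which is how Certbot's Nginx plugin locates the block it will edit.
set -u

# Print every name from every server_name directive in a file, one per line,
# ignoring comments and the trailing semicolon.
server_names() {
    sed -e 's/#.*//' "$1" \
      | grep -E '^[[:space:]]*server_name[[:space:]]' \
      | sed -E 's/^[[:space:]]*server_name[[:space:]]+//; s/;[[:space:]]*$//' \
      | tr ' \t' '\n\n' | grep -v '^$'
}

# domains_covered <server block file> <domain>...
# Returns 0 when every domain is listed; otherwise prints the missing ones and returns 1.
domains_covered() {
    local file=$1 names missing=0 d
    shift
    names=$(server_names "$file")
    for d in "$@"; do
        if ! printf '%s\n' "$names" | grep -qxF -- "$d"; then
            echo "missing from server_name in $file: $d" >&2
            missing=1
        fi
    done
    return $missing
}

# Constructed sample of what /etc/nginx/sites-available/dracula.host might hold.
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
server {
    listen 80;
    listen [::]:80;
    root /var/www/dracula.host/html;
    index index.html;
    server_name dracula.host www.dracula.host;  # both names we will request
    location / { try_files $uri $uri/ =404; }
}
EOF

# Both requested names are present, so Certbot can find this block.
domains_covered "$SAMPLE" dracula.host www.dracula.host && echo "server block OK"
# A name that is not in the block is reported before you waste a certbot run.
domains_covered "$SAMPLE" dracula.host mail.dracula.host || echo "fix server_name first"
```

Point it at your real file with domains_covered /etc/nginx/sites-available/your_site.com your_site.com www.your_site.com, then run sudo nginx -t as above.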
Step 3 — Allow HTTPS through UFW Firewall
If you’ve followed our prerequisites and have UFW firewall enabled, then we’ll have to change the settings to allow HTTPS traffic.
If you’ve followed the UFW tutorial, then you may remember that applications create Application Profiles for UFW, when they’re installed, and Nginx registers a few application profiles that will make our job easier.
You can check the current UFW settings by running:
$ sudo ufw status
The output may look something like this:
Status: active

To                         Action      From
--                         ------      ----
OpenSSH                    ALLOW       Anywhere
Nginx HTTP                 ALLOW       Anywhere
OpenSSH (v6)               ALLOW       Anywhere (v6)
Nginx HTTP (v6)            ALLOW       Anywhere (v6)
From the looks of it, only HTTP (port 80) traffic is allowed to the web server on IPv4 and IPv6, but we need both HTTP and HTTPS (port 80 and port 443).
To allow HTTPS traffic, we’ll allow the Nginx Full profile, which is an easier way of allowing traffic on port 80 and port 443, and delete the Nginx HTTP profile since leaving it would be redundant.
To do this run the following commands:
$ sudo ufw allow 'Nginx Full'
$ sudo ufw delete allow 'Nginx HTTP'
To make sure, let’s check ufw status again:
$ sudo ufw status
The output would look something like this:
Status: active

To                         Action      From
--                         ------      ----
OpenSSH                    ALLOW       Anywhere
Nginx Full                 ALLOW       Anywhere
OpenSSH (v6)               ALLOW       Anywhere (v6)
Nginx Full (v6)            ALLOW       Anywhere (v6)
Step 4 — Obtain Free SSL Certificates
There are a good number of ways you can obtain SSL certificates using Certbot, by using plugins. The Nginx plugin also takes care of reconfiguring and reloading Nginx whenever necessary. To use the plugin, run the following command:
$ sudo certbot --nginx -d your_site.com -d www.your_site.com
The command we just used runs certbot with the --nginx plugin. We used -d to specify the domains for which we’re requesting the certificate.
If this is the first time you’re running certbot on this machine, you’ll be prompted to enter your email address, to accept the Licensing Terms and, after that, to say whether you’d like to share your email to receive news from the Electronic Frontier Foundation, an organization that works towards digital freedom (in short, they’re trustworthy, don’t spam, and are fighting the good fight, in our opinion).
You only need to accept the Licensing Terms to proceed.
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server at
https://acme-v02.api.letsencrypt.org/directory
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(A)gree/(C)ancel: A
You are not required to share your email, but can do so if you’d like to receive emails regarding their work encrypting the web, EFF news, campaigns, and ways to support digital freedom.
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about our work
encrypting the web, EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y
Next, you’ll be prompted to answer whether you want to redirect all HTTP traffic to HTTPS. This is an important step! We’ll choose option 2, so everyone visiting, for example, http://dracula.host will actually be redirected to https://dracula.host.
Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
After that, the Let’s Encrypt Client should install your certificate and configure your website to redirect all traffic to HTTPS.
Congratulations! You have successfully enabled https://dracula.host and
https://www.dracula.host

You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=dracula.host
https://www.ssllabs.com/ssltest/analyze.html?d=www.dracula.host
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/dracula.host/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/dracula.host/privkey.pem
   Your cert will expire on 2019-01-21. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot again
   with the "certonly" option. To non-interactively renew *all* of
   your certificates, run "certbot renew"
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le
The certificates are now applied to your website. Go ahead and visit your website: you should notice that you get redirected to https://your_site.com and that the browser indicates your site is secure.
You can also test your server using the SSL Labs Test. You should get an A at minimum.
There’s one more thing we need to do and you’ll be all set up.
Step 5 — Checking SSL Certificate Auto-Renewal
Everything is all set up, but we want to make sure of one more thing.
Let’s Encrypt certificates expire after 90 days. Normally we’d have to either renew manually or set up an auto-renewal cron job, but certbot took care of this for us by adding a renew script in /etc/cron.d. This script runs twice a day and renews any certificate that’s within 30 days of expiring.
We’ll just want to make sure the renewal process goes smoothly. For this we can do a test on it by doing a dry run:
$ sudo certbot renew --dry-run
If you don’t get any errors, then everything is set up correctly. When Certbot renews your certificates, it will also reload Nginx to apply the changes.
If the renewal process fails, then you’ll be notified via the email you provided at the beginning of the process.
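The renewal email is the only signal you get when the cron job fails, so it is worth watching the certificate’s remaining lifetime yourself. The script below is an added example, not part of the tutorial: it reproduces the “within 30 days of expiring” decision that certbot renew makes, and the report function reads the live certificate from Certbot’s default /etc/letsencrypt/live/<domain>/cert.pem using openssl and GNU date (an assumption; both ship with Ubuntu). The timestamps in the demonstration at the end are constructed.

```shell
#!/usr/bin/env bash
# Added example, not from the tutorial: reproduce the "within 30 days of expiring"
# check that the cron job's "certbot renew" applies, so your own monitoring can
# warn when a renewal is due or has been missed.
set -u

RENEW_WINDOW_DAYS=30   # certbot renews once this little lifetime remains
CERT_LIFETIME_DAYS=90  # Let's Encrypt certificate lifetime

# days_left <expiry epoch> <now epoch>: whole days until expiry (negative if expired)
days_left() {
    echo $(( ($1 - $2) / 86400 ))
}

# needs_renewal <expiry epoch> <now epoch>: succeeds when inside the renewal window
needs_renewal() {
    [ "$(days_left "$1" "$2")" -le "$RENEW_WINDOW_DAYS" ]
}

# cert_not_after <cert.pem>: expiry as a Unix timestamp. Assumes openssl and GNU
# date (both present on Ubuntu); openssl prints e.g. "notAfter=Jan 21 12:00:00 2019 GMT".
cert_not_after() {
    local raw
    raw=$(openssl x509 -in "$1" -noout -enddate) || return 2
    date -u -d "${raw#notAfter=}" +%s
}

# report <domain>: check the live certificate Certbot keeps for that domain.
# Assumes the default layout /etc/letsencrypt/live/<domain>/cert.pem.
report() {
    local domain=$1 now expiry left
    now=$(date -u +%s)
    expiry=$(cert_not_after "/etc/letsencrypt/live/$domain/cert.pem") || return 2
    left=$(days_left "$expiry" "$now")
    if needs_renewal "$expiry" "$now"; then
        echo "$domain: $left days left, inside the $RENEW_WINDOW_DAYS-day window (cron should renew; or run sudo certbot renew)"
        return 1
    fi
    echo "$domain: $left days left, renewal not due yet"
}

# Constructed demonstration with fixed timestamps (no files or network needed):
# a certificate issued now has 90 days left; one issued 65 days ago has 25 and is due.
NOW=1540000000
FRESH=$(( NOW + CERT_LIFETIME_DAYS * 86400 ))
OLD=$(( NOW + (CERT_LIFETIME_DAYS - 65) * 86400 ))
needs_renewal "$FRESH" "$NOW" || echo "fresh cert: $(days_left "$FRESH" "$NOW") days left, not due"
needs_renewal "$OLD" "$NOW" && echo "65-day-old cert: $(days_left "$OLD" "$NOW") days left, renewal due"
```

On the server, sudo is needed to read the live certificate, so run it as sudo bash with report dracula.host; a non-zero exit from report is what a monitoring check should alert on.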
To recap, you’ve successfully installed the Let’s Encrypt client, Certbot, downloaded the FREE SSL Certificates for your domain, configured Nginx to use them and set up automatic certificate renewal. Well done.
If you have any questions, then you can either check the official Certbot documentation, or feel free to get in touch with us and we’ll try to help ASAP.
If you’re in the market for a great deal on Linux VPS, then do check out our Linux KVM plans. They start at 2GB RAM + 10GB SSD, for only $5.99/mo.