Secure Nginx on Ubuntu 18.04 w/ Let’s Encrypt Free SSL/TLS Certificates

Let’s Encrypt is a free, automated Certificate Authority (CA) run by the Internet Security Research Group (ISRG). It issues domain-validated SSL/TLS certificates, which are what a web server needs in order to serve HTTPS.

The Electronic Frontier Foundation, a founding partner of Let’s Encrypt, maintains a client called Certbot that automates obtaining and installing the certificate, and for Apache and Nginx it can also write the web server configuration for you.

In this tutorial we’ll use Certbot to obtain and install a free Let’s Encrypt certificate for Nginx on Ubuntu 18.04.

Prerequisites

For this tutorial you’ll need the following:

  • It’s recommended, though not required, to work as a non-root user with sudo privileges. If you haven’t set that up, follow our tutorial on creating a sudo user on Ubuntu.
  • Also recommended but not required is having the UFW firewall enabled. You can set it up by following our tutorial on how to configure UFW on Ubuntu.
  • Nginx installed on Ubuntu 18.04, with a server block for your domain. In this tutorial we use /etc/nginx/sites-available/dracula.host. If you don’t have this set up, follow our tutorial on how to install Nginx on Ubuntu 18.04, replacing the example domain there with your own.
  • A registered domain name. We’ll use dracula.host as our example; replace it with your own domain when running the commands. You can buy domains at Namecheap.com, get free ones at Freenom.com, or use your favourite registrar.
  • Both of the following DNS records, already propagated, since Let’s Encrypt validates ownership by connecting to each name over HTTP:
    • An A record for your_domain.com pointing at your server’s public IP address
    • An A record for www.your_domain.com pointing at your server’s public IP address

Step 1 — Install Certbot

Certbot development is very active and the Certbot versions in the default Ubuntu repository tend to be outdated. At the time of writing the developers also maintained an Ubuntu PPA with up-to-date versions, so we’ll use that repository instead. (The Certbot project has since retired this PPA in favour of snap packages; if add-apt-repository rejects it, follow the current official install instructions for your release.)

First add it:

$ sudo add-apt-repository ppa:certbot/certbot

Press ENTER to accept and add it.

Now update your package index and install the Nginx plugin for Certbot, which pulls in Certbot itself:

$ sudo apt update
$ sudo apt install python-certbot-nginx

Certbot is now ready to use, but before we configure SSL for Nginx, we need to check on Nginx’s current configuration.

Step 2 — Verify Nginx Configuration

Certbot will configure TLS for you automatically, and for that it needs to find the correct server block in your Nginx configuration. It does this by looking for a server_name directive that lists the domain you’re requesting the certificate for, so the match has to be exact: a block whose server_name only contains dracula.host will not be picked for www.dracula.host.

If you followed our previous tutorial on how to install Nginx, you should have a server block for your domain at /etc/nginx/sites-available/your_site.com with the server_name directive set.

We can check the server block by opening the file in our favourite text editor:

$ sudo nano /etc/nginx/sites-available/your_site.com

You should be able to find your current server_name directive, and it should look like this (note the terminating semicolon; without it nginx -t fails):

...
server_name your_site.com www.your_site.com;
...

If it looks like that, everything is fine and you can exit the editor. If not, update it as in the example, replacing your_site.com with your domain.

To verify that the syntax in our server block is correct, run:

$ sudo nginx -t

If you get an error then please check for any typos and run the command again, or leave us a comment and we’ll try to assist as soon as possible.

If everything is OK then we can reload Nginx to load the new configuration:

$ sudo systemctl reload nginx

Now we should be all set and Certbot will be able to find the correct server block.
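Certbot’s matching rule is easy to reproduce offline, so you can confirm which file it will edit for each name before you run it. The following POSIX shell script is an added example, not code from this tutorial or from Certbot: it compares the requested name against every token of each server_name directive, exactly as described above. It takes the configuration directory as an argument (the real one is /etc/nginx/sites-enabled) and builds a constructed sample directory to run against.

```shell
#!/bin/sh
# Added example (not from the tutorial or Certbot): find the server block
# Certbot will pick for a domain.  Certbot matches the requested name
# against the tokens of each server_name directive, so a block whose
# server_name lacks the "www." name, or carries a typo, is silently not
# the one it edits.
find_server_block() {
  domain="$1"
  confdir="$2"
  for f in "$confdir"/*; do
    [ -f "$f" ] || continue
    # Strip comments, then compare every server_name token exactly
    # (so "dracula.host" does not match "notdracula.host").
    if sed 's/#.*//' "$f" | awk -v d="$domain" '
        $1 == "server_name" {
          for (i = 2; i <= NF; i++) { sub(/;$/, "", $i); if ($i == d) found = 1 }
        }
        END { exit (found ? 0 : 1) }'; then
      printf '%s\n' "$f"
      return 0
    fi
  done
  return 1
}

# Check a domain and its www. alias together, the two names the tutorial
# requests with -d.  Fails on the first name without a server block.
check_domain_pair() {
  for name in "$1" "www.$1"; do
    if f=$(find_server_block "$name" "$2"); then
      echo "$name -> $f"
    else
      echo "$name -> NO server block found (Certbot will not configure it)"
      return 1
    fi
  done
}

# Constructed sample directory standing in for /etc/nginx/sites-enabled;
# the contents are illustrative only.
DEMO_DIR=$(mktemp -d)
cat > "$DEMO_DIR/dracula.host" <<'EOF'
server {
    listen 80;
    listen [::]:80;
    server_name dracula.host www.dracula.host;   # both names Certbot is asked for
    root /var/www/dracula.host/html;
}
EOF
cat > "$DEMO_DIR/default" <<'EOF'
server {
    listen 80 default_server;
    server_name _;
}
EOF

check_domain_pair dracula.host "$DEMO_DIR"
```

Run it against /etc/nginx/sites-enabled rather than sites-available: only enabled files are part of the configuration Certbot parses, and a server block that exists but is not symlinked into sites-enabled is a common reason for Certbot to report that it cannot find a matching block.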

Step 3 — Allow HTTPS through UFW Firewall

If you followed our prerequisites and have the UFW firewall enabled, we’ll need to change its rules to allow HTTPS traffic.

If you followed the UFW tutorial, you may remember that packages can register application profiles with UFW when they are installed. Nginx registers three (Nginx HTTP, Nginx HTTPS and Nginx Full), which makes our job easier.

You can check the current UFW settings by running:

$ sudo ufw status

The output may look something like this:

Output
Status: active

To                         Action      From
--                         ------      ----
OpenSSH                    ALLOW       Anywhere                  
Nginx HTTP                 ALLOW       Anywhere                  
OpenSSH (v6)               ALLOW       Anywhere (v6)             
Nginx HTTP (v6)            ALLOW       Anywhere (v6)

From the looks of it, only HTTP (port 80) traffic is allowed to the web server on IPv4 and IPv6, but we need both HTTP and HTTPS (port 80 and port 443).

To allow HTTPS traffic, we’ll allow the Nginx Full profile, which is an easier way of allowing traffic on port 80 and port 443, and delete the Nginx HTTP profile since leaving it would be redundant.

To do this run the following commands:

$ sudo ufw allow 'Nginx Full'
$ sudo ufw delete allow 'Nginx HTTP'

To make sure, let’s check ufw status again:

$ sudo ufw status

The output would look something like this:

Status: active

To                         Action      From
--                         ------      ----
OpenSSH                    ALLOW       Anywhere
Nginx Full                 ALLOW       Anywhere
OpenSSH (v6)               ALLOW       Anywhere (v6)
Nginx Full (v6)            ALLOW       Anywhere (v6)

Step 4 — Obtain Free SSL Certificates

Certbot can obtain certificates in several ways, through plugins. The Nginx plugin obtains the certificate and also takes care of reconfiguring and reloading Nginx whenever necessary. Because Let’s Encrypt validates the request by connecting to your domain on port 80, both names must resolve to this server and HTTP must be reachable before you run it. To use the plugin, run:

$ sudo certbot --nginx -d your_site.com -d www.your_site.com

This runs Certbot with the --nginx plugin, and -d specifies each domain the certificate should cover; the first name given becomes the directory name Certbot uses under /etc/letsencrypt/live/. If you intend to script this later, the prompts below can be answered up front with --non-interactive, --agree-tos, -m your@email, --no-eff-email and --redirect, and --staging lets you rehearse against Let’s Encrypt’s staging environment without consuming production issuance rate limits.

If this is the first time you’re running Certbot on this machine, you’ll be prompted for an email address (used for urgent renewal and security notices), asked to accept the Terms of Service, and then asked whether you’d like to share your email with the Electronic Frontier Foundation, the non-profit that develops Certbot. (In short: they’re trustworthy, don’t spam, and are fighting the good fight, in our opinion.)

You only need to accept the Terms of Service to proceed, by answering A:

Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server at
https://acme-v02.api.letsencrypt.org/directory
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(A)gree/(C)ancel: A

You are not required to share your email, but can do so if you’d like to receive emails regarding their work encrypting the web, EFF news, campaigns, and ways to support digital freedom.

Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about our work
encrypting the web, EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y

Next, you’ll be asked whether you want to redirect all HTTP traffic to HTTPS. This is an important step!

Choose option 2, so that everyone visiting, for example, http://dracula.host is redirected to https://dracula.host instead of being served the site over plain HTTP.

Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for new sites, or if you're confident your site works on HTTPS. You can undo this change by editing your web server's configuration.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2

After that, Certbot installs your certificate and rewrites your server blocks so that all traffic is redirected to HTTPS:

Congratulations! You have successfully enabled https://dracula.host and
https://www.dracula.host

You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=dracula.host
https://www.ssllabs.com/ssltest/analyze.html?d=www.dracula.host
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/dracula.host/fullchain.pem                             
   Your key file has been saved at:                                             
   /etc/letsencrypt/live/dracula.host/privkey.pem                               
   Your cert will expire on 2019-01-21. To obtain a new or tweaked              
   version of this certificate in the future, simply run certbot again          
   with the "certonly" option. To non-interactively renew *all* of              
   your certificates, run "certbot renew"                                       
 - Your account credentials have been saved in your Certbot                     
   configuration directory at /etc/letsencrypt. You should make a               
   secure backup of this folder now. This configuration directory will          
   also contain certificates and private keys obtained by Certbot so            
   making regular backups of this folder is ideal.                              
 - If you like Certbot, please consider supporting our work by:                 

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate           
   Donating to EFF:                    https://eff.org/donate-le

The certificate is now in use. Visit your website: you should be redirected to https://your_site.com and the browser should show the connection as secure.

You can also test your server with the SSL Labs test linked in the output above. You should get an A at minimum; anything lower usually points at legacy protocol or cipher settings in the Nginx TLS configuration.
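The settings that most often drag an SSL Labs grade down are the same few every time: TLS 1.0/1.1 still enabled, a leaf-only certificate file instead of the full chain, no HSTS header, and an HTTP block that still serves the site instead of redirecting. The POSIX shell audit below is an added example, not part of the tutorial or of Certbot: it greps a configuration file for those four things (stripping comments first, so commented-out lines don’t trigger it) and runs against two constructed configs, a weak one and a hardened one. The file paths, the domain and both sample configs are illustrative; Certbot’s own output puts the TLS directives in an included options-ssl-nginx.conf, so point the audit at that file too when checking a real server.

```shell
#!/bin/sh
# Added example, not part of the tutorial or of Certbot: audit an Nginx
# configuration file for the TLS settings that most often cost an SSL Labs
# grade.  Comments are stripped before matching so commented-out lines do
# not trigger false positives.  Paths, names and both sample configs are
# constructed for illustration.
audit_tls_block() {
  conf=$(sed 's/#.*//' "$1")
  problems=0
  # TLS 1.0 / 1.1 enabled: "TLSv1" or "TLSv1.1" followed by a space or ';'
  # (TLSv1.2 / TLSv1.3 do not match because a '.' follows the '1').
  if printf '%s\n' "$conf" | grep -Eq 'ssl_protocols[^;]*TLSv1(\.1)?[[:space:];]'; then
    echo "WEAK: ssl_protocols still enables TLSv1.0/1.1"; problems=$((problems + 1))
  fi
  # A leaf-only cert.pem leaves some clients unable to build the chain;
  # Certbot writes fullchain.pem for exactly this reason.
  if printf '%s\n' "$conf" | grep -Eq 'ssl_certificate[[:space:]]+[^;]*/cert\.pem'; then
    echo "WEAK: ssl_certificate points at cert.pem; use fullchain.pem"; problems=$((problems + 1))
  fi
  if ! printf '%s\n' "$conf" | grep -q 'Strict-Transport-Security'; then
    echo "MISSING: Strict-Transport-Security header"; problems=$((problems + 1))
  fi
  if ! printf '%s\n' "$conf" | grep -Eq 'return[[:space:]]+301[[:space:]]+https://'; then
    echo "MISSING: HTTP to HTTPS redirect"; problems=$((problems + 1))
  fi
  return "$problems"   # 0 means nothing was flagged
}

DEMO_DIR=$(mktemp -d)

# Weak: plain HTTP still served, legacy protocols, leaf-only cert, no HSTS.
cat > "$DEMO_DIR/weak.conf" <<'EOF'
server {
    listen 80;
    server_name dracula.host www.dracula.host;
    root /var/www/dracula.host/html;
}
server {
    listen 443 ssl;
    server_name dracula.host www.dracula.host;
    ssl_certificate /etc/letsencrypt/live/dracula.host/cert.pem;
    ssl_certificate_key /etc/letsencrypt/live/dracula.host/privkey.pem;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    root /var/www/dracula.host/html;
}
EOF

# Hardened: redirect-only HTTP block, full chain, TLS 1.2+ only, HSTS.
cat > "$DEMO_DIR/hardened.conf" <<'EOF'
server {
    listen 80;
    listen [::]:80;
    server_name dracula.host www.dracula.host;
    return 301 https://$host$request_uri;
}
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name dracula.host www.dracula.host;
    ssl_certificate /etc/letsencrypt/live/dracula.host/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/dracula.host/privkey.pem;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers off;
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:10m;
    ssl_session_tickets off;
    add_header Strict-Transport-Security "max-age=63072000" always;
    root /var/www/dracula.host/html;
}
EOF

for name in weak hardened; do
  echo "== $name.conf"
  audit_tls_block "$DEMO_DIR/$name.conf" && echo "clean" || echo "needs attention"
done
```

Two caveats on the hardened block. Only add the HSTS header once every subdomain you care about is served over HTTPS: browsers cache it for max-age, so a mistake here cannot be undone quickly. And TLSv1.3 in ssl_protocols needs Nginx built against OpenSSL 1.1.1, which Ubuntu 18.04 received through updates; if nginx -t rejects it, drop it and keep TLSv1.2.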

There’s one more thing to check and you’ll be all set.

Step 5 — Checking SSL Certificate Auto-Renewal

Everything is set up, but there’s one more thing to verify.

Let’s Encrypt certificates are valid for 90 days. Normally we’d have to renew manually or set up a cron job, but the Certbot package took care of this for us by installing a scheduled job: /etc/cron.d/certbot and, on systemd-based systems such as Ubuntu 18.04, a certbot.timer unit (the cron entry steps aside when systemd is running, so systemctl list-timers is where you’ll see it). It runs twice a day and renews any certificate that is within 30 days of expiring.

We just want to make sure the renewal goes smoothly. We can test it with a dry run, which performs the whole challenge against Let’s Encrypt’s staging environment without replacing the real certificate:

$ sudo certbot renew --dry-run

If you get no errors, everything is set up correctly. When Certbot renews your certificates, the Nginx plugin also reloads Nginx so the new certificate is actually served.

If renewal keeps failing, do not count on being told: Let’s Encrypt has historically emailed expiry warnings to the registered address, but that is a last resort, so check the job’s status yourself and monitor the expiry of the certificate you actually serve.
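Because the renewal job runs twice a day and acts 30 days before expiry, a certificate that gets noticeably closer to expiry than that means automatic renewal has been failing silently. The POSIX shell check below is an added example, not from the tutorial or from Certbot, that you can run from cron or a monitoring host. It assumes GNU date (to parse OpenSSL’s notAfter format) and, only in check_cert_file, the openssl binary. The sample notAfter value borrows the 2019-01-21 expiry date from the Certbot output above with an assumed time of 12:00:00, the two fixed “now” values are constructed, and the 20-day alarm threshold is our choice, deliberately inside Certbot’s 30-day renewal window.

```shell
#!/bin/sh
# Added example (not part of the tutorial or of Certbot): an independent
# expiry check.  Certbot's renew job runs twice a day and renews anything
# within 30 days of expiry, so a certificate closer to expiry than that
# means renewal has been failing; alarm well before the 90-day limit.

# Days from "now" until the given notAfter timestamp, as printed by
# "openssl x509 -enddate -noout" (e.g. "Jan 21 12:00:00 2019 GMT").
# Assumes GNU date.  $2 lets callers pin "now" for repeatable tests.
days_until_expiry() {
  expiry=$(date -u -d "$1" +%s) || return 2
  now=${2:-$(date -u +%s)}
  echo $(( (expiry - now) / 86400 ))
}

# Succeeds (exit 0) when the certificate is closer to expiry than the
# alarm threshold (default 20 days, our choice): with Certbot renewing at
# 30 days, at least one scheduled renewal attempt must already have failed.
renewal_overdue() {
  days=$(days_until_expiry "$1" "$3") || return 2
  threshold=${2:-20}
  [ "$days" -le "$threshold" ]
}

# Read notAfter from a certificate file and report.  Real-world wrapper
# for the two functions above; requires openssl.
check_cert_file() {
  not_after=$(openssl x509 -enddate -noout -in "$1") || return 2
  not_after=${not_after#notAfter=}
  days=$(days_until_expiry "$not_after") || return 2
  if renewal_overdue "$not_after"; then
    echo "ALERT: $1 expires in $days days; certbot renew is not working"
    return 1
  fi
  echo "OK: $1 expires in $days days"
}

# Constructed sample: the expiry date from the tutorial's Certbot output
# (time of day assumed), checked against two fixed "now" values.
SAMPLE_NOT_AFTER="Jan 21 12:00:00 2019 GMT"
NOW_60_DAYS_BEFORE=1542888000   # 2018-11-22 12:00:00 UTC: renewal not yet due
NOW_15_DAYS_BEFORE=1546776000   # 2019-01-06 12:00:00 UTC: renewal has failed

echo "60-day case: $(days_until_expiry "$SAMPLE_NOT_AFTER" "$NOW_60_DAYS_BEFORE") days left"
if renewal_overdue "$SAMPLE_NOT_AFTER" 20 "$NOW_15_DAYS_BEFORE"; then
  echo "15-day case: renewal overdue, alert"
fi
```

Point check_cert_file at /etc/letsencrypt/live/your_site.com/cert.pem for the file on disk. To also catch the case where renewal succeeded but Nginx was never reloaded, feed days_until_expiry the date the server actually presents: openssl s_client -servername your_site.com -connect your_site.com:443 </dev/null 2>/dev/null | openssl x509 -enddate -noout.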

Conclusion

To recap, you’ve installed the Let’s Encrypt client Certbot, obtained free SSL/TLS certificates for your domain, configured Nginx to use them and set up automatic renewal. Well done.

If you have any questions, check the official Certbot documentation, or get in touch with us and we’ll try to help as soon as possible.

If you’re in the market for a great deal on Linux VPS, then do check out our Linux KVM plans. They start at 1GB RAM + 10GB SSD, for only $9.99/mo.
