Secure Nginx Server with Let’s Encrypt on Ubuntu
By Adarsh Sojitra on July 25th, 2019
Nginx is gaining its popularity because it can be used for many purposes. For example, you can use Nginx as a web server but you can also use Nginx as a reverse proxy for other web servers like Apache. No doubt, Nginx performs better than Apache, mainly because Nginx does not come with many modules. It’s important to secure your applications or websites with SSL certificate. In this guide, I am going to show you how to secure your Nginx server with Let’s Encrypt Certbot.
When we say we are going to secure our Nginx server with Let’s Encrypt, we mean using SSL certificates on all the domains hosted on our Nginx server. SSL Certificates are important. Why? Let’s see how SSL certificates will protect your user’s data in brief.
What is Let’s Encrypt and an SSL Certificate?
So, SSL certificates are kind of end-to-end encryption for all the data that is transferred from the browser to your server. So, whenever a user enters some personal information or any kind of information on your website, It will be encrypted before it is sent to your server. Only your server can decrypt the information sent by a user because only your server has a key to decrypt the information.
We can secure our Nginx server using SSL certificates. Especially, For FREE! It’s because Let’s Encrypt is an authority that provides SSL certificates for free to anyone. You just have to verify the domain ownership. In other words, you just have to verify that you have permission to manage a specific domain name.
Finally, we can get started with the guide. However, there are some prerequisites for following this guide. Make sure you already have Nginx installed and configured on your server. If you need help setting up your server with Nginx, Follow our guide to set up a LEMP stack on your Ubuntu server.
Installing Let’s Encrypt Certbot for Nginx on Ubuntu
Finally, It’s time to install a Let’s Encrypt client called Certbot that will help us manage SSL certificates on our server. Not only it will help us manage SSL certificates, but it will also help us issue and renew SSL certificates too!
So, To install Certbot on your Ubuntu server for Nginx, execute the following bunch of commands on your server. Make sure you are logged in as a root user or you have the sudo privileges on your server.
$ sudo apt-get update $ sudo apt-get install software-properties-common $ sudo apt-add-repository universe $ sudo add-apt-repository ppa:certbot/certbot $ sudo apt-get update $ sudo apt-get install certbot python-certbot-nginx
It might take a few minutes to install Certbot on your server. Once done, the installation of Let’s Encrypt on our server is done. Now, Let’s see how we can use Certbot to issue SSL certificates for our websites.
Issue and Install SSL with Let’s Encrypt Nginx
Issue and configure? Yes. Let’s say you already have an SSL certificate that consists of three files. The three files in any SSL certificate are:
- SSL Certificate file (Typically has an extension of .crt)
- Private Key file (Has an extension of .key)
- Chain file (has an extension of .crt or .ca)
If you have these files, you still have to tell your Nginx server to use these files whenever a request is made. To configure the SSL certificate, we have to update virtual host files.
However, if you do not know how to deal with Virtual host files, Certbot can handle this part for you. That is why, in this section of the guide, we will see how to issue and configure an SSL certificate using a single command. To issue an SSL certificate from Let’s Encrypt for our Nginx server, execute the following command.
$ sudo certbot --nginx -d example.com
This command is interactive. It will ask you some questions. First of all, it will ask you for your E-mail address. Enter the correct E-mail address as they will reach you on your E-mail address if SSL certificates are about to expire. After that, it will ask you for your agreement with Let’s Encrypt’s terms of service. The process will move forward only if you agree with the terms.
Then it will ask you if you want to share your E-mail address with the company that develops Certbot, That decision is up to you. After that, it will start issuing an SSL certificate for your domain name. It might take 10-15 seconds to verify the domain name and generate an SSL certificate for your website.
The last question it will ask you is if you want to redirect all HTTP traffic to HTTPS. Say yes and hit enter. That’s all! Now, you will be able to access your website with HTTPS.
Issue SSL Certificate Only
If you are a technical person and you want to manage virtual host files on your own, follow this section of the guide. Certbot has an option that we can use to just issue an SSL certificate for our application. Once the SSL certificate is issued, we can manually edit virtual host files to use the SSL certificate issued by Certbot.
To issue the SSL certificate without automatically updating the virtual host files, execute the certbot command with
certonly option, just like the following example.
$ sudo certbot certonly --nginx -d example.com
It will issue an SSL certificate for your website. However, It will not update any virtual host files. It means that you can update virtual host files as per your requirements. Now, Let’s see how to issue an SSL certificate for a bunch of domain names using Let’s Encrypt Certbot for Nginx server.
Issue SSL certificate for multiple domains
In the majority of cases, we have to issue SSL certificate with at least two domain names. We have to add the www version of our domain name in the SSL certificate. There is nothing to worry about. You can issue a single SSL certificate for the whole bunch of domain names using Certbot. You can add up to 100 domain/subdomain names in a single SSL certificate.
To issue an SSL certificate with a bunch of domain names, execute the certbot command with multiple
-d options or a single
-d option with domains separated with comma, just like the following example.
$ sudo certbot --nginx -d example.com,www.example.com
Or, the other variant of the command would be.
$ sudo certbot --nginx -d example.com -d www.example.com
Now, Let’s see how to renew the SSL certificates issued from Let’s Encrypt using Certbot.
Renew SSL Certificates
The SSL certificates we issue from Let’s Encrypt have 90 days of validity. After 90 days, you have to renew SSL certificates to keep your site running on HTTPS. It is very easy to renew all the certificates that exist on your server. We just have to execute a single command to auto-renew all the SSL certificates on our server.
$ sudo certbot renew
But, You do not have to worry about renewing SSL certificates. It is because this command will be executed twice a day, automatically. However, after issuing the SSL certificate for the first time, you just have to make sure that your server will not face any issue while renewing the SSL certificate automatically.
To make sure that the renewal process will not face any issue, execute the following command to simulate the renewal process instead of actually renewing the SSL certificate.
$ sudo certbot renew --dry-run
So, this is how the renewals will work with Let’s Encrypt Certbot for Nginx server on Ubuntu machine.
Conclusion: So, This is how you can issue, manage, and renew SSL certificates using Let’s Encrypt Certbot for Nginx server. Using Certbot, you can issue as many SSL certificates as you want for Free. It’s always a good idea to secure your websites with SSL certificates. SSL certificate will also help you rank higher in the search engine ranking positions. If you are using Apache on Ubuntu, you can follow our guide for Securing Apache server with Let’s Encrypt.
Let us know if you need help with Let’s Encrypt Certbot in the comment section given below. Or contact the support department if you are already a customer of InterServer.