Install Nginx HTTP Server with Let’s Encrypt Free SSL Certificates on Ubuntu 16.04 / 18.04 / 18.10

If you’re a student or a new user who wants to set up the Nginx HTTP server with a free Let’s Encrypt SSL certificate, the steps below are a good place to start.

Let’s Encrypt is a Certificate Authority (CA) that issues free SSL/TLS certificates to anyone who controls a valid domain name. This brief tutorial shows students and new users how to configure an Nginx virtual host to use certificates issued by the Let’s Encrypt CA.

Let’s Encrypt also provides a client, Certbot, that automates the process on Linux systems. With the client it is easy to obtain, renew and manage certificates, and with its Nginx plugin the whole process, including the web server configuration, can be automated.

To set up Nginx websites to use free Let’s Encrypt SSL/TLS certificates, follow the steps below:

Step 1: Prerequisites

Before installing and configuring Let’s Encrypt certificates, make sure your DNS settings are correct and that your domain resolves to this server by name, not only by IP address: Let’s Encrypt proves that you control a domain by contacting it from the internet, so the name must be publicly reachable. You may also want to add the records below in your DNS panel.

Make sure the domain points to your server’s IP address in the DNS panel (an A record, plus an AAAA record if the server has a public IPv6 address; Let’s Encrypt prefers IPv6 for validation when an AAAA record exists, so only publish one if Nginx listens on it, as the listen [::]:80 line below does). Every name you will request a certificate for must resolve, so www.example.com needs a record as well:

example.com  points to  your server IP address   

Optionally, create a CAA record that authorizes Let’s Encrypt to issue certificates for your domain. CAA restricts which CAs may issue for a name: if no CAA record exists anywhere up the name’s hierarchy any CA may issue, but once one is published only the listed CAs may, which limits the damage if an attacker manages to pass another CA’s validation. To do that, add the record shown below:

example.com. IN CAA 0 issue "letsencrypt.org"

You can also add an iodef property giving a contact address to which CAs that support it may report certificate requests that violate the policy:

example.com. IN CAA 0 iodef "mailto:admin@example.com"
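The CAA rule described above (walk from the name up through its parents until a CAA record set is found; no record anywhere means any CA may issue; ";" forbids every CA for that tag; issuewild replaces issue for wildcard names) is easy to get wrong by only looking at the exact name. The script below is an added example, not Certbot or Let’s Encrypt code: it applies that rule to a constructed sample zone so it runs offline, and with CAA_LIVE=1 it queries real DNS with dig (assumed installed, package dnsutils on Ubuntu). The hostnames locked.example.com, other.test and nocaa.test are made up for the sample data.

```bash
#!/usr/bin/env bash
# caa_preflight.sh: would a given CA be allowed to issue for a name?
# Implements the CAA lookup rule of RFC 8659: starting at the name, walk up
# through the parent domains until a CAA RRset is found; if none exists
# anywhere, any CA may issue. Record flags (the 0 in "0 issue ...") are
# not evaluated here. Added example, not part of Certbot or Let's Encrypt.
set -u

# Constructed sample zone data for offline use (not real DNS), one record
# per line: "<owner> CAA <flags> <tag> <value>".
SAMPLE_ZONE='example.com. CAA 0 issue "letsencrypt.org"
example.com. CAA 0 issuewild ";"
example.com. CAA 0 iodef "mailto:admin@example.com"
locked.example.com. CAA 0 issue ";"
other.test. CAA 0 issue "digicert.com"'

# caa_records NAME: print NAME's own CAA records in the format above.
# Reads SAMPLE_ZONE unless CAA_LIVE is set, in which case it queries DNS
# with dig (assumed installed, package dnsutils on Ubuntu).
caa_records() {
  if [ -n "${CAA_LIVE:-}" ]; then
    dig +short CAA "$1" | awk -v n="$1." 'NF { print n, "CAA", $0 }'
  else
    printf '%s\n' "$SAMPLE_ZONE" | awk -v n="$1." '$1 == n && $2 == "CAA"'
  fi
}

# effective_caa NAME: the CAA RRset that governs NAME, i.e. the first
# non-empty set found on NAME, its parent, grandparent, ... (exit 1 if none).
effective_caa() {
  local name="$1" rr
  while [ -n "$name" ]; do
    rr=$(caa_records "$name")
    if [ -n "$rr" ]; then printf '%s\n' "$rr"; return 0; fi
    case "$name" in
      *.*) name="${name#*.}" ;;   # www.example.com -> example.com -> com
      *)   name="" ;;
    esac
  done
  return 1
}

# ca_may_issue NAME CA [yes]: exit 0 if CA may issue a certificate for NAME
# (pass "yes" as the third argument for a wildcard *.NAME). With no CAA
# RRset issuance is unrestricted; otherwise CA must appear in an "issue"
# property, or in "issuewild" for wildcards when that tag is present.
# The value ";" (an empty CA list) forbids every CA for that tag.
ca_may_issue() {
  local name="$1" ca="$2" wild="${3:-no}" rr tag=issue
  rr=$(effective_caa "$name") || return 0
  if [ "$wild" = yes ] && printf '%s\n' "$rr" | grep -q ' issuewild '; then
    tag=issuewild
  fi
  printf '%s\n' "$rr" | awk -v t="$tag" -v ca="$ca" '
    $4 == t {
      v = $5; gsub(/"/, "", v); sub(/;.*/, "", v)   # "letsencrypt.org; ..." -> letsencrypt.org
      if (v == ca) found = 1
    }
    END { exit found ? 0 : 1 }'
}

# Usage: ./caa_preflight.sh example.com letsencrypt.org   (CAA_LIVE=1 for real DNS)
if [ $# -ge 2 ]; then
  if ca_may_issue "$1" "$2" "${3:-no}"; then
    echo "$2 may issue for $1"
  else
    echo "$2 may NOT issue for $1 (check the CAA records on $1 and its parents)"
    exit 1
  fi
fi
```

Run it before requesting the certificate for every name you will pass to -d; with the sample data, www.example.com inherits the example.com policy, a wildcard for example.com is refused because of the issuewild ";" record, and a name with no CAA anywhere is unrestricted.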

Step 2: Set Up the Nginx Virtual Host

Now that your domain is set up, configure the Nginx HTTP server so that the Let’s Encrypt client can install the certificates.

If Nginx isn’t installed yet, the commands below install it:

sudo apt update
sudo apt install nginx

After installing Nginx, create a virtual host file for your website and make sure its server_name directive lists every domain name you want a certificate for; Certbot matches the names given with -d against server_name to find the block to edit.

sudo nano /etc/nginx/sites-available/example.com.conf

The file should contain a server_name line defining your domain names, as in the example below (the location ~ \.php$ block assumes PHP 7.2 FPM is installed; omit it for a static site). Link the file into /etc/nginx/sites-enabled/ and check the syntax with sudo nginx -t before continuing, otherwise Nginx never loads it.

server {
    listen 80;
    listen [::]:80;
    root /var/www/html/example.com;
    index  index.php index.html index.htm;
    server_name  example.com www.example.com;

     client_max_body_size 100M;

    location / {
        try_files $uri $uri/ /index.php?$args;        
    }

    location ~ \.php$ {
         include snippets/fastcgi-php.conf;
         fastcgi_pass unix:/var/run/php/php7.2-fpm.sock;
         fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
         include fastcgi_params;
    }
}

Save the file and close out.

Step 3: Install Let’s Encrypt Nginx Client

To get free Let’s Encrypt SSL/TLS certificates on your Ubuntu machine, first install its client, Certbot, together with the Nginx plugin; the client automates validation, installation and renewal. To install it, run the command below.

sudo apt-get install python-certbot-nginx

If python-certbot-nginx is not available from the Ubuntu repositories, or the packaged version is too old, add the Certbot PPA and install the package from there:

sudo add-apt-repository ppa:certbot/certbot
sudo apt-get update
sudo apt-get install python-certbot-nginx

Then run the command below to obtain a certificate for your site and let Certbot configure Nginx to use it:

sudo certbot --nginx --agree-tos --email admin@example.com --redirect --hsts -d example.com -d www.example.com

The command options above are explained below:

  • --nginx: use the Nginx plugin, which proves control of the domain and edits the server block for you.
  • --agree-tos: agree to the Let’s Encrypt terms of service.
  • --redirect: rewrite the HTTP server block so every plain-HTTP request gets a 301 redirect to HTTPS.
  • --email: contact address for expiry notices and account recovery.
  • --hsts: add the Strict-Transport-Security header to every HTTPS response, so browsers that have seen it once refuse to use plain HTTP for the site; only enable it once HTTPS works for every host name, because browsers cache it.
  • -d: a domain to include in the certificate; repeat it for every name, and every name must resolve to this server.

Certbot validates that you control each domain by contacting the server from the internet, so every name must resolve publicly before this step. It then installs the certificate, configures the site to redirect all HTTP traffic to HTTPS, and ends with a summary like the one below.

Congratulations! You have successfully enabled https://example.com and
https://www.example.com

You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=example.com
https://www.ssllabs.com/ssltest/analyze.html?d=www.example.com
-------------------------------------------------------------------------------

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/example.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/example.com/privkey.pem
   Your cert will expire on 2018-02-24. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot again
   with the "certonly" option. To non-interactively renew *all* of
   your certificates, run "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

The lines marked "managed by Certbot" in the block below are added to your Nginx site configuration automatically; the HTTP-to-HTTPS redirect appears once active and once commented out, both written by Certbot. Your site is ready to be used over HTTPS.

server {
    listen 80;
    listen [::]:80;
    root /var/www/html/example.com;
    index  index.php index.html index.htm;
    server_name  example.com www.example.com;

     client_max_body_size 100M;

    location / {
        try_files $uri $uri/ /index.php?$args;        
    }

    location ~ \.php$ {
         include snippets/fastcgi-php.conf;
         fastcgi_pass unix:/var/run/php/php7.2-fpm.sock;
         fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
         include fastcgi_params;
    }

    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

    if ($scheme != "https") {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    # Redirect non-https traffic to https
    # if ($scheme != "https") {
    #     return 301 https://$host$request_uri;
    # } # managed by Certbot
}

Your setup is done, but Let’s Encrypt certificates are valid for only 90 days, so renewal has to happen regularly. Let’s Encrypt emails the contact address when a certificate is about to expire; treat that as a warning that your automation has failed, not as the renewal mechanism. To test the renewal process without changing anything, run:

sudo certbot renew --dry-run

The Ubuntu certbot package already installs a scheduled renewal (the certbot.timer systemd unit, plus /etc/cron.d/certbot for systems without systemd); check with systemctl list-timers. If you installed Certbot some other way, add a cron job to run the renewal:

sudo crontab -e

Then add the line below and save.

0 1 * * * /usr/bin/certbot renew --quiet

--quiet suppresses everything except errors, which cron then mails to root. Do not write the job as "certbot renew & > /dev/null": the & backgrounds certbot and leaves the redirection attached to an empty command.

certbot renew checks every certificate on each run and renews only those expiring within the next 30 days. Because the certificate was obtained with the --nginx installer, Certbot also reloads Nginx after a successful renewal so that the new certificate is actually served; if you ever switch to certonly, add --deploy-hook "systemctl reload nginx" so the reload still happens.
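The failure mode worth checking for is a renewal that succeeds on disk while Nginx keeps serving the old certificate because nothing reloaded it. The script below is an added example, not part of Certbot or the original page: it compares the SHA-256 fingerprint of the certificate in /etc/letsencrypt/live/ with the one the server presents for the host, and reports how many whole days the served certificate has left using pure shell date arithmetic (so it also works without GNU date -d). The script name renew_check.sh and the 30-day threshold, which mirrors certbot’s default renew_before_expiry, are assumptions of this example.

```bash
#!/usr/bin/env bash
# renew_check.sh: confirm that a renewed certificate is actually being served.
# certbot renew replaces the files under /etc/letsencrypt/live/, but nginx
# keeps serving the old certificate until it is reloaded, so this compares
# the SHA-256 fingerprint of the certificate on disk with the one the server
# presents, and reports how many days the served certificate has left.
# Added example, not from Certbot or the original page. The 30-day threshold
# mirrors certbot's default renew_before_expiry, applied here per whole day.
set -u

# days_from_civil Y M D: days since 1970-01-01 for a Gregorian date, in pure
# shell arithmetic (no GNU "date -d" needed); Y, M, D without leading zeros.
days_from_civil() {
  local y=$1 m=$2 d=$3 era yoe mp doy doe
  if [ "$m" -le 2 ]; then y=$((y - 1)); fi
  era=$((y / 400)); yoe=$((y - era * 400))
  if [ "$m" -gt 2 ]; then mp=$((m - 3)); else mp=$((m + 9)); fi
  doy=$(( (153 * mp + 2) / 5 + d - 1 ))
  doe=$(( yoe * 365 + yoe / 4 - yoe / 100 + doy ))
  echo $(( era * 146097 + doe - 719468 ))
}

# ymd_to_days YYYY-MM-DD: split the date and strip the leading zeros that
# would otherwise make the shell read "08" or "09" as (invalid) octal.
ymd_to_days() {
  local y=${1%%-*} rest=${1#*-} m d
  m=${rest%-*}; d=${rest#*-}
  days_from_civil "$y" "${m#0}" "${d#0}"
}

# days_between START END: whole days from START to END (both YYYY-MM-DD).
days_between() { echo $(( $(ymd_to_days "$2") - $(ymd_to_days "$1") )); }

# notafter_to_ymd "notAfter=Feb 24 23:59:59 2018 GMT": the date part of
# openssl's -enddate output as YYYY-MM-DD.
notafter_to_ymd() {
  set -- ${1#notAfter=}            # -> Feb 24 23:59:59 2018 GMT
  local m
  case $1 in
    Jan) m=01;; Feb) m=02;; Mar) m=03;; Apr) m=04;; May) m=05;; Jun) m=06;;
    Jul) m=07;; Aug) m=08;; Sep) m=09;; Oct) m=10;; Nov) m=11;; Dec) m=12;;
    *) return 1;;
  esac
  printf '%04d-%s-%02d\n' "$4" "$m" "$2"
}

# renewal_due DAYS_LEFT: true when certbot renew would act (fewer than 30 days left).
renewal_due() { [ "$1" -lt 30 ]; }

# Fingerprint and expiry of the certificate on disk and of the one nginx
# presents for HOST (sent as SNI so the right virtual host answers).
disk_fingerprint()   { openssl x509 -noout -fingerprint -sha256 -in "$1"; }
served_cert()        { openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null; }
served_fingerprint() { served_cert "$1" | openssl x509 -noout -fingerprint -sha256; }
served_enddate()     { served_cert "$1" | openssl x509 -noout -enddate; }

# Usage: ./renew_check.sh example.com [/etc/letsencrypt/live/example.com/fullchain.pem]
if [ $# -ge 1 ]; then
  host=$1; pem=${2:-/etc/letsencrypt/live/$1/fullchain.pem}
  today=$(date -u +%Y-%m-%d)
  left=$(days_between "$today" "$(notafter_to_ymd "$(served_enddate "$host")")")
  echo "$host: served certificate expires in $left day(s)"
  if [ "$(disk_fingerprint "$pem")" != "$(served_fingerprint "$host")" ]; then
    echo "WARNING: certificate on disk differs from the served one; run: systemctl reload nginx" >&2
    exit 2
  fi
  if renewal_due "$left"; then echo "renewal is due; run: certbot renew"; fi
fi
```

Run it from a monitoring host a few hours after the renewal schedule fires; a fingerprint mismatch means the reload never happened, and an exit status of 2 is what to alert on. Against the certificate shown in the Certbot output above (expiring 2018-02-24), the day count on 2018-01-25 is exactly 30, so certbot renew would not yet act that day but would the next.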
