Secure Nginx HTTPS Websites with Let’s Encrypt Free SSL/TLS Certificates on Ubuntu 16.04 | 18.04

Let’s Encrypt is a free and open certificate authority (CA) developed by the Internet Security Research Group (ISRG). It is supported by many large organizations, including Google, Microsoft and others.

If you’d like a free SSL/TLS certificate to secure your website traffic over HTTPS, you’re on the right page. The steps below will help you obtain and configure a free Let’s Encrypt SSL certificate on the Nginx HTTP server.

With these settings in place, you can use the HTTPS protocol to secure your domain and website traffic.

This brief tutorial shows students and new users how to get the Nginx HTTP server working with the Let’s Encrypt CA on Ubuntu 16.04 | 18.04 LTS servers.

When you’re ready, follow the steps below:

Step 0: Get your Domain Name

Let’s Encrypt works with a valid domain and a working server that the domain points to. This setup assumes that your domain name is example.com and that it points to your server with IP address 192.168.1.2. Because the HTTP-01 validation used below is performed by Let’s Encrypt connecting to your server, the server must be reachable from the internet on port 80.

Also make sure the www CNAME points to the domain name. The records should look something like this:

example.com        A       ==========>    192.168.1.2
www               CNAME    ==========>    example.com

Step 1: Install Nginx HTTP Server

Now that you have a valid domain pointing to the correct server IP address, continue below to set up Let’s Encrypt.

First, install the Nginx server. To do that, run the commands below:

sudo apt update
sudo apt install nginx

After installing Nginx, the commands below can be used to stop, start and enable the Nginx service so that it always starts when the server boots.

sudo systemctl stop nginx.service
sudo systemctl start nginx.service
sudo systemctl enable nginx.service

To test the Nginx setup, open your browser and browse to the server hostname or IP address; you should see the Nginx default test page.

When you see that page, Nginx is working as expected.

http://localhost

nginx default home page test

Step 2: Configure Nginx with Your Domain

Now that Nginx is installed, configure it with your domain so that when users type your domain name, Nginx responds.

To do that, first create a directory for the site under the Nginx web root:

sudo mkdir /var/www/html/example.com

Then, inside the example.com folder, create a file with the content below:

sudo nano /var/www/html/example.com/index.html

Copy the content below into the file and save.

<!DOCTYPE html>
<html>
  <head>
    <title>Example.com Test Page</title>
  </head>
  <body>
    <p>Success! Example.com is working</p>
  </body>
</html>

Save the file and exit.

Next, run the command below to give the Nginx user (www-data) ownership of the directory:

sudo chown -R www-data: /var/www/html/example.com

When you’re done, create an Nginx server block for the example.com domain. To do that, run the command below to create a new configuration file for the domain:

sudo nano /etc/nginx/sites-available/example.com

Then copy the content below into the file and save.

server {
    listen 80;
    listen [::]:80;

    server_name example.com www.example.com;
    # root must be the document directory, not the index file itself
    root /var/www/html/example.com;
    index index.html;

    access_log /var/log/nginx/example.com.access.log;
    error_log /var/log/nginx/example.com.error.log;

    location / {
        try_files $uri $uri/ =404;
    }
}

Save the file and exit.

Now that the example.com configuration file is created, run the command below to enable it:

sudo ln -s /etc/nginx/sites-available/example.com /etc/nginx/sites-enabled/

The site should now be enabled and ready to use.

Step 3: Install and Configure Let’s Encrypt

Now that our Nginx site is enabled and ready to use, run the commands below to install and configure Let’s Encrypt to secure the Nginx website.

First, install Certbot. Certbot is a fully featured and easy-to-use tool that automates obtaining and renewing Let’s Encrypt SSL certificates.

To install it, run the commands below:

sudo apt install certbot

After installing Certbot, prepare a webroot directory for its Webroot plugin. Let’s Encrypt validates your domain by fetching a challenge file that Certbot places under ${webroot-path}/.well-known/acme-challenge/, so Nginx must serve that path over HTTP.

To do that, create the directory and give Nginx access to it:

sudo mkdir -p /var/lib/letsencrypt/.well-known
sudo chgrp www-data /var/lib/letsencrypt
sudo chmod g+s /var/lib/letsencrypt

Next, create an Nginx snippet for the well-known challenge location with the configuration below:

sudo nano /etc/nginx/snippets/well-known.conf

Then copy and paste the content below into the file and save.

location ^~ /.well-known/acme-challenge/ {
  allow all;
  root /var/lib/letsencrypt/;
  default_type "text/plain";
  try_files $uri =404;
}

Save the file and exit.

Step 4: Obtain Your Free Certificate

At this point, your domain should be pointing to your server IP, the Nginx HTTP server should be installed and configured, and Certbot should be installed and ready to obtain your certificate.

Before requesting your free certificate, open the example.com Nginx configuration file created above:

sudo nano /etc/nginx/sites-available/example.com

When the file opens, add the include line below (the one that pulls in snippets/well-known.conf) and save:

server {
    listen 80;
    listen [::]:80;

    server_name example.com www.example.com;
    root /var/www/html/example.com;
    index index.html;

    include snippets/well-known.conf;

    access_log /var/log/nginx/example.com.access.log;
    error_log /var/log/nginx/example.com.error.log;

    location / {
        try_files $uri $uri/ =404;
    }
}

Save the file and exit.

Test the configuration and restart the Nginx HTTP server:

sudo nginx -t
sudo systemctl restart nginx
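Before running Certbot, it is worth confirming that the webroot plumbing from Step 3 really serves challenge files over plain HTTP, since a wrong root path or a stray redirect is the usual reason validation fails. The Python check below is an added example (not Certbot code and not from the original post): it writes a constructed token under the webroot exactly where HTTP-01 validation looks, fetches it as the CA would, compares the bytes and cleans up; check_webroot and demo_against_local_server are names assumed here.

```python
"""Pre-flight check for the webroot above: write a constructed token file where HTTP-01
validation expects it (<webroot>/.well-known/acme-challenge/<token>), fetch it over plain
HTTP as the CA would, compare the bytes and delete it.  Added example, not certbot code."""
import os
import secrets
import tempfile
import threading
import urllib.request
from functools import partial
from http.server import HTTPServer, SimpleHTTPRequestHandler

# Connect directly, ignoring any proxy environment: the CA reaches the server directly too.
OPENER = urllib.request.build_opener(urllib.request.ProxyHandler({}))

def check_webroot(webroot, base_url, timeout=10):
    """Return (ok, detail); ok is True only if the exact file bytes round-trip over HTTP."""
    token = secrets.token_urlsafe(32)           # same shape as a real ACME token
    body = (token + ".preflight").encode()      # constructed content, not a key authorization
    chall_dir = os.path.join(webroot, ".well-known", "acme-challenge")
    os.makedirs(chall_dir, exist_ok=True)
    path = os.path.join(chall_dir, token)
    with open(path, "wb") as fh:
        fh.write(body)
    url = f"{base_url.rstrip('/')}/.well-known/acme-challenge/{token}"
    try:
        with OPENER.open(url, timeout=timeout) as resp:
            if resp.status != 200:
                return False, f"HTTP {resp.status} for {url}"
            if resp.read() != body:
                return False, "served bytes differ from the file (wrong root directory?)"
        return True, f"{url} served correctly"
    except Exception as exc:   # 404 (HTTPError), connection refused, DNS failure, ...
        return False, f"{type(exc).__name__}: {exc}"
    finally:
        os.remove(path)

def demo_against_local_server():
    """Run the check against a throwaway local server (stand-in for Nginx); returns (good, bad)."""
    with tempfile.TemporaryDirectory() as webroot, tempfile.TemporaryDirectory() as other:
        srv = HTTPServer(("127.0.0.1", 0), partial(SimpleHTTPRequestHandler, directory=webroot))
        threading.Thread(target=srv.serve_forever, daemon=True).start()
        base = f"http://127.0.0.1:{srv.server_address[1]}"
        good, _ = check_webroot(webroot, base)  # file lands where the server reads it
        bad, _ = check_webroot(other, base)     # like a wrong `root` in well-known.conf: 404
        srv.shutdown(); srv.server_close()
        return good, bad

if __name__ == "__main__":   # real site: the webroot is the -w path passed to certbot
    print(check_webroot("/var/lib/letsencrypt", "http://example.com"))
```

Run it as root (or a user that can write to /var/lib/letsencrypt) from any host that can reach the site; a False result with a 404 means Nginx is not serving the snippet's root, which is exactly what Certbot would report as a failed challenge.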

At this point all is set and you’re ready to obtain your certificate. To do that, run the command below:

sudo certbot certonly --agree-tos --email admin@example.com --webroot -w /var/lib/letsencrypt/ -d example.com -d www.example.com

Certbot should connect to Let’s Encrypt, validate your domain and server, then save the domain certificate. If everything is successful, you should see a message similar to the one below:

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/example.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/example.com/privkey.pem
   Your cert will expire on 2019-08-18. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - If you like Certbot, please consider supporting our work by:
   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

At this point you have a certificate; now add it to the Nginx configuration for the example.com domain.

First, generate Diffie–Hellman (DH) parameters, which Nginx uses for the DHE key exchange offered by the DHE cipher suites below. To do that, run the command below to generate a 2048-bit parameter file (this can take a few minutes):

sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048

Next, open your example.com config file:

sudo nano /etc/nginx/sites-available/example.com

Configure your file to look similar to the one below:

server {
    listen 80;
    listen [::]:80;

    server_name www.example.com example.com;

    # Keep the ACME challenge reachable over plain HTTP. A server-level "return"
    # runs before location matching and would redirect the challenge as well,
    # so the redirect lives in its own location block instead.
    include snippets/well-known.conf;

    location / {
        return 301 https://$host$request_uri;
    }
}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;

    server_name example.com www.example.com;
    root /var/www/html/example.com;
    index index.html;

    if ($host != "example.com") {
        return 301 https://example.com$request_uri;
    }

    include snippets/well-known.conf;

    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/example.com/chain.pem;
    ssl_dhparam /etc/ssl/certs/dhparam.pem;

    # TLSv1 and TLSv1.1 are deprecated; use "TLSv1.2" alone (adding TLSv1.3 where your
    # Nginx/OpenSSL build supports it) unless you must serve very old clients.
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    # The 3DES (DES-CBC3) suites at the end are legacy fallbacks and can be dropped for the same reason.
    ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
    ssl_prefer_server_ciphers on;
    # OCSP stapling needs a resolver so Nginx can reach the CA's OCSP responder
    ssl_stapling on;
    ssl_stapling_verify on;
    resolver 8.8.8.8 8.8.4.4 valid=300s;
    resolver_timeout 30s;

    access_log /var/log/nginx/example.com.access.log;
    error_log /var/log/nginx/example.com.error.log;

    location / {
        try_files $uri $uri/ =404;
    }
}

Save your changes, test the configuration and restart Nginx for the settings to take effect:

sudo nginx -t
sudo systemctl restart nginx
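Once Nginx is back up, a quick external check confirms what the configuration above is supposed to deliver: a chain that validates against the system CA store, a certificate covering both names passed to certbot, and a sensible time to expiry. This Python script is an added example (not from the original post or from Certbot); check_site, assess and the other helper names are assumed here, and ssl.create_default_context() does the chain and hostname verification during the handshake.

```python
"""Post-deployment check for the HTTPS site configured above: verify the chain and
hostname, report the negotiated TLS version, confirm the certificate covers every name
passed to certbot (-d example.com -d www.example.com) and flag pending expiry.  Added
example with assumed helper names; not part of certbot or the original post."""
import socket
import ssl
import time

EXPECTED_NAMES = ("example.com", "www.example.com")  # the -d values given to certbot
RENEW_WINDOW_DAYS = 30  # certbot renew acts once fewer than 30 days remain

def cert_san_names(cert):
    """DNS names from the Subject Alternative Name of a getpeercert() dict."""
    return {value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"}

def days_until_expiry(cert, now=None):
    """Days left before notAfter, parsed from the format getpeercert() returns."""
    now = time.time() if now is None else now
    return (ssl.cert_time_to_seconds(cert["notAfter"]) - now) / 86400

def assess(cert, expected=EXPECTED_NAMES, now=None):
    """Return (ok, findings) for a peer-certificate dict; findings is empty when ok."""
    findings = []
    missing = set(expected) - cert_san_names(cert)
    if missing:
        findings.append("certificate does not cover: " + ", ".join(sorted(missing)))
    left = days_until_expiry(cert, now)
    if left <= 0:
        findings.append("certificate has expired")
    elif left < RENEW_WINDOW_DAYS:
        findings.append(f"certificate expires in {left:.0f} days; renewal is due")
    return (not findings, findings)

def check_site(host, port=443):
    """Live check: full-chain and hostname verification happen in the handshake
    (an invalid chain raises ssl.SSLCertVerificationError); then inspect the leaf."""
    ctx = ssl.create_default_context()  # verifies against the system CA store
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
            ok, findings = assess(cert)
            return {"host": host, "tls_version": tls.version(), "ok": ok,
                    "days_left": round(days_until_expiry(cert), 1), "findings": findings}

if __name__ == "__main__":
    for name in EXPECTED_NAMES:   # www redirects to the apex, but must still present a valid cert
        print(check_site(name))
```

A tls_version of "TLSv1" or "TLSv1.1" in the output means a client was able to negotiate a deprecated protocol, which is a reason to tighten ssl_protocols as noted in the config comments.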

To set up automatic renewal, add a cron job that runs the renewal process:

sudo crontab -e

Then add the line below and save. The post-hook reloads Nginx after a successful renewal so that the new certificate is actually served; without it, Nginx keeps the old certificate in memory until it is restarted.

0 1 * * * /usr/bin/certbot renew --post-hook "systemctl reload nginx" > /dev/null 2>&1

The cron job runs once a day and will renew certificates that are within 30 days of expiring.

To test the renewal process without touching the live certificate, use the certbot --dry-run switch:

sudo certbot renew --dry-run

That’s it! Congratulations! You have successfully configured Nginx for Let’s Encrypt free SSL/TLS on Ubuntu 16.04 | 18.04.
