Setup LetsEncrypt SSL/TLS Certificates for Nginx on Ubuntu 17.04 | 17.10

This post shows new users and students how to easily obtain free LetsEncrypt SSL/TLS certificates for Nginx on Ubuntu 17.04 | 17.10 servers. Once you set up free LetsEncrypt certificates for your websites and blogs, all web traffic to your server will travel over HTTPS.

For those who don’t know about LetsEncrypt, it’s an open-source initiative to provide free SSL/TLS certificates to anyone wanting to enable encrypted communication. It works like other, paid certificate authorities (CAs).

With LetsEncrypt, you’ll never have to pay for SSL/TLS certificates again, as long as you continue to renew them.


This post assumes that you already have Ubuntu with Nginx webserver installed. If not, search this blog to find tutorials on installing Ubuntu and Nginx.

Or run the command below to install Nginx:

sudo apt-get install nginx

After installing Nginx, the commands below can be used to stop and start the Nginx service, and to enable it so that it always starts when the server boots.

sudo systemctl stop nginx.service
sudo systemctl start nginx.service
sudo systemctl enable nginx.service

Continue below to obtain LetsEncrypt certificates.


On Ubuntu systems, simply run the command below to get the LetsEncrypt package. The package can then be used to obtain certificates for your domains.

sudo apt-get install certbot

After running the command above, your system should be ready to obtain certificates. But before you run the command to obtain certificates, verify that your domain name is set up in Nginx.


To obtain LetsEncrypt SSL/TLS certificates, run the command below to open the Nginx configuration file and add the domain name directives.

sudo nano /etc/nginx/sites-available/default

Then verify that this line is included


You may also want to add this block of code in the file and save it.

location ~ /.well-known {
        # Let the ACME webroot challenge files be fetched
        allow all;
}

After verifying that information, run the command below to obtain your free certificates.

sudo certbot certonly -m -a webroot --webroot-path=/var/www/html -d -d

Replacing and with your domain name.

When you run the command above, you must accept the terms. Type A to accept.

Please read the Terms of Service at You must agree
in order to register with the ACME server at
(A)gree/(C)ancel: A

You may also want to share your email with the Electronic Frontier Foundation.

Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about EFF and
our work to encrypt the web, protect its users and defend digital rights.
(Y)es/(N)o: Y

Now all you do is sit back and relax. Certbot will obtain a valid SSL/TLS certificate from LetsEncrypt and save it on your machine. When the process is done, you should see a message that looks like the one below.

 - Congratulations! Your certificate and chain have been saved at:
   Your key file has been saved at:
   Your cert will expire on 2018-02-24. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.
 - If you like Certbot, please consider supporting our work by:
   Donating to ISRG / Let's Encrypt:
   Donating to EFF:          

All you have to do now is to enable Nginx to use the certificate.

Step 4: Setup Nginx to use the Certificates

After obtaining your free certificates, you must configure Nginx to use them. Run the command below to open the Nginx default site configuration file.

sudo nano /etc/nginx/sites-available/default

Then add the lines below to the file, make the following changes, and save the file.

server {
        listen 80 default_server;
        listen [::]:80 default_server;
        # Redirect all plain-HTTP requests to HTTPS
        return 301 https://$server_name$request_uri;
}
server {
        #listen 80 default_server;
        #listen [::]:80 default_server;
        # SSL configuration
        listen 443 ssl default_server;
        listen [::]:443 ssl default_server;
        ssl_certificate /etc/letsencrypt/live/;
        ssl_certificate_key /etc/letsencrypt/live/;
        # TLSv1 and TLSv1.1 are deprecated (RFC 8996); list them only if legacy clients need them
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_prefer_server_ciphers on;
        ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
        ssl_ecdh_curve secp384r1;
        ssl_session_cache shared:SSL:10m;
        ssl_session_tickets off;
        ssl_stapling on;
        ssl_stapling_verify on;
        resolver valid=300s;
        resolver_timeout 5s;
        # Note: You should disable gzip for SSL traffic.
        # See:
        root /var/www/html;
        # Add index.php to the list if you are using PHP
        index index.html index.htm index.nginx-debian.html;
        location / {
                # First attempt to serve request as file, then
                # as directory, then fall back to displaying a 404.
                try_files $uri $uri/ =404;
        }
        location ~ /.well-known {
                allow all;
        }
}

Save the file and you’re done.

Check the Nginx configuration by running the command below:

sudo nginx -t

If the results come back as successful, then you’re good.

Restart Nginx and you’re done.
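
`nginx -t` checks that the file parses; it does not judge the TLS settings. The shell function below is an added example, not part of the original post: it flags deprecated protocol versions, a TLS listener without a certificate and key, and OCSP stapling with no resolver address. The domain example.test and the resolver 192.0.2.53 in its sample input are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the original post): audit an Nginx TLS server block.
# Reads a config on stdin and prints one finding per line; no output means clean.
audit_nginx_tls() {
    awk '
    { sub(/#.*/, "") }                          # ignore comments
    $1 == "ssl_protocols" {                     # TLS 1.0/1.1 are deprecated (RFC 8996)
        for (i = 2; i <= NF; i++) {
            p = $i; sub(/;$/, "", p)
            if (p == "SSLv3" || p == "TLSv1" || p == "TLSv1.1")
                print "deprecated-protocol " p
        }
    }
    $1 == "listen" && /ssl/      { tls = 1 }
    $1 == "ssl_certificate"      { cert = 1 }
    $1 == "ssl_certificate_key"  { key = 1 }
    $1 == "ssl_stapling" && $2 == "on;" { stapling = 1 }
    $1 == "resolver" {                          # needs an address, not only name=value options
        for (i = 2; i <= NF; i++) if ($i !~ /=/) resolver = 1
    }
    END {
        if (tls && !(cert && key)) print "missing-cert-or-key"
        if (stapling && !resolver) print "stapling-without-resolver"
    }'
}

# Constructed sample: settings as in the post (example.test is a placeholder domain).
sample_weak() {
    cat <<'EOF'
server {
    listen 443 ssl default_server;
    ssl_certificate /etc/letsencrypt/live/example.test/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.test/privkey.pem;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_stapling on;
    resolver valid=300s;
}
EOF
}

# Constructed sample: the same block hardened (192.0.2.53 is a placeholder resolver).
sample_hardened() {
    sample_weak | sed -e 's/TLSv1 TLSv1.1 //' -e 's/resolver /resolver 192.0.2.53 /'
}

echo "as in the post:"; sample_weak | audit_nginx_tls
echo "hardened:";       sample_hardened | audit_nginx_tls
```

To audit the live file, run `audit_nginx_tls < /etc/nginx/sites-available/default`.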

To set up a process that automatically renews the certificates, add a cron job to execute the renewal process.

sudo crontab -e

Then add the line below and save.

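0 1 * * * /usr/bin/certbot renew > /dev/null 2>&1

The cron job runs every day at 1:00 AM; certbot only renews certificates that are within 30 days of expiring. Nginx keeps serving the old certificate until it is reloaded.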


This post shows students and new users an easy way to obtain free LetsEncrypt SSL/TLS certificates for the Nginx webserver on Ubuntu 17.04 | 17.10 servers. When you follow the steps above, in no time you’ll be running your Nginx-powered website over HTTPS.

