Setup LetsEncrypt SSL/TLS Certificates for Nginx on Ubuntu 17.04 / 17.10

This post shows new users and students how to easily obtain free LetsEncrypt SSL/TLS certificates for Nginx on Ubuntu 17.04 / 17.10 servers. When you set up LetsEncrypt free certificates for your websites and blogs, all web traffic to your server will travel over HTTPS.

For those who don’t know about LetsEncrypt, it’s an open-source initiative to provide free SSL/TLS certificates to anyone wanting to enable encrypted communication. It works like other paid certificate authorities (CAs).

With LetsEncrypt, you’ll never have to pay for SSL/TLS certificates again as long as you continue to renew them.

STEP 1: GET UBUNTU / NGINX

This post assumes that you already have Ubuntu with Nginx webserver installed. If not, search this blog to find tutorials on installing Ubuntu and Nginx.

Or run the command below to install Nginx.

sudo apt-get install nginx

After installing Nginx, the commands below can be used to stop, start and enable the Nginx service so that it always starts up when the server boots.

sudo systemctl stop nginx.service
sudo systemctl start nginx.service
sudo systemctl enable nginx.service

Continue below to obtain LetsEncrypt certificates.

STEP 2: INSTALLING THE LETSENCRYPT SSL/TLS MANAGEMENT PACKAGE

On Ubuntu systems, simply run the command below to install the LetsEncrypt client package (Certbot). The package can then be used to obtain certificates for your domains.

sudo apt-get install certbot

After running the command above, your system should be ready to obtain certificates. But before you run the commands to obtain certificates, verify that your domain name is set up in Nginx.

STEP 3: OBTAINING LETSENCRYPT CERTIFICATES

To obtain LetsEncrypt SSL/TLS certificates, run the command below to open the Nginx configuration file and add the server_name directive with your domain names.

sudo nano /etc/nginx/sites-available/default

Then verify that this line is included:

server_name     example.com www.example.com;

You may also want to add this block to the file, so that the ACME challenge files Certbot places under /.well-known are served, and save it.

location ~ /.well-known {
    allow all;
}

After verifying that information, run the command below to obtain your free certificates.

sudo certbot certonly -m admin@example.com -a webroot --webroot-path=/var/www/html -d example.com -d www.example.com

Replace www.example.com and example.com with your own domain names, and admin@example.com with your e-mail address.

When you run the command above, you must accept the terms of service. Type A to accept.

Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf. You must agree
in order to register with the ACME server at
https://acme-v01.api.letsencrypt.org/directory
-------------------------------------------------------------------------------
(A)gree/(C)ancel: A

You may also be asked whether you want to share your e-mail address with the Electronic Frontier Foundation.

Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about EFF and
our work to encrypt the web, protect its users and defend digital rights.
-------------------------------------------------------------------------------
(Y)es/(N)o: Y

Now all you have to do is sit back and relax. Certbot will obtain a valid SSL/TLS certificate and save it on your machine. When the process is done, you should see a message that looks like the one below.

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at
   /etc/letsencrypt/live/example.com/fullchain.pem. Your cert
   will expire on 2017-11-06. To obtain a new or tweaked version of
   this certificate in the future, simply run certbot again. To
   non-interactively renew *all* of your certificates, run "certbot
   renew"
 - If you lose your account credentials, you can recover through
   e-mails sent to admin@example.com.
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

All you have to do now is to enable Nginx to use the certificate.

STEP 4: SETTING UP NGINX TO USE THE CERTIFICATES

After obtaining your free certificates, you must configure Nginx to use them. Run the command below to open the Nginx default site configuration file.

sudo nano /etc/nginx/sites-available/default

Then add the lines below to the file, replacing the domain name and certificate paths with your own, and save the file.

server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name example.com www.example.com;
    return 301 https://$server_name$request_uri;
}

server {
    listen 443 ssl http2 default_server;
    listen [::]:443 ssl http2 default_server;
    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
    ssl_ecdh_curve secp384r1;
    ssl_session_cache shared:SSL:10m;
    ssl_session_tickets off;
    ssl_stapling on;
    ssl_stapling_verify on;
    resolver 8.8.8.8 8.8.4.4 valid=300s;
    resolver_timeout 5s;
    server_name example.com www.example.com;
    ...
}

Save the file and you’re done.

Check the Nginx configuration for errors by running the command below:

sudo nginx -t

If the results come back as successful, then you’re good.
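nginx -t only checks the syntax of the file, not the strength of what it says. As an added check (example script, not from the original post or from Certbot), the POSIX shell function below scans a site config for the TLS points this post touches and flags the deprecated TLS 1.0 / 1.1 protocols that the config above still enables; the sample config embedded at the bottom is constructed from the post's directives.

```shell
# Added example (not from the original post or Certbot): audit the TLS directives
# of an Nginx site config like the one above. Assumes POSIX sh with sed and grep.
strip_comments() { sed 's/#.*$//' "$1"; }   # ignore commented-out directives

# Print one "FINDING: ..." line per weak or missing setting; exit status = count.
audit_nginx_tls() {
    cfg=$1; n=0
    body=$(strip_comments "$cfg")
    # 1. ssl_protocols: SSLv3, TLSv1 and TLSv1.1 are deprecated; allow 1.2 (and 1.3).
    protos=$(printf '%s\n' "$body" | sed -n 's/^[[:space:]]*ssl_protocols[[:space:]]*\(.*\);.*/\1/p')
    for p in $protos; do
        case $p in
            SSLv2|SSLv3|TLSv1|TLSv1.1)
                echo "FINDING: legacy protocol $p enabled in ssl_protocols"; n=$((n + 1)) ;;
        esac
    done
    # 2. The port-80 server block must only redirect to HTTPS.
    printf '%s\n' "$body" | grep -q 'return 301 https://' \
        || { echo "FINDING: no 301 redirect from HTTP to HTTPS"; n=$((n + 1)); }
    # 3. Both the full chain and the private key must be configured.
    for d in ssl_certificate ssl_certificate_key; do
        printf '%s\n' "$body" | grep -q "^[[:space:]]*$d[[:space:]]" \
            || { echo "FINDING: $d directive missing"; n=$((n + 1)); }
    done
    # 4. OCSP stapling must be on so clients need not contact the CA's responder.
    printf '%s\n' "$body" | grep -q 'ssl_stapling[[:space:]]\{1,\}on' \
        || { echo "FINDING: ssl_stapling is not on"; n=$((n + 1)); }
    return $n
}

# Constructed sample: the TLS-relevant lines of the post's config.
SAMPLE_CONFIG='server {
    server_name example.com www.example.com;
    return 301 https://$server_name$request_uri;
}
server {
    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_stapling on;
}'

# Audit the sample: prints the findings, then the finding count as the last line.
audit_sample() {
    f=$(mktemp); printf '%s\n' "$SAMPLE_CONFIG" > "$f"
    audit_nginx_tls "$f" && c=0 || c=$?
    rm -f "$f"; echo "$c"
}
```

Running audit_sample reports two findings against the post's config; changing its ssl_protocols line to TLSv1.2 (adding TLSv1.3 where the Nginx and OpenSSL builds support it) clears them.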

Restart Nginx and you’re done.

To set up automatic renewal of the certificates, add a cron job that runs the renewal process.

sudo crontab -e

Then add the line below and save.

0 1 * * * /usr/bin/certbot renew > /dev/null 2>&1

The cron job runs daily and will attempt renewal once a certificate is within 30 days of expiring. Nginx must be reloaded afterwards to pick up a renewed certificate.

Summary:

This post shows students and new users an easy way to obtain free LetsEncrypt SSL/TLS certificates for the Nginx webserver on Ubuntu 17.04 / 17.10 servers. When you follow the steps above, in no time you’ll be running your Nginx-powered website over HTTPS.

Enjoy!
