Setup Nginx Server Block with Let’s Encrypt on Ubuntu 17.04 | 17.10

Let’s Encrypt is Certificate Authority (CA) that provides free SSL/TLS certificates to anyone who owns a valid domain or website. This brief tutorial shows students and new users how set Nginx server block up to use the free certificates provided by Let’s Encrypt CA.

Let’s Encrypt also provide a tool that automate this process on Linux systems. With the client, it’s easy to obtain, renew and manage the certificates. This process has gotten to good that the entire process can be automated with Apache2 and Nginx webservers.

To setup Nginx websites to use Let’s Encrypt free SSL/TLS certificates, follow the steps below:

Step 1: Setup Nginx Server Block

To enable Let’s Encrypt to automatically install its free SSL/TLS certificates on your Ubuntu server running Nginx, configure the website configuration file with the appropriate domain names you want to apply SSL on.

Open the website configuration file and make sure it contains the domain names you want to obtain the free SSL/TLS certificates for.

sudu nano /etc/nginx/sites-available/yourdomain

Then the file should have a highlighted line defining your domain name.

server {
    listen 80;
    listen [::]:80;
    index  index.php index.html index.htm;


Save the file and close out.

Step 2: Install Let’s Encrypt Client

To get Let’s Encrypt free SSL/TLS certificates on your Ubuntu machine, you should first install it’s client. The client helps automate the process for you. To install it, run the commands below.

sudo add-apt-repository ppa:certbot/certbot
sudo apt-get update
sudo apt-get install python-certbot-nginx

Step 3: Obtaining your free Certificates

Now that you’ve install Let’s Encrypt cert client and have configured the Nginx website with the appropriate domain name, continue below to obtain the certificates. To do that, run the commands below

sudo certbot --nginx -d -d

After running the above commands, you should get prompted to enter your email and accept the licensing terms. If everything is checked, the client should automatically install the free SSL/TLS certificate and configure the Nginx site to use the certs.

Please read the Terms of Service at You must
agree in order to register with the ACME server at
(A)gree/(C)ancel: A

Choose Yes ( Y ) to share your email address

Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about EFF and
our work to encrypt the web, protect its users and defend digital rights.
(Y)es/(N)o: Y

This is how easy is it to obtain your free SSL/TLS certificate for your Nginx powered website.

Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2

Pick option 2 to create a redirect.

After that, the SSL client should install the cert and configure your website to redirect all traffic over HTTPS.

 - Congratulations! Your certificate and chain have been saved at
   /etc/letsencrypt/live/ Your cert will
   expire on 2017-10-23. To obtain a new or tweaked version of this
   certificate in the future, simply run certbot again with the
   "certonly" option. To non-interactively renew *all* of your
   certificates, run "certbot renew"
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:
   Donating to EFF:          

Finally, restart Nginx.

sudo systemctl restart nginx.service

If everything is configured correctly, you website should be configured and accepting all traffic over HTTPS.

Let’s encrypt should add the below lines at the bottom of your Nginx site config file.

    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

    if ($scheme != "https") {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    # Redirect non-https traffic to https
    # if ($scheme != "https") {
    #     return 301 https://$host$request_uri;
    # } # managed by Certbot

You’ll have to manually renew the certificates. You’ll get email reminder to reset when the certificates are about to expire. To test the renewal process run the commands below.

sudo certbot renew --dry-run


You may also like the post below:

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.