
How to Secure NGINX with Let’s Encrypt on Ubuntu 22.04



Website security is no longer a luxury; it is a basic operational necessity.

Any website that wants to offer a trustworthy service must serve its traffic over SSL/TLS. An SSL/TLS certificate lets browsers verify your web server’s identity and establish an encrypted connection to it.

Historically, however, setting up encryption has been expensive and complex.

Let’s Encrypt, a free Certificate Authority (CA), lets you obtain SSL/TLS certificates and enable encryption on your NGINX server at no cost.

In this tutorial, we discuss Let’s Encrypt and how to secure an NGINX server with a Let’s Encrypt certificate.

Let’s start with an overview of Let’s Encrypt.

Table of Contents

  1. What is Let’s Encrypt?
  2. Key Features Of Let’s Encrypt
    1. Free SSL/TLS Certificates
    2. Automatic and Easy Setup
    3. Increased Security
    4. User-Friendly
  3. The Prerequisites to Secure NGINX with Let’s Encrypt
  4. How to Secure NGINX with Let’s Encrypt On Ubuntu
    1. Step #1: Install Certbot
    2. Step #2: Check NGINX Configuration
    3. Step #3: Adjust Firewall to Allow HTTPS Traffic
    4. Step #4: Obtain the SSL/TLS Certificate
    5. Step #5: Enable Automatic Certificate Renewal
  5. Conclusion
  6. FAQs

What is Let’s Encrypt?

Let’s Encrypt is a non-profit certificate authority (CA) that provides free X.509 certificates for Transport Layer Security (TLS) encryption.

Unlike traditional certificate authorities, Let’s Encrypt offers certificates for free and automates the process of obtaining, renewing, and managing them. It simplifies the deployment of HTTPS, especially for small website owners and organizations with limited resources.

Key Features Of Let’s Encrypt

Let’s Encrypt is a well-known Certificate Authority whose certificates are cross-signed by IdenTrust, which allows its end-entity certificates to be accepted by all major browsers.

Some of the key features that differentiate these certificates are:

Free SSL/TLS Certificates

Let’s Encrypt offers SSL/TLS certificates at no cost, making web security accessible to everyone, from small personal blogs to large enterprises.

Automatic and Easy Setup

The process of obtaining, installing, and renewing certificates is automated. This reduces most of the manual effort required for setting up SSL certificates. Tools like Certbot facilitate this automation, making it easier for users to secure their websites.

Increased Security

SSL/TLS certificates provided by Let’s Encrypt ensure that the data exchanged between the web server and the user’s browser is encrypted, protecting it from interception and tampering.

User-Friendly

Designed to be easy to use, Let’s Encrypt, along with tools like Certbot, simplifies the process of setting up HTTPS on popular web servers such as NGINX and Apache.

Now that you have a basic understanding of Let’s Encrypt, let us see how to secure NGINX with Let’s Encrypt. However, before that, let us take a quick look at the prerequisites.

The Prerequisites to Secure NGINX with Let’s Encrypt

Before diving into securing NGINX, ensure you have the following:

  • A system running Ubuntu 20.04 or 22.04
  • A user account with sudo or administrative privileges
  • Access to the terminal/command line
  • NGINX installed and configured on the Ubuntu machine
  • A registered domain name
  • A server block configured for that domain name

How to Secure NGINX with Let’s Encrypt On Ubuntu

Securing your NGINX server with SSL/TLS certificates is essential for protecting user data and ensuring secure communication. Let’s Encrypt provides a simple and free way to obtain these certificates.

Follow these steps to secure your NGINX server with Let’s Encrypt certificates.

Step #1: Install Certbot

Certbot is a free software tool that helps users set up HTTPS using Let’s Encrypt certificates.

Before installing Certbot, refresh your system’s local package index so that apt sees the latest available package versions. Execute the following command:

# sudo apt update

Next, download and install Certbot and its NGINX plugin.

# sudo apt install certbot python3-certbot-nginx

Enter Y to confirm installation and press Enter.

Certbot is now ready to use, but for it to configure SSL for NGINX automatically, we need to verify part of NGINX’s configuration.

Step #2: Check NGINX Configuration

For Certbot to automatically configure SSL, it must be able to find the right server block in your NGINX configuration.

This is done by looking for a server_name directive matching the domain for which the certificate is requested.

As mentioned in the prerequisites, you need a registered domain and an NGINX server block configured for it. Here, we use the server block for example.com, stored in /etc/nginx/sites-available/example.com.

You can check whether it is set up correctly by opening the server block file in your preferred text editor. We recommend Vim or Nano (this tutorial uses Nano).

# sudo nano /etc/nginx/sites-available/example.com

Next, verify that the server_name directive lists the domain name both with and without the www prefix. The existing server_name line should look like this:

server_name example.com www.example.com;

Save the changes and exit the editor.

Next, reload the NGINX service with the following command to apply the changes.

# sudo systemctl reload nginx

Note: If you encounter an error, reopen the server block file and check for any typos or missing characters.

Step #3: Adjust Firewall to Allow HTTPS Traffic

With the NGINX configuration in place, adjust the firewall so that encrypted (HTTPS) traffic can reach the server.

First, confirm that the ufw firewall is enabled by checking its status:

# sudo ufw status

If the output shows Status: active followed by a list of rules, you are ready to modify the firewall. In a typical setup you will see that Nginx HTTP traffic is allowed through the firewall but HTTPS is not.


UFW ships three application profiles for NGINX; to allow HTTPS traffic you need a rule based on one of the last two.

  • Nginx HTTP (allows plain traffic on port 80)
  • Nginx HTTPS (allows encrypted traffic on port 443)
  • Nginx Full (allows traffic on both port 80 and port 443)

You can opt for one of the following methods to allow HTTPS traffic:

  • Add the Nginx HTTPS profile
  • Use Nginx Full

Add the Nginx HTTPS profile

To allow the Nginx HTTPS traffic, execute the following command:

# sudo ufw allow 'Nginx HTTPS'


Use Nginx Full

You can replace the Nginx HTTP profile with Nginx Full, which covers both ports. Allow the full profile first and then delete the now-redundant HTTP rule. Delete it rather than deny it: UFW evaluates rules in the order they were added, so a deny rule for port 80 sitting ahead of Nginx Full would block plain HTTP, which Certbot’s domain validation in the next step and the HTTP-to-HTTPS redirect both rely on. Run the following commands:

# sudo ufw allow 'Nginx Full'

# sudo ufw delete allow 'Nginx HTTP'


Once you have modified the UFW rules, check the status again to verify that the new rules are in place (ufw status must be run as root):

# sudo ufw status

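The checks from Step #2 and Step #3 can be scripted so they run before Certbot is called. The following script is an added example and is not part of the original article or of Certbot. It assumes Ubuntu with ufw and the NGINX package, and takes the domain and the server block path as arguments. It confirms that the server block names the domain, that ufw allows the Nginx HTTP profile (port 80 is needed for Certbot’s HTTP-01 challenge) and the Nginx HTTPS profile, either directly or via Nginx Full, and that the configuration passes nginx -t. The firewall check looks only at the first rule that matches a profile, because ufw applies rules in order and a DENY placed before an ALLOW wins.

```shell
#!/bin/sh
# le-preflight.sh: added example, not part of the original article.
# Runs the checks from Step #2 and Step #3 before "certbot --nginx" is invoked:
#   1. the server block file lists the domain in a server_name directive;
#   2. ufw allows the Nginx HTTP profile (port 80, used by the HTTP-01
#      challenge) and the Nginx HTTPS profile (port 443), directly or via
#      Nginx Full;
#   3. the NGINX configuration passes "nginx -t".
# Assumes Ubuntu with ufw and the NGINX package; the domain and the server
# block path are passed as arguments.

# Print every name from the server_name directives in FILE, one per line.
# Comments are stripped first, so a commented-out directive is not counted.
server_names() {
    sed 's/#.*$//' "$1" | awk '
        /^[[:space:]]*server_name[[:space:]]/ {
            sub(/;.*$/, "")                  # drop the terminating ";"
            for (i = 2; i <= NF; i++) print $i
        }'
}

# Succeed if DOMAIN is listed (exact match) in a server_name directive of FILE.
block_covers() {
    server_names "$2" | grep -qx "$1"
}

# Read "ufw status" output on stdin and succeed if the first rule that
# mentions PROFILE (or "Nginx Full", which includes it) is an ALLOW rule.
# Only the first match counts because ufw applies rules in order.
ufw_allows() {
    awk -v p="$1" '
        $0 ~ ("^(" p "|Nginx Full)[ \t]+(ALLOW|DENY)[ \t]") {
            found = 1; allowed = ($3 == "ALLOW"); exit
        }
        END { exit !(found && allowed) }'
}

main() {
    domain=$1; file=$2; rc=0
    if block_covers "$domain" "$file"; then
        echo "ok:   $file names $domain"
    else
        echo "FAIL: $file has no server_name entry for $domain"; rc=1
    fi
    status=$(sudo ufw status)
    for profile in 'Nginx HTTP' 'Nginx HTTPS'; do
        if printf '%s\n' "$status" | ufw_allows "$profile"; then
            echo "ok:   firewall allows $profile"
        else
            echo "FAIL: firewall does not allow $profile"; rc=1
        fi
    done
    if sudo nginx -t; then
        echo "ok:   nginx configuration is valid"
    else
        rc=1
    fi
    return $rc
}

# Usage: sh le-preflight.sh example.com /etc/nginx/sites-available/example.com
if [ $# -eq 2 ]; then main "$@"; fi
```

The two parsing functions take plain text, so they can also be exercised against a saved copy of a server block and of ufw status output without touching the live system; a non-zero exit from the script means at least one precondition for Step #4 is missing.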

Step #4: Obtain the SSL/TLS Certificate

Certbot can obtain SSL certificates in several ways through plugins. Its NGINX plugin makes the required changes to NGINX’s configuration and reloads the server as needed.

To generate certificates using the NGINX plugin, execute the command:

# sudo certbot --nginx -d example.com -d www.example.com

You will now be prompted to enter the email address and accept the terms of service.

Once the configuration is updated, NGINX reloads to put the changes into effect.

Certbot displays a message confirming the successful generation of the certificate, along with its location.

Step #5: Enable Automatic Certificate Renewal

Let’s Encrypt certificates are valid for 90 days. Therefore, users need to automate their certificate renewal process.

To automate the renewal process, follow these steps.

Access the current user’s crontab configuration file.

# crontab -e

Add a cron job that runs the certbot renew command. Certbot renews only certificates that are within 30 days of expiry and leaves the rest untouched, so the job is safe to run often. Set it to run daily at a fixed time (here, 5:00 a.m.) by adding the following line. Do not prefix it with a #: in a crontab, a # starts a comment and the job would never run.

0 5 * * * /usr/bin/certbot renew --quiet

Here,

--quiet: suppresses all output except errors, so a successful renewal produces no cron mail.


Save the modifications and exit the editor.
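Because --quiet silences successful runs, a renewal that quietly stops working (a changed DNS record, a firewall rule that no longer lets port 80 through) only surfaces when the certificate expires. The script below is an added example, not from the article or the Certbot project, for checking that renewal is actually happening. It assumes the Ubuntu certbot package (which also installs a certbot.timer unit that runs certbot renew twice a day, so the cron job from this step is a harmless duplicate of it) and openssl. The 30-day threshold and the /etc/letsencrypt/live/<domain>/fullchain.pem path are assumptions: Certbot renews 30 days before expiry, so any live certificate still inside that window means renewal is not running.

```shell
#!/bin/sh
# le-renewal-check.sh: added example, not part of the original article.
# Verifies that the renewal set up in Step #5 actually works, and flags any
# certificate under /etc/letsencrypt/live that is closer to expiry than the
# 30-day window in which "certbot renew" should already have replaced it.
# Assumes the Ubuntu certbot package (which also installs certbot.timer) and
# openssl; the threshold and certificate directory are assumptions, not
# values from the article, and can be overridden via the environment.

LIVE_DIR=${LIVE_DIR:-/etc/letsencrypt/live}
WARN_DAYS=${WARN_DAYS:-30}

# Succeed (exit 0) if the certificate in FILE expires within DAYS days.
# openssl's -checkend exits 0 when the certificate is still valid after the
# given number of seconds, so the result is inverted here.
cert_expires_within() {
    days=$1; file=$2
    if openssl x509 -noout -checkend "$((days * 86400))" -in "$file" >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# Print the certificate's notAfter date, e.g. "Mar 10 12:00:00 2026 GMT".
cert_not_after() {
    openssl x509 -noout -enddate -in "$1" | sed 's/^notAfter=//'
}

# Check every live certificate; return 1 if any is inside the warning window.
check_live_certs() {
    rc=0
    for cert in "$LIVE_DIR"/*/fullchain.pem; do
        [ -f "$cert" ] || continue
        name=$(basename "$(dirname "$cert")")
        if cert_expires_within "$WARN_DAYS" "$cert"; then
            echo "WARN: $name expires $(cert_not_after "$cert"); renewal should already have run"
            rc=1
        else
            echo "ok:   $name expires $(cert_not_after "$cert")"
        fi
    done
    return $rc
}

main() {
    # The apt package ships certbot.timer, which runs "certbot renew" twice a
    # day; a cron job on top of it is harmless, but at least one must exist.
    if systemctl is-active --quiet certbot.timer; then
        echo "ok:   certbot.timer is active"
    elif crontab -l 2>/dev/null | grep -q 'certbot renew'; then
        echo "ok:   certbot renew is scheduled in the user crontab"
    else
        echo "WARN: no certbot.timer and no cron entry found"
    fi
    # A dry run exercises the whole renewal path against the staging CA
    # without replacing anything, so a broken challenge shows up now.
    certbot renew --dry-run
    check_live_certs
}

# Usage: sudo sh le-renewal-check.sh --run
if [ "${1:-}" = "--run" ]; then main; fi
```

Run it as root (it reads the private directories under /etc/letsencrypt and calls certbot); a non-zero exit or a WARN line is the signal to investigate before the certificate lapses, which is the alert the FAQ on expiration recommends setting up.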

Conclusion

Using Let’s Encrypt SSL with NGINX on Ubuntu 22.04 is a straightforward process that helps secure your website and protect your visitors’ data.

By following the steps outlined in this guide, you can easily set up HTTPS encryption for your NGINX server, ensuring a safe and trustworthy browsing experience for your users.

FAQs

Q. How do I update DNS records for Let’s Encrypt?

Ensure your domain’s DNS records point to your server’s public IP address. This is essential for the verification process.

Q. How do I check the status of the Let’s Encrypt service?

You can check the status using the command systemctl status nginx and systemctl status certbot to ensure both Nginx and Certbot are running properly.

Q. What is the process for renewing a Let’s Encrypt certificate?

Certificates can be renewed using the command certbot renew. This should be automated using a cron job for regular renewals.

Q. Which domain registrars support Let’s Encrypt SSL?

All major domain registrars support Let’s Encrypt. Ensure your registrar allows DNS record modifications.

Q. How do I find my server’s public IP address?

Use curl ifconfig.me or check your cloud provider’s dashboard to find your server’s public IP address.

Q. Where are the Let’s Encrypt key files stored?

Key files are typically stored in the /etc/letsencrypt/live/yourdomain/ directory.

Q. How do I configure the Nginx server configuration file for SSL?

Update your Nginx configuration file (/etc/nginx/sites-available/yourdomain) to include SSL directives pointing to your Let’s Encrypt certificate and key files.

Q. What tools can I use for certificate management with Let’s Encrypt?

Use Certbot for managing certificates, including issuance, renewal, and revocation.

Q. How do I know if my server certificate is close to expiration?

Check your certificate’s expiration date with sudo certbot certificates and set up alerts to notify you before it expires.

Q. How can I automate the renewal process before the certificate expires?

Use a cron job: adding 0 0,12 * * * root certbot renew --quiet to /etc/crontab runs the renewal twice a day. The sixth field (root) names the user to run the job as and is valid only in the system-wide /etc/crontab or in a file under /etc/cron.d; in a per-user crontab opened with crontab -e, leave that field out.
