How to Secure Your Nginx Website Using Let’s Encrypt on Ubuntu

Here is how you can secure your Nginx website using Let’s Encrypt Certificate on Ubuntu. In particular on Vultr‘s instance i.e. Ubuntu 18.04 LTS / 20.04 LTS.

Prerequisites

• Have an Ubuntu 18.04 x64 / 20.04 x64 instance.
• Logged in as root with sudo privileges.
• Installed Nginx
• A fully registered domain name. We use yourdomain.com throughout. You can purchase a domain name on Namecheap, or use the domain registrar of your choice.

Both of the following DNS records set up for your server. i.e.

• An A record with yourdomain.com pointing to your server’s public IP address.
• An A record with www.yourdomain.com pointing to your server’s public IP address.

Step 1: Install Certbot

Certbot is an automated SSL installer that Let’s Encrypt uses so we are going to install that. So write the following command.

sudo apt install certbot python3-certbot-nginx

You can verify the Certbot by using the following command

certbot --version

Step 2: Confirming Nginx’s Configuration

You should have a server block for your domain i.e. yourdomain.com in Nginx at /etc/nginx/sites-available/yourdomain.com with the server_name directive already set appropriately.

To check, open the server block file for your domain using nano text editor with the following command:

sudo nano /etc/nginx/sites-available/yourdomain.com

Find the existing server_name line. It should look like this:

...
server_name yourdomain.com www.yourdomain.com;
...

If it does, exit your editor and obtain an SSL certificate and get Certbort to do all the configuration by itself for Nginx.

sudo certbot --nginx -d yourdomain.com -d www.yourdomain.com -m [email protected] --agree-tos --no-eff-email

This runs Certbot with the --nginx plugin, using -d to specify the names we’d like the certificate to be valid for.

If this is your first time running, you will be prompted to enter an email address and agree to the terms of service. After doing so, Certbot will communicate with the Let’s Encrypt server, then run a challenge to verify that you control the domain you’re requesting a certificate for.

If that’s successful, Certbot will ask how you’d like to configure your HTTPS settings.

OutputPlease choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
-------------------------------------------------------------------------------
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for new sites, or if you're confident your site works on HTTPS. You can undo this change by editing your web server's configuration. -------------------------------------------------------------------------------
Select the appropriate number [1-2] then [enter] (press 'c' to cancel):

Select your choice then hit ENTER. The configuration will be updated, and Nginx will reload to pick up the new settings. Certbot will wrap up with a message telling you the process was successful and where your certificates are stored:

Output
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at: /etc/letsencrypt/live/yourdomain.com/fullchain.pem Your key file has been saved at: /etc/letsencrypt/live/yourdomain.com/privkey.pem Your cert will expire on 2018-07-23. To obtain a new or tweaked version of this certificate in the future, simply run certbot again with the "certonly" option. To non-interactively renew *all* of your certificates, run "certbot renew"
- Your account credentials have been saved in your Certbot configuration directory at /etc/letsencrypt. You should make a secure backup of this folder now. This configuration directory will also contain certificates and private keys obtained by Certbot so making regular backups of this folder is ideal.
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le

Your certificates are downloaded, installed, and loaded. Try reloading your website using https:// and notice your browser’s security indicator. It should indicate that the site is properly secured, usually with a green lock icon. If you test your server using the SSL Labs Server Test, it will get an A grade.

Step 3 — Auto-Renewal Let’s Encrypt Certificate

Let’s Encrypt certificates are only valid for ninety days. This is to encourage users to automate their certificate renewal process. The Certbot we installed takes care of this for us by adding a renew script to /etc/cron.d. This script runs twice a day and will automatically renew any certificate that’s within thirty days of expiration.

You can see this cronjob in /etc/cron.d/certbot file:

0 */12 * * * root test -x /usr/bin/certbot -a \! -d /run/systemd/system && perl -e 'sleep int(rand(43200))' && certbot -q renew

To test the renewal process, you can do a dry run with Certbot:

sudo certbot renew - dry-run

Conclusion

Now you have learned how to secure your Nginx website using Let’s Encrypt on Ubuntu.

If you have a question or facing any problems, feel free to leave a comment.