Secure Nginx with Let's Encrypt on Ubuntu 18.04 - How to do it ?

Let's Encrypt is a free and open Certificate Authority (CA). It provides a simple way to obtain, install and renew free TLS/SSL certificates. 

Here at LinuxAPT, as part of our Server Management Services, we regularly help our Customers to perform related Nginx queries.

In this context, we shall look into how to obtain and install free Let’s Encrypt SSL certificate and Secure Nginx on Ubuntu 18.04 server.

How to Install Let's Encrypt on Ubuntu ?

Before performing this Installation Procedure, ensure that the following requirements are met:

• Ubuntu server with a non-root user with sudo privileges.
• Nginx must installed and configured, as shown in this Guide.
• Have a Nginx server block for your domain, as shown in this Guide.
• Your domain name should pointing to your server IP address.

Now, follow the steps to use Certbot tool to obtain a free SSL certificate for Nginx on Ubuntu 18.04 server.

1. Install Certbot Client

You can easily obtain, install and renew Let's Encrypt SSL certificates, using Certbot client package. It is useful to configure web servers to use the SSL certificates. The certbot package is included in the default Ubuntu repositories.

First of all, we will update the packages list index by typing:

$ sudo apt update

Now install Certbot client by executing below command:

$ sudo apt install python-certbot-nginx

Also, you can verify that certbot is installed successfully or not by typing:

$ certbot --version

2. Configure Firewall

If your server is protected by UFW firewall then you need to adjust firewall to allow HHTPS traffic.

To see the current settings by type:

$ sudo ufw status

Output
Status: active
To                         Action      From
--                         ------      ----
OpenSSH                    ALLOW       Anywhere                  
Nginx HTTP                 ALLOW       Anywhere                  
OpenSSH (v6)               ALLOW       Anywhere (v6)             
Nginx HTTP (v6)            ALLOW       Anywhere (v6)

To get HTTPS traffic, you need to allow the Nginx Full profile and delete the redundant Nginx HTTP profile allowance:

$ sudo ufw allow 'Nginx Full'
$ sudo ufw delete allow 'Nginx HTTP'

Now status will look like as below:

Output
Status: active
To                         Action      From
--                         ------      ----
OpenSSH                    ALLOW       Anywhere                  
Nginx Full                 ALLOW       Anywhere                  
OpenSSH (v6)               ALLOW       Anywhere (v6)             
Nginx Full (v6)            ALLOW       Anywhere (v6)

3. Get Let's Encrypt SSL Certificate on Nginx

You can obtain SSL certificates with multiple ways.

i. Here, we will use certbot client to obtain a SSL certificate:

$ sudo certbot --nginx -d example.com -d www.example.com

Here, we are requesting for example.com and www.example.com domains. If this is first time to install then it will ask you enter email address and agree terms and conditions. Entered email address will be used for sending email alerts related to SSL renewal and expiration.

Next, If validation got success it will ask you to configure HTTPS settings:

Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
-------------------------------------------------------------------------------
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
-------------------------------------------------------------------------------
Select the appropriate number [1-2] then [enter] (press 'c' to cancel):

ii. Select option 1 or 2 as per your choice and hit Enter to continue. Nginx Server Blocks will update based on your selected option and it will reload Nginx to take new settings effect.

Finally, your domain is secured with Let's Encrypt SSL certificate. You can verify by visiting your site with HTTPS protocol.

How to set Auto Renew  for Let's Encrypt SSL certificate ?

Let's Encrypt SSL certificates have short-life period of 90 days so you need to renew it before it expire.

i. You can renew SSL certificate before it get expired by typing:

$ sudo certbot renew

ii. In addition, you can setup auto renew process for Let’s Encrypt SSL certificates by adding a cronjob. Execute below command to open crontab:

$ sudo crontab -e

iii. Next, add the below line at end of file. It will run the command twice a day and renews if the certificate is about to expire:

0 */12 * * * root test -x /usr/bin/certbot -a ! -d /run/systemd/system && perl -e 'sleep int(rand(43200))' && certbot -q renew

iv. Save and close the file.

v. You also can verify certbot auto-renewal process by typing:

$ sudo certbot renew --dry-run

[Need assistance in fixing Nginx errors? We can help you. ]