How to Secure Nginx with Let’s Encrypt on Ubuntu?
Let’s Encrypt is a Certificate Authority (CA) that provides free TLS/SSL certificates, enabling encrypted HTTPS on web servers. Obtaining and installing a certificate is fully automated for both Apache and Nginx.
The following steps describe how to configure a Let’s Encrypt SSL certificate for Nginx.
First, make sure the DNS records for the server are set up correctly, so that the automated installation can obtain the certificate: an A record for velaninfo.com and one for www.velaninfo.com, both pointing to the server’s public IP address.
Install the Certbot software on the server; it is the client that obtains the certificate from Let’s Encrypt.
Add the Certbot repository with the following command:
$ sudo add-apt-repository ppa:certbot/certbot
Then install Certbot’s Nginx package:
$ sudo apt install python-certbot-nginx
Next, confirm that Nginx is configured correctly so that the certificate can be installed automatically. Open the server block file for the domain:
$ sudo nano /etc/nginx/sites-available/velaninfo.com
and look for the server_name directive; it should list both hostnames:
server_name velaninfo.com www.velaninfo.com;
If the entry exists, exit the editor and move on to the next step.
Verify the syntax of your configuration edits:
$ sudo nginx -t
If you see an error, reopen the server block file and check for typos or missing characters. Then reload Nginx to load the new configuration:
$ sudo systemctl reload nginx
Certbot can now find the correct server block and update it.
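A check worth running before the certbot step, added here as an example and not taken from the original tutorial: a POSIX shell function that confirms the server block's server_name directive lists every hostname you will later pass with -d. The sample server block, the temporary file names and the function name are constructed for illustration.

```shell
#!/bin/sh
# Added example (not part of the original tutorial): before running certbot,
# confirm that the Nginx server block names every hostname the certificate
# will be requested for. A hostname missing from server_name means the nginx
# plugin cannot find the block to edit; a misspelt one (velaninfo.com.com)
# means the vhost will never serve the name certbot is asked to validate.

# Usage: check_server_names <nginx-conf-file> <domain>...
# Prints each missing hostname on stderr; returns 0 if all are present, else 1.
check_server_names() {
    conf="$1"; shift
    # Collect every name from all server_name directives in the file
    # (comments stripped; assumes each directive fits on one line).
    names=$(awk '
        { sub(/#.*/, "") }
        $1 == "server_name" {
            for (i = 2; i <= NF; i++) { n = $i; sub(/;$/, "", n); if (n != "") print n }
        }' "$conf")
    rc=0
    for d in "$@"; do
        if ! printf '%s\n' "$names" | grep -qxF -- "$d"; then
            printf 'missing server_name entry: %s\n' "$d" >&2
            rc=1
        fi
    done
    return $rc
}

# Constructed sample server block that reproduces the apex-name typo
# (velaninfo.com.com) a reader could easily type into the real file.
SAMPLE_CONF=$(mktemp)
FIXED_CONF=$(mktemp)
trap 'rm -f "$SAMPLE_CONF" "$FIXED_CONF"' EXIT
cat > "$SAMPLE_CONF" <<'EOF'
server {
    listen 80;
    server_name velaninfo.com.com www.velaninfo.com;   # typo in the apex name
    root /var/www/velaninfo.com/html;
}
EOF
# Corrected copy of the same block, as the tutorial intends it.
sed 's/velaninfo\.com\.com/velaninfo.com/' "$SAMPLE_CONF" > "$FIXED_CONF"

check_server_names "$SAMPLE_CONF" velaninfo.com www.velaninfo.com \
    && echo "sample config: ok" || echo "sample config: fix server_name before running certbot"
check_server_names "$FIXED_CONF" velaninfo.com www.velaninfo.com \
    && echo "fixed config: ok"
```

Run it against the real file as check_server_names /etc/nginx/sites-available/velaninfo.com velaninfo.com www.velaninfo.com and only proceed to certbot once it returns 0.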
If ufw is enabled on the server, follow the steps below to allow HTTPS requests from external networks. Check the current rule set:
$ sudo ufw status
To                         Action      From
--                         ------      ----
OpenSSH                    ALLOW       Anywhere
Nginx HTTP                 ALLOW       Anywhere
OpenSSH (v6)               ALLOW       Anywhere (v6)
Nginx HTTP (v6)            ALLOW       Anywhere (v6)
Run the following commands to allow Nginx HTTPS traffic through ufw. The 'Nginx Full' profile opens both port 80 and port 443, so the separate 'Nginx HTTP' rule becomes redundant and can be deleted:
$ sudo ufw allow 'Nginx Full'
$ sudo ufw delete allow 'Nginx HTTP'
The Nginx plugin takes care of reconfiguring Nginx and reloading the configuration whenever necessary. To use the plugin, run Certbot with the --nginx option and one -d flag per hostname the certificate should cover:
$ sudo certbot --nginx -d velaninfo.com -d www.velaninfo.com
Certbot then asks whether HTTP traffic should be redirected to HTTPS:
Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for new sites, or if you're confident your site works on HTTPS. You can undo this change by editing your web server's configuration.
Select the appropriate number [1-2] then [enter] (press 'c' to cancel):
When the process completes, Certbot prints a summary similar to the following:
- Congratulations! Your certificate and chain have been saved at:
  /etc/letsencrypt/live/velaninfo.com/fullchain.pem
  Your key file has been saved at:
  Your cert will expire on 2018-07-23. To obtain a new or tweaked
  version of this certificate in the future, simply run certbot again
  with the "certonly" option. To non-interactively renew *all* of
  your certificates, run "certbot renew"
- Your account credentials have been saved in your Certbot
  configuration directory at /etc/letsencrypt. You should make a
  secure backup of this folder now. This configuration directory will
  also contain certificates and private keys obtained by Certbot so
  making regular backups of this folder is ideal.
- If you like Certbot, please consider supporting our work by:
  Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
  Donating to EFF: https://eff.org/donate-le
Let’s Encrypt certificates are valid for 90 days, so they need to be renewed regularly. The Certbot package we installed takes care of this by adding a renewal script to /etc/cron.d. The script runs twice a day and automatically renews any certificate that is within thirty days of expiration.
You can do a dry run with Certbot to test the renewal process:
$ sudo certbot renew --dry-run
If you see no errors, you’re all set.
At Velan, our server support engineers can help you secure Nginx with a Let’s Encrypt SSL certificate. We troubleshoot problems like these for our clients every day. If you are interested in our service, please fill in the Quick connect form to get in touch with us.