How to secure Nginx with Let's Encrypt on Ubuntu 18.04


Introduction

Let's Encrypt is a Certificate Authority (CA) that provides a way to obtain and install free TLS/SSL certificates, thereby enabling encrypted HTTPS on web servers. It simplifies this process by providing a software client, Certbot, that attempts to automate most (if not all) of the required steps. Currently, the entire process of obtaining and installing a certificate on Apache and Nginx is fully automated.

In this tutorial, you will use Certbot to obtain a free SSL certificate for Nginx on Ubuntu 18.04 and set your certificate to auto-renew.

Prerequisites
  • An Ubuntu 18.04 server set up by following the initial server setup guide for Ubuntu 18.04, including a non-root user with sudo privileges and a firewall.
  • A fully registered domain name. This tutorial uses your_domain throughout. You can buy a domain name at Namecheap, get one for free at Freenom, or use a domain registrar of your choice.
  • Both of the following DNS records set up for your server. For details on how to add them, you can follow this introduction to DigitalOcean DNS.
      • An A record with your_domain pointing to the public IP address of your server.
      • An A record with www.your_domain pointing to the public IP address of your server.
  • Nginx installed by following how to install Nginx on Ubuntu 18.04. Make sure you have a server block for your domain. This tutorial uses /etc/nginx/sites-available/your_domain as an example.

Step 1 – Install Certbot

The first step to using Let's Encrypt to obtain an SSL certificate is to install the Certbot software on your server.

The Certbot project recommends that most users install software via snap, a package manager originally developed by Canonical (the company behind Ubuntu) and now available in many Linux distributions:

sudo snap install --classic certbot

Your output will show the current version of Certbot and a successful installation:

Output
certbot 1.21.0 from Certbot Project (certbot-eff✓) installed

Next, create a symbolic link to the newly installed executable /snap/bin/certbot from the /usr/bin/ folder. This ensures that the certbot command can be run properly on your server. To do this, run the following ln command. It includes the -s flag, which creates a symbolic or soft link, as opposed to a hard link:

sudo ln -s /snap/bin/certbot /usr/bin/certbot

Certbot is now ready to use, but before it can configure SSL for Nginx, you need to verify some Nginx settings.

Step 2 – Verify Nginx Configuration

Certbot needs to be able to find the correct server block in your Nginx configuration so that it can automatically configure SSL. Specifically, it does this by looking for a server_name directive that matches the domain for which you are requesting a certificate.

If you follow the recommended server block setup step in the Nginx installation tutorial, you will have a server block for your domain in /etc/nginx/sites-available/your_domain with the server_name directive already set up appropriately.

To check, open your domain's server block file using nano or your favorite text editor:

sudo nano /etc/nginx/sites-available/your_domain

Find the existing server_name line. It should look like this:

...
server_name your_domain www.your_domain;
...

If so, exit your editor and move on to the next step.

If it doesn't, update it to match. Then save the file and exit your editor. If you're using nano, you can do this by pressing CTRL + X then Y and ENTER.

Now verify the syntax of your configuration edits:

sudo nginx -t

If you get an error, reopen the server block file and check for typos or missing characters. Once the syntax of your configuration file is correct, reload Nginx to load the new configuration:

sudo systemctl reload nginx

Certbot can now find the correct server block and update it.
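The check above is done by eye in an editor. The following shell script is an added example, not part of the original tutorial: it scans every file in an Nginx configuration directory, ignores comments, and reports the files whose server_name directive lists a given domain exactly, which is the match Certbot's --nginx plugin depends on. The directory default and the configuration it creates under /tmp for its self-check are constructed for illustration; they are not a real server's files.

```shell
#!/bin/sh
# Added example (not from the original tutorial): find the Nginx server block
# whose server_name lists a domain, as Certbot's --nginx plugin needs.
# The default directory is an assumption; pass another as the second argument.

# Usage: find_server_block <domain> [conf_dir]
# Prints each file whose server_name names the domain exactly.
# Returns 0 when at least one file matched, 1 otherwise.
find_server_block() {
    domain="$1"
    conf_dir="${2:-/etc/nginx/sites-enabled}"
    found=1
    for f in "$conf_dir"/*; do
        [ -f "$f" ] || continue
        # 1. drop comments so a commented-out server_name cannot match
        # 2. keep only server_name lines
        # 3. strip the directive name and the trailing ';'
        # 4. one name per line, then look for an exact (fixed-string) match
        sed 's/#.*$//' "$f" \
          | grep -E '^[[:space:]]*server_name[[:space:]]' \
          | sed -e 's/^[[:space:]]*server_name[[:space:]]*//' -e 's/;.*$//' \
          | tr ' \t' '\n\n' \
          | grep -qxF "$domain" && { echo "$f"; found=0; }
    done
    return $found
}

# Self-check on a constructed configuration directory (not a real server):
# one block for your_domain and www.your_domain, one default block whose
# only mention of your_domain is inside a comment.
demo_server_block_check() {
    tmp=$(mktemp -d)
    cat > "$tmp/your_domain" <<'EOF'
server {
    listen 80;
    server_name your_domain www.your_domain;   # set by the prerequisite tutorial
    root /var/www/your_domain/html;
}
EOF
    cat > "$tmp/default" <<'EOF'
server {
    listen 80 default_server;
    # server_name your_domain;  commented out, must not match
    server_name _;
}
EOF
    for name in your_domain www.your_domain other.example; do
        if find_server_block "$name" "$tmp" >/dev/null; then
            echo "$name: server block found"
        else
            echo "$name: no server block, Certbot would not configure it"
        fi
    done
    rm -rf "$tmp"
}

demo_server_block_check
```

On a real host, run `find_server_block www.your_domain` (or give the sites-available directory as the second argument) after `sudo nginx -t` succeeds; a domain with no match is the usual reason Certbot reports that it could not find a matching server block.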

Next, you update the firewall to allow HTTPS traffic.

Step 3 – Allow HTTPS through the firewall

If you have enabled the ufw firewall, as recommended by the prerequisite guides, you will need to adjust the settings to allow HTTPS traffic. Fortunately, Nginx registers a few profiles with ufw upon installation.

You can check the current settings by running the following:

sudo ufw status

You should get output like the following, indicating that only HTTP traffic is allowed to the web server:

Output
Status: active

To                         Action      From
--                         ------      ----
OpenSSH                    ALLOW       Anywhere
Nginx HTTP                 ALLOW       Anywhere
OpenSSH (v6)               ALLOW       Anywhere (v6)
Nginx HTTP (v6)            ALLOW       Anywhere (v6)

To allow additional HTTPS traffic, grant full Nginx profile permission and remove the additional Nginx HTTP permission:

sudo ufw allow 'Nginx Full'
sudo ufw delete allow 'Nginx HTTP'

Now when you run the ufw status command, it will reflect these new rules:

sudo ufw status

Output
Status: active

To                         Action      From
--                         ------      ----
OpenSSH                    ALLOW       Anywhere
Nginx Full                 ALLOW       Anywhere
OpenSSH (v6)               ALLOW       Anywhere (v6)
Nginx Full (v6)            ALLOW       Anywhere (v6)

Next, you will run Certbot and obtain your certificates.

Step 4 – Obtain an SSL Certificate

Certbot offers several ways to obtain SSL certificates through plugins. The Nginx plugin will reconfigure Nginx and reload the configuration if necessary. To use this plugin, run the following:

sudo certbot --nginx -d your_domain -d www.your_domain

This runs certbot with the --nginx plugin and uses -d to specify each name for which you want the certificate to be valid (here both the bare domain and the www subdomain, matching the server_name line from Step 2).

If this is your first time running certbot, you will be asked to enter an email address and agree to the terms of service. Once you do this, certbot will contact the Let's Encrypt server to request a certificate for your domain. If successful, you will receive the following output:

Output
Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/your_domain/fullchain.pem
Key is saved at: /etc/letsencrypt/live/your_domain/privkey.pem
This certificate expires on 2022-01-27.
These files will be updated when the certificate renews.
Certbot has set up a scheduled task to automatically renew this certificate in the background.
Deploying certificate
Successfully deployed certificate for your_domain to /etc/nginx/sites-enabled/your_domain
Successfully deployed certificate for www.your_domain to /etc/nginx/sites-enabled/your_domain
Congratulations! You have successfully enabled HTTPS on https://your_domain and https://www.your_domain
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
If you like Certbot, please consider supporting our work by:
* Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
* Donating to EFF: https://eff.org/donate-le
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Your certificates will be downloaded, installed, and loaded. Try reloading your website using https:// and pay attention to your browser's security indicator. It should show that the site is properly secured, usually with a green lock icon. If you test your server using SSL Labs' server test, it will get an A score.

Now that you have received your SSL certificate, the final step is to test the renewal process.

Step 5 – Certbot Auto-Renewal Verification

Let's Encrypt certificates are only valid for ninety days. This is to encourage users to automate the certificate renewal process. The certbot package you installed takes care of this by adding a renewal script to /etc/cron.d. This script runs twice a day and automatically renews any certificate that is within thirty days of expiration.

To test the renewal process, you can do a dry run with certbot:

sudo certbot renew --dry-run

If you don't get an error, you're all set. If necessary, Certbot will renew your certificates and reload Nginx to pick up the changes. If the automatic renewal process fails, Let's Encrypt will send a message to the email you specified, alerting you when your certificate is about to expire.
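The dry run above exercises the renewal machinery but says nothing about how close the current certificate is to the thirty-day window. The script below is an added example, not part of the original tutorial: it computes the days remaining until an expiry date, classifies that against the thirty-day renewal window described above, and (on a real host) reads the expiry date out of a certificate with openssl. It assumes GNU date (for -d) and openssl are installed; the dates used in the self-check are constructed, taking the 2022-01-27 expiry shown in the Certbot output above as the reference.

```shell
#!/bin/sh
# Added example (not from the original tutorial): check a certificate's
# expiry against Certbot's 30-day renewal window.
# Assumes GNU coreutils date (-d) and, for real certificates, openssl.

# days_until <YYYY-MM-DD> [now_epoch]: whole days from now (UTC) until the date.
# The optional second argument fixes "now" so results are reproducible.
days_until() {
    target=$(date -u -d "$1" +%s)
    now=${2:-$(date -u +%s)}
    echo $(( (target - now) / 86400 ))
}

# renewal_state <days>: where the certificate sits relative to the window.
#   expired   -> already past notAfter, clients will refuse the connection
#   renew-due -> within 30 days, Certbot's scheduled job should be renewing it
#   ok        -> outside the window, nothing to do yet
renewal_state() {
    if [ "$1" -lt 0 ]; then
        echo expired
    elif [ "$1" -le 30 ]; then
        echo renew-due
    else
        echo ok
    fi
}

# cert_expiry_date <fullchain.pem>: notAfter of the first certificate in the
# file as YYYY-MM-DD (openssl prints e.g. "notAfter=Jan 27 12:00:00 2022 GMT").
cert_expiry_date() {
    raw=$(openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//')
    date -u -d "$raw" +%Y-%m-%d
}

# Self-check with constructed dates: the expiry from the tutorial's output,
# observed from three different "today" values.
for today in 2021-12-01 2022-01-10 2022-02-01; do
    d=$(days_until 2022-01-27 "$(date -u -d "$today" +%s)")
    echo "on $today: $d days left, state=$(renewal_state "$d")"
done

# On a real host, pass the live certificate path (an assumed location from
# the Certbot output above) to see the current state:
#   d=$(days_until "$(cert_expiry_date /etc/letsencrypt/live/your_domain/fullchain.pem)")
#   renewal_state "$d"
```

Running this from cron or a monitoring agent and alerting on anything other than `ok` catches the case the tutorial warns about, a renewal that silently fails, before the expiry e-mail from Let's Encrypt arrives.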

Result

In this tutorial, you installed the Let's Encrypt client certbot, downloaded SSL certificates for your domain, configured Nginx to use these certificates, and set up automatic certificate renewal. If you have more questions about using Certbot, their documentation is a good place to start.
