Let’s Encrypt is a Certificate Authority (CA) that provides free SSL/TLS certificates. These certificates encrypt the traffic between your web server and the visitor’s browser. Certbot is a software client that automates the tasks of obtaining certificates and configuring web servers to use them. Currently, the process is fully automated on Apache and Nginx web servers.
In this guide, we explain the process of securing an SSL certificate for your Nginx on Ubuntu 20.04 by installing Certbot.
Before that there are prerequisites to consider for a hassle-free configuration.
Prerequisites
- Ubuntu 20.04 server, with a sudo-enabled non-root user and a firewall configured.
- Registered domain name. If not done yet, MilesWeb provides the relevant domains like .com, .net, .in and many more.
- Set up both of the following DNS records for your server:
- A DNS “A” record for example.com pointing to your server’s public IP address.
- A DNS “A” record for www.example.com pointing to the same public IP address.
- Nginx installed, with a server block configured for your domain.
Steps to Secure Nginx with Let’s Encrypt on Ubuntu 20.04
1. Installing Certbot
Obtaining an SSL certificate with Let’s Encrypt requires installing the Certbot software on the server.
Install Certbot together with its Nginx plugin as follows:
sudo apt install certbot python3-certbot-nginx
Certbot is now ready for use, but we need to verify some Nginx configurations before it automatically configures SSL for Nginx.
2. Confirming Nginx’s Configuration
For Certbot to be able to automatically configure SSL, it needs to be able to locate the correct server block in Nginx configuration. This works by searching for a ‘server_name’ directive that corresponds to the domain for which you are requesting a certificate.
If you followed the Nginx installation tutorial, you should already have a server block for the domain at /etc/nginx/sites-available/example.com with the server_name directive set appropriately.
In nano or any text editor, open the configuration file for the domain:
sudo nano /etc/nginx/sites-available/example.com
Check whether a server_name line is already present. It should look like this:
server_name example.com www.example.com; ...
Continue to the next step if it does.
If it does not, update it. After saving the file and quitting the editor, verify the syntax of your configuration edits:
sudo nginx -t
If you get an error, reopen the server block file and check for typos or syntax mistakes. Once the test passes, reload Nginx to deploy the new configuration with the following command:
sudo systemctl reload nginx
Certbot can now find and update the correct server block. Next, update the firewall settings to allow HTTPS traffic.
3. Allowing HTTPS Through the Firewall
Next, you need to adjust the firewall settings to allow HTTPS traffic. Before that, ensure the ufw firewall is enabled; this is one of the prerequisites for a hassle-free installation. When Nginx is installed, it automatically registers a few application profiles with ufw.
Check the current settings by entering the following command in the terminal:
sudo ufw status
Here is the output you get when only HTTP traffic is allowed to the web server:
Output
Status: active

To                         Action      From
--                         ------      ----
OpenSSH                    ALLOW       Anywhere
Nginx HTTP                 ALLOW       Anywhere
OpenSSH (v6)               ALLOW       Anywhere (v6)
Nginx HTTP (v6)            ALLOW       Anywhere (v6)
In order to allow HTTPS traffic, allow the Nginx Full profile and delete the redundant Nginx HTTP profile:
sudo ufw allow 'Nginx Full'
sudo ufw delete allow 'Nginx HTTP'
Enter this command to check the final status:
sudo ufw status
The final output:
Output
Status: active

To                         Action      From
--                         ------      ----
OpenSSH                    ALLOW       Anywhere
Nginx Full                 ALLOW       Anywhere
OpenSSH (v6)               ALLOW       Anywhere (v6)
Nginx Full (v6)            ALLOW       Anywhere (v6)
Next, obtain an SSL certificate by running Certbot.
4. Get an SSL Certificate
Certbot has several plugins through which you can obtain SSL certificates. The Nginx plugin takes care of reconfiguring Nginx and reloading its configuration whenever required. Run the following command to obtain a certificate using this plugin:
sudo certbot --nginx -d example.com -d www.example.com
Here we run certbot with the --nginx plugin and use -d to specify the domain names for which the certificate should be valid.
Your first time using certbot will require you to enter your email address and agree to the terms of service. Certbot will then communicate with the Let’s Encrypt server, and run a challenge to verify that you control the domain you’re requesting a certificate for.
If the challenge succeeds, you’ll be prompted to configure your HTTPS settings.
Output
Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel):
Select your choice and hit ENTER. The configuration will be updated, and Nginx will reload to pick up the new settings. Certbot then prints a closing message confirming that the installation succeeded.
Output
IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/example.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/example.com/privkey.pem
   Your cert will expire on 2020-08-18. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot again
   with the "certonly" option. To non-interactively renew *all* of
   your certificates, run "certbot renew"
 - If you like Certbot, please consider supporting our work by:
   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le
Your certificate is now downloaded and installed. Reload the website using https:// and check the browser’s security indicator: the site should show the lock icon. But your job is not done yet. Let’s Encrypt certificates are valid for only 90 days, so setting up renewal is mandatory.
5. Auto Renewal of Certificates
Certbot encourages users to automate the certificate renewal process. Use certbot to do a dry run of the renewal:
sudo certbot renew --dry-run
All you need to do is check the dry run for errors. Whenever necessary, Certbot will renew your certificates and reload Nginx. If the automated renewal ever fails, Let’s Encrypt will send a warning email to the address you registered when your certificate is about to expire.
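As an added example (not part of the original guide), the following shell functions read the expiry date from a certificate file such as the fullchain.pem path Certbot printed above and report whether it has entered Certbot’s default renewal window of 30 days before expiry, which is useful for a monitoring check alongside the automated renewal. It assumes GNU date and the openssl CLI, both present on Ubuntu 20.04.

```shell
#!/bin/sh
# Constructed example: report how many days remain on a Let's Encrypt
# certificate and whether it is inside Certbot's renewal window.

# Convert a "notAfter=<date>" line, as printed by
# `openssl x509 -noout -enddate`, into whole days remaining (rounded).
days_from_enddate() {
  end_str=${1#notAfter=}
  end_epoch=$(date -u -d "$end_str" +%s) || return 1
  now_epoch=$(date -u +%s)
  echo $(( (end_epoch - now_epoch + 43200) / 86400 ))
}

# Read the expiry from a PEM certificate file and compute days remaining.
days_until_expiry() {
  enddate=$(openssl x509 -in "$1" -noout -enddate) || return 1
  days_from_enddate "$enddate"
}

# Exit 0 when the certificate should be renewed (days <= threshold),
# 1 otherwise. The threshold defaults to Certbot's 30 days.
needs_renewal() {
  days=$1
  threshold=${2:-30}
  [ "$days" -le "$threshold" ]
}

# Usage: check_cert /etc/letsencrypt/live/example.com/fullchain.pem
check_cert() {
  days=$(days_until_expiry "$1") || { echo "cannot read $1" >&2; return 2; }
  if needs_renewal "$days"; then
    echo "$1: $days day(s) left - inside renewal window, run 'sudo certbot renew'"
  else
    echo "$1: $days day(s) left - no renewal needed yet"
  fi
}
```

A certificate that stays inside the renewal window after certbot.timer has had a chance to run is a sign that automated renewal is failing and the dry run above should be repeated to find out why.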
In this guide, you set up the Let’s Encrypt Certbot client, obtained an SSL certificate for your domain, configured Nginx to use that certificate, and arranged for automatic certificate renewal. For further information, kindly connect with our technical engineers.