Let’s Encrypt is a Certificate Authority (CA) that issues TLS/SSL certificates free of charge. Installing such a certificate is what allows a web server to serve HTTPS, so that traffic between the browser and the server is encrypted. Let’s Encrypt is designed to be used with Certbot, a client that automates almost every step of obtaining and installing a certificate, and which can nowadays configure Nginx or Apache for TLS automatically.
We recommend Certbot because it gets you a free SSL certificate for Nginx on Ubuntu 18.04 and can renew that certificate automatically. We also recommend creating one Nginx server block file per domain: keeping the files separate reduces the risk of common configuration mistakes and leaves the default file untouched. This article walks through securing Nginx with Let’s Encrypt on Ubuntu 18.04. Just keep reading!
Before you get started, make sure you have the following four requirements:
- One Ubuntu 18.04 server, set up with a non-root sudo user and a firewall.
- One domain name: make sure the domain is registered. In this article we use ‘example.com’. If you want a domain name for free, Freenom is one of the best sources.
- Nginx: you can find a tutorial on how to install Nginx on Ubuntu 18.04.
- A server block configured for your domain.
Steps:
The first step is to install Certbot
Install Certbot on your server before requesting a certificate. Do not use the Certbot package from the Ubuntu repositories, which may be outdated; take it from the developer’s own PPA instead.
Add the repository with:
sudo add-apt-repository ppa:certbot/certbot
Press ‘ENTER’ to accept. Then update the package list so that the new repository is included:
sudo apt update
and install Certbot’s Nginx plugin with apt:
sudo apt install python-certbot-nginx
Now, configure your Certbot
At this point Certbot is installed, but it still has to be able to find the right server block in your Nginx configuration in order to set up SSL for it. Certbot locates that block by looking for a server_name directive that matches the domain you request a certificate for, in this case ‘example.com’.
For ‘example.com’ the server block should live in /etc/nginx/sites-available/example.com. To make sure everything is in order, open the server block file for your domain: sudo nano /etc/nginx/sites-available/example.com. If the earlier setup was done correctly, you will find a line like the following in /etc/nginx/sites-available/example.com:
…
server_name example.com www.example.com;
…
If the line is there, save the file and exit your editor. Remember to verify the configuration every time you change it (sudo nginx -t checks the syntax) and to reload Nginx afterwards.
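Certbot’s matching step can be checked before you run it. The script below is an added example, not part of the article and not Certbot’s own code: it pulls every server_name directive out of a server block file and reports which of the names you intend to pass to certbot -d are not covered, applying the exact-name and wildcard rules Nginx uses. The file path and the sample configuration are assumptions; the sample is constructed.

```python
import re
import sys
from typing import List

# Constructed sample standing in for /etc/nginx/sites-available/example.com
# (the path used in the article); the directives besides server_name are illustrative.
SAMPLE_CONFIG = """
server {
    listen 80;
    listen [::]:80;
    root /var/www/example.com/html;
    index index.html;
    server_name example.com www.example.com;  # the names Certbot matches against
    location / {
        try_files $uri $uri/ =404;
    }
}
"""

# One server_name directive: the keyword, then names up to the terminating semicolon.
_SERVER_NAME_RE = re.compile(r"^\s*server_name\s+([^;]+);", re.MULTILINE)


def strip_comments(text: str) -> str:
    """Remove '#' comments so a commented-out server_name is not counted."""
    return "\n".join(line.split("#", 1)[0] for line in text.splitlines())


def server_names(config_text: str) -> List[str]:
    """Return every name listed in server_name directives, in file order."""
    names: List[str] = []
    for match in _SERVER_NAME_RE.finditer(strip_comments(config_text)):
        names.extend(match.group(1).split())
    return names


def name_matches(pattern: str, hostname: str) -> bool:
    """Nginx server_name matching for exact names and the two common wildcard forms."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern.startswith("*."):
        # "*.example.com" matches www.example.com (and deeper labels), not example.com itself
        return hostname.endswith(pattern[1:])
    if pattern.startswith("."):
        # ".example.com" matches example.com itself and every subdomain
        return hostname == pattern[1:] or hostname.endswith(pattern)
    return hostname == pattern


def missing_names(config_text: str, wanted: List[str]) -> List[str]:
    """Names you would pass to 'certbot -d' that no server_name directive covers."""
    patterns = server_names(config_text)
    return [h for h in wanted if not any(name_matches(p, h) for p in patterns)]


if __name__ == "__main__":
    # Usage: python check_server_name.py [config-file] [name ...]
    path = sys.argv[1] if len(sys.argv) > 1 else None
    text = open(path).read() if path else SAMPLE_CONFIG
    wanted = sys.argv[2:] or ["example.com", "www.example.com"]
    print("server_name entries:", server_names(text))
    missing = missing_names(text, wanted)
    print("not covered by any server_name:", missing or "none")
```

Run it against the real file (python check_server_name.py /etc/nginx/sites-available/example.com example.com www.example.com) before invoking Certbot; any name listed as not covered is one Certbot will fail to find a server block for.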
Update the firewall
The third step is to let HTTPS traffic through the firewall. Before changing anything, check what your current settings allow by typing sudo ufw status.
If you see output like this:
Output
Status: active

To                         Action      From
--                         ------      ----
OpenSSH                    ALLOW       Anywhere
Nginx HTTP                 ALLOW       Anywhere
OpenSSH (v6)               ALLOW       Anywhere (v6)
Nginx HTTP (v6)            ALLOW       Anywhere (v6)
then only HTTP traffic can reach your web server. To let HTTPS traffic in, allow the Nginx Full profile (which covers both HTTP and HTTPS) and delete the now redundant Nginx HTTP allowance:
sudo ufw allow 'Nginx Full'
sudo ufw delete allow 'Nginx HTTP'
Your status should now look like this:
sudo ufw status
Output
Status: active

To                         Action      From
--                         ------      ----
OpenSSH                    ALLOW       Anywhere
Nginx Full                 ALLOW       Anywhere
OpenSSH (v6)               ALLOW       Anywhere (v6)
Nginx Full (v6)            ALLOW       Anywhere (v6)
Now it’s time to get your SSL certificate
Certbot offers several ways to obtain a certificate, through its plugins. The Nginx plugin takes care of reconfiguring Nginx and reloading the configuration whenever that is needed. Type the following:
sudo certbot --nginx -d example.com -d www.example.com
This runs Certbot with the Nginx plugin. You will be asked for an email address and to agree to the terms of service. Certbot then contacts the Let’s Encrypt server and runs a challenge to verify that you control the domain you are requesting the certificate for.
Next you are asked how HTTPS should be configured:
- No redirect: make no further changes to the web server configuration.
- Redirect: redirect all HTTP requests to HTTPS, so that every visitor gets the secure connection.
Make your selection and press ‘ENTER’. Certbot reports whether the configuration succeeded; on success you will see output like this:
Output
IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/example.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/example.com/privkey.pem
   Your cert will expire on 2018-07-23. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot again
   with the "certonly" option. To non-interactively renew *all* of
   your certificates, run "certbot renew"
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le
To confirm that the certificate was installed correctly, open your website in a browser. A padlock icon in the address bar (shown in green by many browsers) means the site is being served over HTTPS as it should be.
Finally, verify Certbot’s automatic renewal
Let’s Encrypt certificates are valid for only three months, so renewal is something you must make sure of. Certbot handles this for you: the package adds a renewal script in /etc/cron.d that runs regularly and renews any certificate that is close to expiry. To test that the renewal process works, ask Certbot for a dry run:
sudo certbot renew --dry-run
If no error is reported, automatic renewal is set up correctly.
Hopefully this article has answered how to secure Nginx with Let’s Encrypt on Ubuntu 18.04. Give it a try, and good luck!
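The browser padlock check and the dry-run renewal test above can be complemented with a small script. The following Python is an added example, not part of the article and not Certbot’s code: it connects to the site, validates the chain against the system CA store (the same thing a browser does), confirms that the certificate’s subjectAltName covers the host name, and reports how many days remain, flagging anything under the thirty-day threshold at which certbot renew acts. The SAMPLE_CERT dict is constructed (its expiry date mirrors the sample Certbot output above) so the checks can be exercised offline; the host name is an assumption.

```python
import socket
import ssl
import sys
import time
from typing import Dict, List, Optional

# certbot renew only acts on certificates with fewer than this many days left.
RENEW_WITHIN_DAYS = 30

# Constructed sample in the dict shape ssl.SSLSocket.getpeercert() returns, so the
# checks can run offline; the expiry date mirrors the article's sample Certbot output.
SAMPLE_CERT: Dict = {
    "subject": ((("commonName", "example.com"),),),
    "issuer": ((("organizationName", "Let's Encrypt"),),),
    "notBefore": "Apr 24 00:00:00 2018 GMT",
    "notAfter": "Jul 23 00:00:00 2018 GMT",
    "subjectAltName": (("DNS", "example.com"), ("DNS", "www.example.com")),
}


def san_dns_names(cert: Dict) -> List[str]:
    """DNS entries from the certificate's subjectAltName extension."""
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


def covers_hostname(cert: Dict, hostname: str) -> bool:
    """True if a SAN entry names the host exactly or via a single-label '*.' wildcard."""
    host = hostname.lower()
    for name in san_dns_names(cert):
        name = name.lower()
        if name == host:
            return True
        if (name.startswith("*.") and host.count(".") == name.count(".")
                and host.endswith(name[1:])):
            return True
    return False


def not_after_seconds(cert: Dict) -> int:
    """The certificate's notAfter as seconds since the epoch (UTC)."""
    return ssl.cert_time_to_seconds(cert["notAfter"])


def days_until_expiry(cert: Dict, now: Optional[float] = None) -> float:
    """Days left before notAfter; negative once the certificate has expired."""
    if now is None:
        now = time.time()
    return (not_after_seconds(cert) - now) / 86400


def needs_renewal(cert: Dict, now: Optional[float] = None) -> bool:
    """Mirror certbot renew's decision: renew when under RENEW_WITHIN_DAYS remain."""
    return days_until_expiry(cert, now) < RENEW_WITHIN_DAYS


def check(cert: Dict, hostname: str, now: Optional[float] = None) -> List[str]:
    """Return a list of problems; an empty list means the certificate is in good shape."""
    problems: List[str] = []
    if not covers_hostname(cert, hostname):
        problems.append(f"certificate does not cover {hostname}; SANs: {san_dns_names(cert)}")
    left = days_until_expiry(cert, now)
    if left < 0:
        problems.append(f"certificate expired {-left:.1f} days ago")
    elif left < RENEW_WITHIN_DAYS:
        problems.append(f"only {left:.1f} days left; run 'sudo certbot renew'")
    return problems


def fetch_peer_cert(hostname: str, port: int = 443, timeout: float = 5.0) -> Dict:
    """Handshake with the server, validating its chain against the system CA store,
    and return the leaf certificate as a dict (needs network access to the host)."""
    context = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with context.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    # Usage: python check_cert.py www.example.com   (no argument: the offline sample)
    if len(sys.argv) > 1:
        host = sys.argv[1]
        cert = fetch_peer_cert(host)
    else:
        host, cert = "www.example.com", SAMPLE_CERT
    print(f"{host}: {days_until_expiry(cert):.1f} days until expiry")
    for problem in check(cert, host):
        print("PROBLEM:", problem)
```

A handshake failure in fetch_peer_cert (an ssl.SSLCertVerificationError) is itself a useful result: it means the served chain is not trusted, which is what you would see if Nginx were still serving a self-signed or default certificate instead of the fullchain.pem Certbot installed.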