Wondering how to secure Nginx with Let’s Encrypt on Ubuntu 16.04? Here’s how we do it.
Here at Bobcares, we have seen several such Nginx related queries as part of our Server Management Services for web hosts and online service providers.
Today, we’ll take a look at how to secure Nginx.
Know more about Let’s Encrypt
Let’s Encrypt is an open Certificate Authority (CA) that provides free TLS/SSL certificates. These certificates help in encrypting communication between the web server and your users.
To set up a TLS/SSL certificate with the Nginx web server on Ubuntu 16.04, we can use Certbot. The certificate can then be renewed automatically by a scheduled job (a systemd timer or a cron job).
How to secure Nginx with Let’s Encrypt on Ubuntu 16.04
Now let’s look into the process of securing Nginx using the Let’s Encrypt certificate.
1. Install the Certbot Let’s Encrypt Client
To obtain an SSL certificate from Let’s Encrypt, we first need to install the Certbot software on the server.
The Certbot package in Ubuntu’s own repositories is outdated, because Certbot is under active development. The Certbot developers maintain an Ubuntu software repository with up-to-date versions, so we use that repository instead.
Now we shall add the repository by running the below command.
$ sudo add-apt-repository ppa:certbot/certbot
Press ENTER to accept adding the repository. After that, update the package list so apt picks up the new repository’s package information.
$ sudo apt-get update
Finally, install Certbot’s Nginx package by running the below command.
$ sudo apt-get install python-certbot-nginx
Certbot is now ready to use. Before it can configure SSL for Nginx, though, we need to verify part of the Nginx configuration.
2. Setting up Nginx
Certbot can automatically configure SSL for Nginx. But it must find the correct server block in the config. This is done by looking for a server_name directive that matches the domain you are requesting a certificate for.
If you are starting with a fresh Nginx install, you can update the default config file.
$ sudo nano /etc/nginx/sites-available/default
Find the existing server_name line and replace the underscore, _, with your domain name:
. . .
server_name example.com www.example.com;
. . .
Then save the file and quit your editor.
Now, verify the syntax of your configuration edits.
$ sudo nginx -t
If you receive any errors, reopen the file, check for typos, and then test it again.
Once the configuration’s syntax is correct, reload Nginx to load the new configuration.
$ sudo systemctl reload nginx
Now, the Certbot will be able to find the correct server block and update it.
3. Allow HTTPS Through the Firewall
If you have the ufw firewall enabled, you need to adjust its settings to allow HTTPS traffic. Nginx registers a few application profiles with ufw upon installation, which makes this easy.
You can see the current setting by running the below command.
$ sudo ufw status
The output should show the firewall status as active.
To additionally let in HTTPS traffic, we can allow the Nginx Full profile and then delete the redundant Nginx HTTP profile allowance:
$ sudo ufw allow 'Nginx Full'
$ sudo ufw delete allow 'Nginx HTTP'
Running the status command again should show the firewall still active, now with the Nginx Full profile allowed.
4. Obtaining an SSL Certificate
Certbot offers several plugins for obtaining an SSL certificate. The Nginx plugin takes care of reconfiguring Nginx and reloading the config whenever necessary.
$ sudo certbot --nginx -d example.com -d www.example.com
This runs certbot with the --nginx plugin, using -d to specify the names we’d like the certificate to be valid for.
If you are running Certbot for the first time, you will be asked to enter an email address and agree to the terms of service. Certbot then communicates with the Let’s Encrypt server and runs a challenge to verify that you control the domain you’re requesting a certificate for.
If this is successful then the Certbot will ask how you’d like to configure the HTTPS settings.
Select your required choices and hit ENTER. Now the configuration will be updated.
Now the certificate is downloaded, installed, and loaded. Try to reload your website using https:// and check if you are able to see the green padlock.
5. Verify Certbot Auto-Renewal
The last step is to verify that the certificate will renew automatically.
The Certbot package we installed takes care of this for us by running 'certbot renew' twice a day via a systemd timer. On non-systemd distributions, the same job is provided by a script placed in /etc/cron.d.
This task will run twice a day and will make sure to renew the SSL cert within a month of expiration.
To test the renewal process, you can run the below command.
$ sudo certbot renew --dry-run
If you receive no errors then you are all good.
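The following pre-flight script is an added example for steps 2 and 4 above; it is not part of the Bobcares article and is not Certbot's own code. Certbot locates the server block to update by matching the server_name directive against the names given with -d, so the script checks that every intended domain is listed as a whole token in a server_name line of the given config file, warns if the stock "server_name _;" placeholder is still present, and prints (but does not run) the certbot command from step 4. The function names and the sample config are constructed for the demo; the script never invokes certbot, nginx or ufw, only inspects one file, and does not follow include directives, so you still need "sudo nginx -t" as described in step 2.

```shell
#!/bin/sh
# Added example, not from the article: pre-flight check before "certbot --nginx".
# It only reads the config file you name; it does not run certbot, nginx or ufw.

# has_server_name CONF DOMAIN: exit 0 when DOMAIN appears as a whole token in
# any server_name directive of CONF, ignoring comments.
has_server_name() {
    sed 's/#.*//' "$1" \
        | grep -E '^[[:space:]]*server_name[[:space:]]' \
        | sed -e 's/^[[:space:]]*server_name//' -e 's/;.*//' \
        | tr -s ' \t' '\n\n' \
        | grep -qxF -- "$2"
}

# has_default_placeholder CONF: exit 0 when the stock "server_name _;" line
# from Ubuntu's default site is still active (not commented out).
has_default_placeholder() {
    sed 's/#.*//' "$1" | grep -Eq '^[[:space:]]*server_name[[:space:]]+_[[:space:]]*;'
}

# certbot_command DOMAIN...: print the step 4 invocation for the given
# domains; it is printed, not executed.
certbot_command() {
    cmd='sudo certbot --nginx'
    for d in "$@"; do
        cmd="$cmd -d $d"
    done
    printf '%s\n' "$cmd"
}

# preflight CONF DOMAIN...: report on each domain and return non-zero if any
# is missing, so a wrapper can stop before Certbot fails to find the block.
preflight() {
    conf="$1"; shift
    rc=0
    if has_default_placeholder "$conf"; then
        echo "warning: $conf still contains the default 'server_name _;' line"
    fi
    for d in "$@"; do
        if has_server_name "$conf" "$d"; then
            echo "ok:      $d is listed in a server_name directive"
        else
            echo "missing: $d is not in any server_name directive of $conf"
            rc=1
        fi
    done
    if [ "$rc" -eq 0 ]; then
        echo "next:    $(certbot_command "$@")"
    fi
    return "$rc"
}

# Demo on a constructed config (not a real /etc/nginx/sites-available/default).
demo_conf=$(mktemp)
cat > "$demo_conf" <<'EOF'
server {
    listen 80 default_server;
    # server_name _;   <- old placeholder, commented out after editing
    server_name example.com www.example.com;
    root /var/www/html;
}
EOF
preflight "$demo_conf" example.com www.example.com
rm -f "$demo_conf"
```

Run it as "sh preflight.sh" to see the demo, or source it and call "preflight /etc/nginx/sites-available/default example.com www.example.com" on a server; a non-zero return means a name passed with -d would not match any server_name and Certbot's Nginx plugin would not find a block to update.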
[Need any further assistance with Nginx queries? – We are here to help you.]
Conclusion
Today, we saw how our Support Engineers install the Let’s Encrypt Certificate to secure the Nginx server.