How to Secure Nginx with Let’s Encrypt on Ubuntu 22.04

Securing your Nginx web server with Let’s Encrypt on Ubuntu 22.04 protects your website and encrypts the traffic between your server and its visitors. In this tutorial, we cover how to obtain a Let’s Encrypt SSL certificate with Certbot, configure Nginx to serve it, and keep it renewed automatically.

Prerequisites

Before we begin, make sure you have:

  • An Ubuntu 22.04 server with Nginx installed.
  • A registered domain name pointing to your server’s public IP address.

Step 1: Installing Certbot

Certbot is an open-source tool that simplifies the process of obtaining and renewing Let’s Encrypt SSL certificates. To install Certbot and its Nginx plugin, use the following commands:

sudo apt update
sudo apt install certbot python3-certbot-nginx -y

Step 2: Acquiring the SSL Certificate

Ensure your domain resolves to your server’s public IP address: Let’s Encrypt must be able to reach your server to verify that you control the domain before it issues a certificate.

Check that your Nginx server block for port 80 looks like the following:

server {
    listen 80;
    server_name yourdomain.com www.yourdomain.com;
    root /var/www/yourdomain.com;

    index index.php index.html index.htm;

    # Additional configuration...
}

Replace yourdomain.com with your registered domain name, then use the following command to obtain and install the SSL certificate:

sudo certbot --non-interactive -m you@email.com --agree-tos --no-eff-email \
--nginx -d yourdomain.com -d www.yourdomain.com --redirect

When this command runs, Certbot validates the domains, obtains the certificate, and rewrites the Nginx configuration to serve HTTPS; the --redirect flag also adds the HTTP-to-HTTPS redirect.

Expected Output:

When the command finishes, Certbot prints output similar to the following:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Account registered.
Requesting a certificate for yourdomain.com and www.yourdomain.com
Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/yourdomain.com/fullchain.pem
Key is saved at:         /etc/letsencrypt/live/yourdomain.com/privkey.pem
This certificate expires on 2024-07-04.
These files will be updated when the certificate renews.
Certbot has set up a scheduled task to automatically renew this certificate in the background.
Deploying certificate
Successfully deployed certificate for yourdomain.com to /etc/nginx/sites-enabled/yourdomain.com
Successfully deployed certificate for www.yourdomain.com to /etc/nginx/sites-enabled/yourdomain.com
Congratulations! You have successfully enabled HTTPS on https://yourdomain.com and https://www.yourdomain.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
If you like Certbot, please consider supporting our work by:
 * Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
 * Donating to EFF:                    https://eff.org/donate-le
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Step 3: Verifying Nginx Configuration

Certbot should automatically modify your Nginx configuration files. It’s always a good practice to double-check the generated settings:

Review your domain’s Nginx configuration file:

sudo nano /etc/nginx/sites-available/yourdomain.com

Confirm that it includes pointers to the SSL certificate and key:

server {
    listen 443 ssl;
    server_name yourdomain.com www.yourdomain.com;
    root /var/www/yourdomain.com;
    index index.php index.html index.htm;

    # Additional configuration...

    ssl_certificate /etc/letsencrypt/live/yourdomain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/yourdomain.com/privkey.pem;
    include /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
}

Ensure HTTP traffic is redirected to HTTPS:

server {
    listen 80;
    server_name yourdomain.com www.yourdomain.com;

    return 301 https://$host$request_uri;
}

Validate the Nginx configuration:

sudo nginx -t

If no issues are detected, reload Nginx to activate the changes:

sudo systemctl reload nginx
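The manual review above can be scripted. The following is an added example, not code from the original guide: a POSIX shell function that checks a site file for the four things Step 3 asks you to confirm (a TLS listener, certificate and key under /etc/letsencrypt/live/, the options-ssl-nginx.conf include, and an HTTP-to-HTTPS redirect in every port-80 block), then runs it against a constructed sample in the shape Certbot leaves behind. The domain and the live/ path are assumptions; run it before nginx -t.

```shell
# Added example, not code from the original guide: static checks on the site
# file Certbot rewrote, run before "nginx -t". Domain and paths are assumptions.

# check_tls_vhost CONFIG DOMAIN -> returns 0 if every check passes, else 1
check_tls_vhost() {
    conf="$1"; domain="$2"; rc=0
    live="/etc/letsencrypt/live/$domain"
    # 1. A TLS listener: "listen 443 ssl" or "listen [::]:443 ssl".
    grep -Eq '^[[:space:]]*listen[[:space:]]+([^[:space:];]*:)?443[[:space:]]+ssl' "$conf" \
        || { echo "FAIL: no 'listen 443 ssl' directive"; rc=1; }
    # 2. Chain and key come from live/, the symlink dir that renewals update in place.
    grep -Eq "^[[:space:]]*ssl_certificate[[:space:]]+$live/fullchain\.pem;" "$conf" \
        || { echo "FAIL: ssl_certificate is not $live/fullchain.pem"; rc=1; }
    grep -Eq "^[[:space:]]*ssl_certificate_key[[:space:]]+$live/privkey\.pem;" "$conf" \
        || { echo "FAIL: ssl_certificate_key is not $live/privkey.pem"; rc=1; }
    # 3. Certbot's protocol/cipher hardening snippet is included.
    grep -Eq '^[[:space:]]*include[[:space:]]+/etc/letsencrypt/options-ssl-nginx\.conf;' "$conf" \
        || { echo "FAIL: options-ssl-nginx.conf not included"; rc=1; }
    # 4. Every server block listening on port 80 redirects to https://. Braces are
    #    counted so Certbot's "if ($host = ...) { return 301 ... }" form also passes.
    awk '
        depth == 0 && /^[[:space:]]*server[[:space:]]*[{]/ { has80 = 0; redir = 0 }
        /listen[[:space:]]+([^[:space:];]*:)?80[;[:space:]]/  { has80 = 1 }
        /return[[:space:]]+30[12][[:space:]]+https:\/\//      { redir = 1 }
        { depth += gsub(/[{]/, "{"); depth -= gsub(/[}]/, "}")
          if (depth == 0) { if (has80 && !redir) bad++; has80 = 0 } }
        END { exit bad ? 1 : 0 }' "$conf" \
        || { echo "FAIL: a port-80 server block does not redirect to HTTPS"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK: $conf serves $domain over TLS and redirects HTTP"
    return "$rc"
}

# Constructed sample in the shape Certbot leaves behind (not a real site file).
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
server {
    listen 443 ssl;
    server_name yourdomain.com www.yourdomain.com;
    ssl_certificate /etc/letsencrypt/live/yourdomain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/yourdomain.com/privkey.pem;
    include /etc/letsencrypt/options-ssl-nginx.conf;
}
server {
    if ($host = www.yourdomain.com) { return 301 https://$host$request_uri; }
    listen 80;
    return 404; # managed by Certbot
}
EOF
check_tls_vhost "$SAMPLE_CONF" yourdomain.com
```

On a real host, replace the sample path with /etc/nginx/sites-available/yourdomain.com and your own domain; a FAIL line tells you which directive to fix before reloading Nginx.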

If you want more detailed setup instructions, visit my comprehensive guide on installing WordPress with a free SSL certificate from Let’s Encrypt.

Step 4: Configuring Automatic Renewal

By default, Certbot automatically creates a cron job that renews any expiring certificates. To confirm that the automatic renewal is set up:

cat /etc/cron.d/certbot

The cron job should look similar to this:

0 */12 * * * root test -x /usr/bin/certbot -a \! -d /run/systemd/system && perl -e 'sleep int(rand(3600))' && certbot -q renew

This means Certbot will check for certificate renewals twice daily and renew them if they are within 30 days of expiration.

Test the renewal process with a dry run:

sudo certbot renew --dry-run

If this command executes without any issues, auto-renewal is set up successfully.
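The cron line above contains a guard worth understanding: test -x /usr/bin/certbot -a \! -d /run/systemd/system only lets the command proceed when certbot is executable and /run/systemd/system does not exist. Ubuntu 22.04 boots with systemd, so on this platform the cron entry never runs and the packaged certbot.timer unit (check it with systemctl list-timers certbot.timer) performs the twice-daily check instead. The following is an added example, not code from the original guide: it re-implements that guard as a function you can point at any paths, and computes the 30-day renewal window with pure awk date arithmetic (no GNU date -d needed), using the expiry date from the Step 2 output and a constructed "today".

```shell
# Added example, not code from the original guide: the guard in the cron line
# above, re-implemented so you can see which mechanism actually renews, plus the
# 30-day window that "certbot renew" applies. Paths are the defaults on Ubuntu.

# renewal_driver [CERTBOT_BIN] [SYSTEMD_DIR] -> none | cron | systemd-timer
# Mirrors "test -x /usr/bin/certbot -a \! -d /run/systemd/system": the cron
# command runs only if certbot is executable AND no systemd runtime directory
# exists. Ubuntu 22.04 boots with systemd, so there the cron entry is a no-op
# and the packaged certbot.timer unit does the twice-daily renewal check.
renewal_driver() {
    certbot_bin="${1:-/usr/bin/certbot}"
    systemd_dir="${2:-/run/systemd/system}"
    if [ ! -x "$certbot_bin" ]; then
        echo none
    elif [ ! -d "$systemd_dir" ]; then
        echo cron
    else
        echo systemd-timer
    fi
}

# days_until EXPIRY TODAY (both YYYY-MM-DD) -> signed number of days
# Civil-date arithmetic in awk, so it needs no GNU "date -d".
days_until() {
    awk -v exp_date="$1" -v today="$2" '
        function days(s,   p, y, m, d, era, yoe, doy, doe) {
            split(s, p, "-"); y = p[1] + 0; m = p[2] + 0; d = p[3] + 0
            if (m <= 2) y--
            era = int(y / 400); yoe = y - era * 400
            doy = int((153 * (m > 2 ? m - 3 : m + 9) + 2) / 5) + d - 1
            doe = yoe * 365 + int(yoe / 4) - int(yoe / 100) + doy
            return era * 146097 + doe - 719468
        }
        BEGIN { print days(exp_date) - days(today) }'
}

# needs_renewal EXPIRY TODAY -> 0 when "certbot renew" would renew (30 days
# or fewer left), 1 when it would report the certificate as not yet due.
needs_renewal() {
    [ "$(days_until "$1" "$2")" -le 30 ]
}

# Expiry date from the Step 2 output, checked on a constructed date.
days_until 2024-07-04 2024-06-10                     # prints 24
if needs_renewal 2024-07-04 2024-06-10; then
    echo "inside the 30-day window; renewal driver on this host: $(renewal_driver)"
fi
```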

Conclusion

Securing your Nginx web server with Let’s Encrypt on Ubuntu 22.04 is a crucial step in ensuring the safety and integrity of your website. By following the steps outlined in this guide, including installing Certbot, acquiring SSL certificates, verifying Nginx configuration, and configuring automatic renewal, you can protect your site’s communication and data effectively. With encrypted communication and automated certificate renewal, you can maintain a secure and reliable online presence for your visitors.
