Securing Your Nginx with Let's Encrypt on Linux Ubuntu


I never thought that securing a server with SSL was easy. This article is an easy guide to securing your Nginx server with free SSL certificates obtained from Let's Encrypt. SSL stands for Secure Sockets Layer, the standard technology for keeping an internet connection secure. It encrypts the information transferred between two systems so that it cannot be read or modified by an unwanted third party. Say you are sending your credit card information: certainly, you don't want anyone other than the intended recipient to read it. Therefore you should use SSL to encrypt communications between your server and its clients.

Before getting into the main guide, we assume that you have a registered domain that points to the IP address of your machine/server. We will use mysite.com as our example domain. Make sure to replace every occurrence of mysite.com in the presented configuration and commands with your own domain.

We also assume that you have already configured your Nginx to serve your domain. Please refer to this for an introduction.

Further, you need to enable your firewall and allow HTTPS connections through it. See this.

Let's first install the Certbot software and its Nginx plugin.

sudo apt update
sudo apt install certbot python3-certbot-nginx

After that, we can obtain an SSL certificate using this command.

sudo certbot --nginx -d mysite.com -d www.mysite.com

The above command assumes that you have set the following server_name directive in your Nginx server configuration.

server_name mysite.com www.mysite.com;

The first time you run it, you will be asked for your email address (see below). Enter your email there.

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator Nginx, Installer Nginx
Enter email address (used for urgent renewal and security notices) (Enter 'c' to
cancel):

Then, you have to read the Terms of Service and give your agreement.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server at
https://acme-v02.api.letsencrypt.org/directory
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(A)gree/(C)ancel:

You will then be asked the following. It's up to you how to answer.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about our work
encrypting the web, EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o:

If the installation is successful, you will be asked whether you want to redirect HTTP traffic to HTTPS. I suggest you redirect it. But again, it's up to you.

Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel):

Once everything is set up, you will get this message.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations! You have successfully enabled https://mysite.com and
https://www.mysite.com

You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=mysite.com
https://www.ssllabs.com/ssltest/analyze.html?d=www.mysite.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/mysite.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/mysite.com/privkey.pem
   Your cert will expire on 2021-11-10. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot again
   with the "certonly" option. To non-interactively renew *all* of
   your certificates, run "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

Congratulations! You have obtained your SSL certificate and installed it into your Nginx configuration. Now you can visit your site via HTTPS, e.g., https://mysite.com.

The SSL certificate will expire after a certain time, and you have to renew it before then. It is more convenient if your machine/server renews it by itself. Check that the automatic renewal timer is active by typing the following.

sudo systemctl status certbot.timer

The result will look like this.

certbot.timer - Run certbot twice daily
     Loaded: loaded (/lib/systemd/system/certbot.timer; enabled; vendor preset: enabled)
     Active: active (waiting) since Thu 2021-08-12 12:13:44 UTC; 1h 24min ago
    Trigger: Fri 2021-08-13 02:15:06 UTC; 12h left
   Triggers: ● certbot.service

Aug 12 12:13:44 xxx systemd[1]: Started Run certbot twice daily.

To make sure your renewal process is working, try the following command.

sudo certbot renew --dry-run

If there are no errors, then you are successful. Congratulations!
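A post-setup check script for the steps above, added here as an example and not part of the original article: it verifies that certbot.timer is enabled and waiting, that plain HTTP really redirects to HTTPS, and how many days the installed certificate has left. It assumes a Linux host with GNU date, openssl and curl; DOMAIN and CERT_PATH are placeholders you override.

```shell
#!/usr/bin/env bash
# Post-setup checks for the procedure above (added example, not from the
# article). Assumes a Linux host with GNU date, openssl and curl installed.
# DOMAIN and CERT_PATH are placeholders; override them via the environment.
DOMAIN="${DOMAIN:-mysite.com}"
CERT_PATH="${CERT_PATH:-/etc/letsencrypt/live/$DOMAIN/fullchain.pem}"

# Is certbot.timer both enabled at boot and waiting for its next trigger?
# $1 = text of `systemctl status certbot.timer` (passed in so it is testable)
timer_is_healthy() {
  printf '%s\n' "$1" | grep -Eq 'Loaded: loaded .*; enabled;' &&
  printf '%s\n' "$1" | grep -Eq 'Active: active \(waiting\)'
}

# Did the "Redirect" choice take effect? A plain-HTTP request must answer
# with a 301/302/307/308 and a Location header pointing at https://.
# $1 = response headers, e.g. from `curl -sI "http://$DOMAIN"`
redirects_to_https() {
  printf '%s\n' "$1" | grep -Eiq '^HTTP/[0-9.]+ 30[1278]' &&
  printf '%s\n' "$1" | grep -Eiq '^location: https://'
}

# Days until the certificate in PEM file $1 expires (prints an integer).
# Let's Encrypt certificates last 90 days and certbot renews them when
# fewer than 30 days remain, so a value under ~25 means renewal is failing.
days_until_expiry() {
  end=$(openssl x509 -in "$1" -noout -enddate | cut -d= -f2)
  echo $(( ( $(date -d "$end" +%s) - $(date +%s) ) / 86400 ))
}

# Run all three checks against the live host: ./check.sh --run
if [ "${1:-}" = "--run" ]; then
  if timer_is_healthy "$(systemctl status certbot.timer 2>&1)"; then
    echo "ok:   certbot.timer is enabled and waiting"
  else
    echo "WARN: certbot.timer is not enabled/active"
  fi
  if redirects_to_https "$(curl -sI "http://$DOMAIN")"; then
    echo "ok:   http://$DOMAIN redirects to HTTPS"
  else
    echo "WARN: http://$DOMAIN does not redirect to HTTPS"
  fi
  left=$(days_until_expiry "$CERT_PATH")
  if [ "$left" -gt 25 ]; then
    echo "ok:   $left days until expiry"
  else
    echo "WARN: only $left days left; run 'sudo certbot renew --dry-run'"
  fi
fi
```

Save it as check.sh and run `sudo ./check.sh --run` after the dry-run succeeds; a WARN on any line points at the step above to revisit.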