How To

Install Let’s Encrypt To Secure Nginx Web Server


Introduction

Let’s Encrypt is a free and open Certificate Authority (CA) developed by the Internet Security Research Group (ISRG). It provides free TLS/SSL certificates that enable encrypted HTTPS on a web server. In the last few years, most major search engines, such as Google, Yahoo and Baidu, have encouraged webmasters to serve their data from a secure web server. So for a startup or a new blogger, it is essential to have an HTTPS-enabled web server for better SEO. Let’s Encrypt plays a very important role here by providing free, easy-to-obtain SSL certificates. In this tutorial, we will learn how to install Let’s Encrypt on our Nginx web server to make it more secure.

Install CertBot

We first have to install the certbot software on our server to obtain a free SSL certificate from Let’s Encrypt. Certbot is a fully featured tool that automates obtaining and renewing Let’s Encrypt SSL certificates and configuring web servers to use them. To install certbot, we first have to add its repository. Run the command below to add the repository on the server:

sudo add-apt-repository ppa:certbot/certbot

Now update the server's package list to pick up the new repository by running the command below:

sudo apt-get update

Finally, run the command below to install the certbot software:

sudo apt-get install python-certbot-nginx

After running the above command, certbot is installed on our system, but it is not configured with Nginx yet. We have to verify some settings in our Nginx configuration.

Setting Up Nginx To Use Let’s Encrypt

Certbot can automatically configure SSL for Nginx if it can find the server block for the domain you are requesting the certificate for.

To verify the Nginx configuration, run the command below:

sudo nginx -t

If you find any errors, fix them and reload Nginx:

sudo systemctl reload nginx

Now certbot will be able to find the right server block.

Allowing HTTPS

If your firewall is enabled, allow HTTPS traffic by allowing the Nginx Full profile and deleting the now-redundant Nginx HTTP profile with the commands below:

sudo ufw allow 'Nginx Full'
sudo ufw delete allow 'Nginx HTTP'

Check the updated status by running the command below:

sudo ufw status

Obtain SSL Certificate

After completing all the above steps, you can now run certbot and obtain the SSL certificate files for your domain.

sudo certbot --nginx -d your_domain.com -d www.your_domain.com

The above command runs certbot with the Nginx plugin. If this is your first time running it, you will be asked to provide an email address and agree to the terms of service. After that, certbot will ask how you would like to configure the HTTPS settings.

Output
Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
-------------------------------------------------------------------------------
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
-------------------------------------------------------------------------------
Select the appropriate number [1-2] then [enter] (press 'c' to cancel):

Select the appropriate number according to your choice and press Enter. Certbot then updates the HTTPS settings and displays a message telling you where your certificates are stored.

Your certificates are now installed and loaded on the Nginx server. You can go to the browser and access your domain using https in the URL. You will notice that it indicates that your site is secured.

You can also test your server using the SSL Labs Server Test.

Auto Renew Let’s Encrypt SSL Certificate

The SSL certificates you installed using Let’s Encrypt are valid for only 90 days. The installed certbot package takes care of this by running “certbot renew” twice a day. To verify the renewal process, run the command below:

sudo certbot renew --dry-run

If there are no errors, certbot will auto-renew the certificate and reload Nginx. If auto-renewal fails, you will be emailed at the address you specified.
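
The check below is an added example, not part of the original tutorial or of certbot: it reads the certificate your server actually presents and reports how many days are left, so a stalled renewal is noticed well before the 90 days run out. It assumes certbot's default of renewing once fewer than 30 days remain; the script name check_cert.py and the function names are hypothetical.

```python
#!/usr/bin/env python3
"""Report how long a site's TLS certificate has left and whether renewal looks stuck."""
import socket
import ssl
import sys
import time

# Assumption: certbot's default is to renew once fewer than 30 days remain,
# so a live certificate below that mark means "certbot renew" has been failing.
RENEW_WINDOW_DAYS = 30


def fetch_not_after(host, port=443, timeout=10):
    """Return the notAfter string of the certificate the server presents."""
    ctx = ssl.create_default_context()  # verifies the chain and the hostname
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()["notAfter"]


def days_remaining(not_after, now=None):
    """Whole days until expiry; negative once the certificate has expired."""
    now = time.time() if now is None else now
    expires = ssl.cert_time_to_seconds(not_after)
    return int((expires - now) // 86400)


def renewal_status(not_after, now=None):
    """Classify a certificate as 'ok', 'renewal-overdue' or 'expired'."""
    left = days_remaining(not_after, now)
    if left < 0:
        return "expired"
    if left < RENEW_WINDOW_DAYS:
        return "renewal-overdue"
    return "ok"


if __name__ == "__main__":
    # Usage: python3 check_cert.py your_domain.com
    host = sys.argv[1]
    try:
        not_after = fetch_not_after(host)
    except ssl.SSLCertVerificationError as exc:
        # An expired or mismatched certificate fails the handshake itself.
        sys.exit(f"{host}: certificate rejected: {exc.verify_message}")
    status = renewal_status(not_after)
    print(f"{host}: expires {not_after}, {days_remaining(not_after)} days left, {status}")
    sys.exit(0 if status == "ok" else 1)
```

Run it from a machine other than the web server (for example from a daily cron job), since a non-zero exit status then also catches the case where the server itself is down.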

Conclusion

You have now successfully installed certbot and downloaded and set up an SSL certificate for your Nginx web server. If you want to learn more about Let’s Encrypt, you can refer to their official documentation.
