Let’s Secure Nginx With Let’s Encrypt On Ubuntu 20.04


Introduction

In this tutorial, we discuss how to install a Let’s Encrypt SSL certificate with Nginx on Ubuntu 20.04, so that your site can be accessed over HTTPS.

Let’s Encrypt is widely known for offering an easy way to obtain and install free SSL/TLS certificates, so anyone can serve their site over encrypted HTTPS. Let’s Encrypt provides a software client called Certbot that automates almost all of the HTTPS setup steps and works with both Nginx and Apache web servers.

First, let’s discuss some prerequisites that must be met before the installation. Make sure to create a separate Nginx server block file for each of your domains to avoid common mistakes. This also keeps the default files on your server intact, so you can fall back on them to fix any issue that occurs during the installation.

Prerequisites

  • Ubuntu 20.04 server with LEMP installed (see our guide on installing LEMP on your server).
  • A user with sudo privileges and the UFW firewall enabled.
  • A domain name; we use servonode.com as the example. You can get one from any domain registrar.
  • Both the www and non-www DNS records pointing to the server.

Steps to install Let’s Encrypt free SSL on Nginx

Once you have met all the prerequisites, follow the steps below to install a free SSL certificate on your Nginx server.

Step 1: Install Certbot (Let’s Encrypt Client Software)

Let’s Encrypt offers a free client named Certbot that automates the SSL installation process, so you first need to install it on Ubuntu 20.04. Run the command below to install Certbot and its Nginx plugin with apt:

sudo apt install certbot python3-certbot-nginx

Certbot is now ready to secure your Nginx server. But for the automated process to work, you first need to confirm Nginx’s configuration file.

Step 2: Verify Nginx Server Block

For Certbot to work properly, it has to find the correct server block in the Nginx configuration to install and configure SSL. If you have already configured a server block, it might be saved at /etc/nginx/sites-available/servonode.conf (servonode.conf is our example) for the domain servonode.com.

To check this in your case, open the server block configuration file with a text editor (nano):

sudo nano /etc/nginx/sites-available/servonode.conf

Scroll through the block to find the server_name line; it should look like the one below:

/etc/nginx/sites-available/servonode.conf
...
server_name servonode.com www.servonode.com;
...

Note: Replace “servonode.com” with your own domain. Since you have already configured the server block, the value may already be correct; if not, update it with the correct values.

Once done, save and exit the file. Now check the Nginx configuration for syntax errors with the command below.

sudo nginx -t

If the above command reports an error, there is likely a mistake in the Nginx server block for your domain. Check it, fix the mistake, and run the command again until everything is OK. If no error is reported, reload Nginx to load the new settings.

sudo systemctl reload nginx

Now Certbot can identify the proper server block and update it. In the next step, you need to update the firewall to allow HTTPS traffic.
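Certbot’s Nginx plugin matches the names you pass with -d against the server_name directives it finds, so the check above is worth scripting. The following is an added example, not code from the tutorial: a POSIX sh function that extracts every hostname listed in the server_name directives of a server block file (comments stripped, several server blocks per file handled) and verifies that both the bare domain and its www variant are present. The function names and the constructed sample configuration are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the original tutorial): verify that an Nginx server
# block file lists both DOMAIN and www.DOMAIN in its server_name directive(s).

# server_names FILE: print every hostname found in server_name directives, one per line.
server_names() {
    # 1. drop comments  2. keep server_name lines  3. strip keyword and trailing ';'
    # 4. split the remaining names on whitespace
    sed -e 's/#.*$//' "$1" \
      | grep -E '^[[:space:]]*server_name[[:space:]]' \
      | sed -e 's/^[[:space:]]*server_name//' -e 's/;.*$//' \
      | while read -r line; do
            for name in $line; do printf '%s\n' "$name"; done
        done
}

# check_server_names FILE DOMAIN: return 0 if FILE names both DOMAIN and
# www.DOMAIN, 1 otherwise (each missing name is reported on stderr).
check_server_names() {
    file=$1
    domain=$2
    names=$(server_names "$file")
    rc=0
    for want in "$domain" "www.$domain"; do
        if ! printf '%s\n' "$names" | grep -qx "$want"; then
            echo "missing from server_name in $file: $want" >&2
            rc=1
        fi
    done
    return $rc
}

# Constructed sample server block, standing in for
# /etc/nginx/sites-available/servonode.conf from the tutorial.
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
server {
    listen 80;
    server_name servonode.com www.servonode.com; # example domain from the tutorial
    root /var/www/servonode;
}
EOF

if check_server_names "$SAMPLE_CONF" servonode.com; then
    echo "server_name OK: $(server_names "$SAMPLE_CONF" | tr '\n' ' ')"
fi
rm -f "$SAMPLE_CONF"

# On a real host: check_server_names /etc/nginx/sites-available/servonode.conf servonode.com && sudo nginx -t
```

Run the real check before `sudo nginx -t`; a name missing here is the usual reason Certbot later reports that it cannot find a matching server block.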

Step 3: Allow HTTPS Traffic In Firewall

Since the UFW firewall is enabled, you need to adjust it to allow HTTPS. To check the current status of the firewall on your Ubuntu 20.04 server, execute the command below.

sudo ufw status

The above command shows output like the following.

Status: active

To                         Action      From
--                         ------      ----
OpenSSH                    ALLOW       Anywhere
Nginx HTTP                 ALLOW       Anywhere
OpenSSH (v6)               ALLOW       Anywhere (v6)
Nginx HTTP (v6)            ALLOW       Anywhere (v6)

Now you need to add a rule that allows HTTPS traffic through the firewall. Run the commands:

sudo ufw allow 'Nginx Full'
sudo ufw delete allow 'Nginx HTTP'

Recheck your UFW status with the command shown earlier; the output will now look like:

Status: active

To                         Action      From
--                         ------      ----
OpenSSH                    ALLOW       Anywhere
Nginx Full                 ALLOW       Anywhere
OpenSSH (v6)               ALLOW       Anywhere (v6)
Nginx Full (v6)            ALLOW       Anywhere (v6)

Once done, you can run Certbot to fetch the certificates for your domain and configure the Nginx server block.
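The two ufw commands work because the 'Nginx Full' application profile opens both port 80 and port 443, which makes the HTTP-only rule redundant; port 80 must stay open, since Let’s Encrypt’s HTTP-01 challenge and the HTTP-to-HTTPS redirect both use it. The following added example (not part of the tutorial) checks the intended end state of this step from the text that `sudo ufw status` prints: the firewall is active, 'Nginx Full' is allowed, 'Nginx HTTP' is gone, and an OpenSSH rule still exists so you do not lock yourself out. The function names are assumptions made for this example; the sample status text is constructed from the output shown above.

```shell
#!/bin/sh
# Added example (not from the original tutorial): verify the firewall rule set
# reached after Step 3 by parsing the output of `ufw status`.

# ufw_allows STATUS_TEXT PROFILE: 0 if STATUS_TEXT has an ALLOW rule for PROFILE
# (matches the IPv4 line; the "(v6)" line is accepted too).
ufw_allows() {
    printf '%s\n' "$1" \
      | grep -E "^$2([[:space:]]+\(v6\))?[[:space:]]+ALLOW[[:space:]]" >/dev/null
}

# verify_https_rules STATUS_TEXT: 0 when ufw is active, 'Nginx Full' is allowed
# and the redundant 'Nginx HTTP' rule is absent; problems are reported on stderr.
verify_https_rules() {
    status=$1
    rc=0
    printf '%s\n' "$status" | grep -q '^Status: active' \
        || { echo "ufw is not active" >&2; rc=1; }
    ufw_allows "$status" 'Nginx Full' \
        || { echo "missing rule: Nginx Full (ports 80 and 443)" >&2; rc=1; }
    ufw_allows "$status" 'Nginx HTTP' \
        && { echo "redundant rule still present: Nginx HTTP" >&2; rc=1; }
    ufw_allows "$status" 'OpenSSH' \
        || echo "warning: no OpenSSH rule; you may lock yourself out" >&2
    return $rc
}

# Constructed sample: what `sudo ufw status` prints after Step 3.
AFTER='Status: active

To                         Action      From
--                         ------      ----
OpenSSH                    ALLOW       Anywhere
Nginx Full                 ALLOW       Anywhere
OpenSSH (v6)               ALLOW       Anywhere (v6)
Nginx Full (v6)            ALLOW       Anywhere (v6)'

if verify_https_rules "$AFTER"; then
    echo "firewall is ready for HTTPS"
fi

# On a real host: verify_https_rules "$(sudo ufw status)"
```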

Step 4: Get SSL Certificate

To get an SSL certificate for your domain through Certbot’s Nginx plugin, run the command below.

sudo certbot --nginx -d servonode.com -d www.servonode.com

With the above command, Certbot creates certificates for the selected domain names using the Nginx plugin. The -d option specifies each domain the certificate should cover.

While running, Certbot asks for your email address and for agreement to its terms of service; follow the on-screen instructions. Once the certificate is obtained, Certbot asks you to configure HTTPS redirection. Select 1 to leave HTTP access unchanged or 2 to redirect all traffic to HTTPS.

Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel):

After you select an option, the Nginx configuration for your domain is updated automatically. You will see the message below when the SSL certificate and its settings have been installed successfully.

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/servonode.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/servonode.com/privkey.pem
   Your cert will expire on 2020-08-18. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot again
   with the "certonly" option. To non-interactively renew *all* of
   your certificates, run "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

After the above message is shown, revisit your website over https://; the browser will show the security indicator (padlock) as well. Finally, you need to verify the renewal process for the certificates.

Step 5: Verify Certbot Auto-Renewal

Be aware that Let’s Encrypt certificates are valid for 90 days only, so it’s advised to automate the renewal process. The Certbot package sets up a systemd timer for this; check it with the command below.

sudo systemctl status certbot.timer

This systemd timer runs twice a day and renews any certificate generated by Certbot that will expire within the next 30 days. The command shows output like the one below.

● certbot.timer - Run certbot twice daily
     Loaded: loaded (/lib/systemd/system/certbot.timer; enabled; vendor preset: enabled)
     Active: active (waiting) since Mon 2020-05-04 20:04:36 UTC; 2 weeks 1 days ago
    Trigger: Thu 2020-05-21 05:22:32 UTC; 9h left
   Triggers: ● certbot.service

To confirm that the renewal process works, do a dry run with Certbot. Run the command below.

sudo certbot renew --dry-run

If this command shows no errors, Certbot is configured to renew the certificates for your domain in Nginx automatically. You will also receive an email from Let’s Encrypt when your certificates are about to expire.
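Step 4 leaves the certificate chain and private key under /etc/letsencrypt/live/servonode.com/, and Step 5 relies on a 30-day renewal window. The following is an added example (not code from the tutorial or from Certbot) that checks both with only openssl and POSIX sh: it prints the subject, SANs and validity dates of fullchain.pem, confirms that privkey.pem is the key for that certificate, checks that the key is not world-readable, and fails if the certificate expires within the renewal window, which is the point at which a broken timer would go unnoticed. The function names and the LIVE_DIR variable are assumptions made for this example; the directory path is the one from the Certbot message above, so adjust it to your domain.

```shell
#!/bin/sh
# Added example (not from the original tutorial): inspect the files Certbot
# wrote and check the renewal window. Requires read access to the live
# directory, i.e. run as root on a real host.

LIVE_DIR=${LIVE_DIR:-/etc/letsencrypt/live/servonode.com}   # assumed; adjust to your domain

# cert_summary CERT: print subject, validity dates and the SAN list.
cert_summary() {
    openssl x509 -in "$1" -noout -subject -dates
    # the SAN names are on the line after the extension header in -text output
    openssl x509 -in "$1" -noout -text | grep -A1 'Subject Alternative Name' | tail -n 1
}

# key_matches_cert CERT KEY: 0 if KEY is the private key for CERT's public key.
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey)
    key_pub=$(openssl pkey -in "$2" -pubout)
    [ "$cert_pub" = "$key_pub" ]
}

# valid_for_days CERT DAYS: 0 if CERT is still valid DAYS days from now,
# 1 if it expires sooner. Certbot's timer renews inside a 30-day window, so a
# certificate with under 30 days left means renewal is not happening.
valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# key_is_private KEY: 0 if KEY is not readable by other users. -L follows the
# symlink, because the files under live/ point into archive/.
key_is_private() {
    [ -z "$(find -L "$1" -perm -o+r 2>/dev/null)" ]
}

# check_live_dir DIR: run all checks on DIR/fullchain.pem and DIR/privkey.pem.
check_live_dir() {
    cert=$1/fullchain.pem
    key=$1/privkey.pem
    cert_summary "$cert"
    key_matches_cert "$cert" "$key" \
        || { echo "FAIL: $key does not match $cert" >&2; return 1; }
    key_is_private "$key" \
        || { echo "FAIL: $key is world-readable" >&2; return 1; }
    valid_for_days "$cert" 30 \
        || { echo "FAIL: $cert expires within 30 days; run 'certbot renew --dry-run'" >&2; return 1; }
    echo "OK: $cert is valid for more than 30 days and the key matches"
}

# Only run on a host where the live directory exists and is readable.
if [ -r "$LIVE_DIR/privkey.pem" ]; then
    check_live_dir "$LIVE_DIR" || exit 1
fi
```

The script can be dropped into a daily cron job or a monitoring check; a non-zero exit from valid_for_days is the signal to look at `systemctl status certbot.timer` and the dry run.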

In this tutorial, you have learned how to install a Let’s Encrypt SSL certificate on your Nginx server and configure it for your domain. If you have any query or suggestion regarding this tutorial, share it with us on our Suggest Us page.