How to secure NGINX with Let's Encrypt

If you run NGINX and want to use free certificates, it's possible with Let's Encrypt.


It's become imperative that websites be secured with HTTPS. If you run a small business, you might think that the cost of a TLS/SSL certificate is out of your budget. Think again. If you use Linux as your platform, and NGINX as your web server, you can do this with the help of Let's Encrypt.

I'm going to walk you through the process of securing NGINX with Let's Encrypt. I'll be doing so on Ubuntu 18.04, but the process will be similar on many Linux platforms (with a few adjustments). With that said, let's get started.


What you need

You need the following in order to make this work:

  • A working Ubuntu Server with NGINX installed and running.
  • A server block created for your domain.
  • A fully registered domain name (for the sake of this how-to, I'll demonstrate with the standard example.com domain).

For an example on how to set up SSL with a self-signed certificate on NGINX, see How to enable SSL on NGINX, and for an example on how to set up an NGINX server block, see How to create NGINX server blocks on Ubuntu 18.04.

With those pieces in place, let's get to work.

Install Certbot

The tool that makes this happen is Certbot. The version of Certbot available in the standard repository is out of date, so we need to install from the official Certbot repository. To do this (and install the necessary package), follow these steps:

  1. Open a terminal on your Linux server.
  2. Add the repository with the command sudo add-apt-repository ppa:certbot/certbot.
  3. Update apt with the command sudo apt-get update.
  4. Install Certbot's NGINX package with the command sudo apt install python-certbot-nginx.

Reload NGINX with the following command:

sudo systemctl reload nginx

Adjusting the firewall

If you happen to use a firewall (which you should), you need to make an adjustment to allow HTTPS traffic into your server. This can be done using the 'Nginx Full' profile from the command line. That profile opens both port 80 and port 443, so the second command below simply removes the now-redundant HTTP-only rule. To make this happen, issue the following two commands:

sudo ufw allow 'Nginx Full'
sudo ufw delete allow 'Nginx HTTP'

Obtaining the SSL certificate

Next, you need to obtain the SSL certificate. To do this, head back to the command line and issue the following (remembering to replace example.com with your fully qualified domain name):

sudo certbot --nginx -d example.com -d www.example.com

You will be prompted to enter an email address and agree to the EULA. Once you take care of this, the certbot command will communicate with the Let's Encrypt server to run a verification on your domain. Once that verification completes, you will be asked how to set up HTTPS. Select from one of these two options:

  • No redirect - Make no further changes to the webserver configuration.
  • Redirect - Make all requests redirect to secure HTTPS access. Choose this for new sites, or if you're confident your site works on HTTPS. You can undo this change by editing your web server's configuration.

Select your choice and hit Enter on your keyboard. After the configuration is loaded, NGINX will automatically be restarted with the new settings in place. When all of this completes, certbot will inform you that the certificates are stored in /etc/letsencrypt/live/example.com/ (where example.com is your specific domain name). These certificates are only valid for ninety days. Fortunately, during the installation of certbot, a cron job is created to automatically renew those certificates, so you don't have to bother. You can always test this (to make sure you don't wind up with an expired certificate on your site) with the command:

sudo certbot renew --dry-run

That command should succeed without any errors. You are good to go with NGINX and HTTPS. Point your browser to https://SERVER_DOMAIN (where SERVER_DOMAIN is the fully qualified domain of your server), and the site should load, without issue, using your newly acquired SSL certificate.
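As an added post-install check (not part of this article or of Certbot itself), the script below inspects the server block that certbot --nginx rewrote and confirms it serves HTTPS from the /etc/letsencrypt/live/ directory and, if you picked the Redirect option, sends plain-HTTP requests to https://. The server block it writes is a constructed sample in the shape certbot leaves behind; the path to your real block is an assumption you pass as the first argument.

```shell
#!/bin/sh
# Added check (not from the article): after 'certbot --nginx' rewrites a server
# block, confirm it serves HTTPS from the Let's Encrypt live directory and, if
# the "Redirect" option was chosen, sends plain-HTTP requests to https://.
# Usage: check_tls_block /etc/nginx/sites-available/example.com example.com

check_tls_block() {
    conf="$1"; domain="$2"; rc=0
    live="/etc/letsencrypt/live/$domain"
    grep -Eq "^[[:space:]]*ssl_certificate[[:space:]]+$live/fullchain\.pem;" "$conf" \
        || { echo "missing ssl_certificate $live/fullchain.pem"; rc=1; }
    grep -Eq "^[[:space:]]*ssl_certificate_key[[:space:]]+$live/privkey\.pem;" "$conf" \
        || { echo "missing ssl_certificate_key $live/privkey.pem"; rc=1; }
    grep -Eq '^[[:space:]]*listen[[:space:]]+(\[::\]:)?443[[:space:]]+ssl' "$conf" \
        || { echo "no 'listen 443 ssl' directive"; rc=1; }
    grep -Eq '^[[:space:]]*return[[:space:]]+301[[:space:]]+https://' "$conf" \
        || { echo "no HTTP to HTTPS redirect (certbot Redirect option)"; rc=1; }
    return $rc
}

# Constructed sample of a block in the shape certbot leaves behind; written to $1.
write_sample_block() {
    cat > "$1" <<'EOF'
server {
    server_name example.com www.example.com;
    root /var/www/example.com/html;
    listen [::]:443 ssl ipv6only=on; # managed by Certbot
    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem; # managed by Certbot
}
server {
    if ($host = example.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot
    listen 80;
    server_name example.com www.example.com;
    return 404; # managed by Certbot
}
EOF
}

# Demo: check the constructed sample, then the same sample with the redirect removed.
sample=$(mktemp)
write_sample_block "$sample"
check_tls_block "$sample" example.com && echo "sample: OK"
grep -v 'return 301' "$sample" > "$sample.noredir"
check_tls_block "$sample.noredir" example.com || echo "sample without redirect: FAIL (expected)"
rm -f "$sample" "$sample.noredir"
```

Run it against your own block (for example, the file under /etc/nginx/sites-available/) with your domain as the second argument; a non-zero exit and the printed lines tell you which directive certbot did not put in place.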


By Jack Wallen

Jack Wallen is an award-winning writer for TechRepublic and Linux.com. He’s an avid promoter of open source and the voice of The Android Expert. For more news about Jack Wallen, visit his website jackwallen.com.