
How to use Let's Encrypt with Nginx to configure https in Ubuntu 20.04

Author: JIYIK    Last Updated: 2025/04/07

Let's Encrypt is a Certificate Authority (CA) that provides an easy way to obtain and install free TLS/SSL certificates, enabling encrypted HTTPS on your web server. It simplifies the process by providing a software client, Certbot, which attempts to automate most, if not all, of the required steps. Currently, the entire process of obtaining and installing certificates is fully automated on both Apache and Nginx.

In this tutorial, we will use Certbot to obtain a free SSL certificate for Nginx on Ubuntu 20.04 and set up the certificate to renew automatically.

We will use a separate Nginx server configuration file instead of the default one. We recommend creating a new Nginx server block file for each domain as it helps avoid common mistakes and allows you to maintain a fallback configuration with the default file.

Before we start the tutorial, we need the following prerequisites:

  • An Ubuntu 20.04 server set up with a sudo-enabled non-root user and a firewall.
  • A registered domain name. For this article, we will use example.com. You can purchase a domain name from Namecheap, get one for free through Freenom, or use another domain registrar.
  • The following two DNS records set up for the server:
    • An A record for example.com pointing to the server's public IP address.
    • An A record for www.example.com pointing to the server's public IP address.

Step 1: Install Certbot

The first step in obtaining an SSL certificate using Let's Encrypt is to install the Certbot software on your server.

Install Certbot and its Nginx plugin using apt:

$ sudo apt install certbot python3-certbot-nginx

Certbot is now ready to use, but in order for it to automatically configure SSL for Nginx, we need to verify some of Nginx's configuration.

Step 2: Confirm Nginx configuration

Certbot needs to be able to find the correct server block in the Nginx configuration in order to configure SSL automatically. Specifically, it looks for a server_name directive that matches the domain we are requesting a certificate for.

If you followed the server block setup steps in the Nginx installation tutorial, you should have a server block for your domain in /etc/nginx/sites-available/example.com with the server_name directive already set correctly.

To inspect the contents of the configuration, open the domain's configuration file using nano or your favorite text editor:

$ sudo nano /etc/nginx/sites-available/example.com

Find the existing server_name line. It should look like this:

/etc/nginx/sites-available/example.com

...
server_name example.com www.example.com;
...

If it does, exit the editor and proceed to the next step.

If not, update the server_name line so that it matches. Then save the file, exit the editor, and check the syntax of your configuration edits for errors:

$ sudo nginx -t

If errors occur, reopen the server block file and check for any typos or missing characters. Once the configuration file syntax is correct, reload Nginx to load the new configuration:

$ sudo systemctl reload nginx

Certbot can now find the correct server block and update it automatically.

Next, let's update the firewall to allow HTTPS access.

Step 3: Allow HTTPS through the firewall

If you enabled the ufw firewall as recommended in the prerequisites above, you need to adjust the settings so that it allows HTTPS traffic. Fortunately, Nginx registers a few application profiles with ufw when it is installed.

We can view the current settings by typing:

$ sudo ufw status

It might look like this, which means only HTTP traffic is allowed to the web server:

Status: active

To                         Action      From
--                         ------      ----
OpenSSH                    ALLOW       Anywhere                  
Nginx HTTP                 ALLOW       Anywhere                  
OpenSSH (v6)               ALLOW       Anywhere (v6)             
Nginx HTTP (v6)            ALLOW       Anywhere (v6)

To additionally allow HTTPS traffic, enable the Nginx Full profile and remove the redundant Nginx HTTP profile:

$ sudo ufw allow 'Nginx Full'
$ sudo ufw delete allow 'Nginx HTTP'

The status should now look like this:

$ sudo ufw status
Status: active

To                         Action      From
--                         ------      ----
OpenSSH                    ALLOW       Anywhere
Nginx Full                 ALLOW       Anywhere
OpenSSH (v6)               ALLOW       Anywhere (v6)
Nginx Full (v6)            ALLOW       Anywhere (v6)
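Before running Certbot it is worth checking the two things Steps 2 and 3 rely on: that the site file carries a server_name covering every domain you will request, and that ufw already admits HTTPS. The script below is an added example, not part of this tutorial or of Certbot; its nginx site file and its two ufw status dumps are constructed samples (the "before" and "after" states shown in Step 3) so that it runs offline. On a real host you would point it at /etc/nginx/sites-available/example.com and at saved output of sudo ufw status.

```shell
#!/usr/bin/env bash
# Pre-flight checks for `certbot --nginx`: does the site file's server_name
# cover every requested domain (Step 2), and does ufw allow HTTPS (Step 3)?
# Added example, not part of the original tutorial. Inputs are constructed.

# Return 0 when every domain listed after the config path appears in some
# server_name directive of that file; otherwise print the missing ones on
# stderr and return 1. Certbot matches on exactly this directive.
server_name_covers() {
  conf="$1"; shift
  # pull the names out of every "server_name a b c;" line, one per line
  names=$(sed -n 's/^[[:space:]]*server_name[[:space:]]*\(.*\);.*$/\1/p' "$conf" \
          | tr -s ' \t' '\n\n')
  missing=""
  for d in "$@"; do
    printf '%s\n' "$names" | grep -qxF -- "$d" || missing="$missing $d"
  done
  [ -z "$missing" ] && return 0
  echo "server_name does not cover:$missing" >&2
  return 1
}

# Return 0 when the saved `ufw status` text has an ALLOW rule that admits
# HTTPS: the 'Nginx Full' or 'Nginx HTTPS' app profile, or raw port 443.
ufw_allows_https() {
  grep -Eq '^(Nginx (Full|HTTPS)|443(/tcp)?)( \(v6\))?[[:space:]]+ALLOW' "$1"
}

# --- constructed sample inputs (not captured from a real host) --------------
SITE_CONF=$(mktemp)
cat >"$SITE_CONF" <<'EOF'
server {
    listen 80;
    server_name example.com www.example.com;
    root /var/www/example.com/html;
}
EOF

UFW_BEFORE=$(mktemp)   # the state shown before enabling 'Nginx Full'
cat >"$UFW_BEFORE" <<'EOF'
Status: active

To                         Action      From
--                         ------      ----
OpenSSH                    ALLOW       Anywhere
Nginx HTTP                 ALLOW       Anywhere
OpenSSH (v6)               ALLOW       Anywhere (v6)
Nginx HTTP (v6)            ALLOW       Anywhere (v6)
EOF

UFW_AFTER=$(mktemp)    # the state after `sudo ufw allow 'Nginx Full'`
cat >"$UFW_AFTER" <<'EOF'
Status: active

To                         Action      From
--                         ------      ----
OpenSSH                    ALLOW       Anywhere
Nginx Full                 ALLOW       Anywhere
OpenSSH (v6)               ALLOW       Anywhere (v6)
Nginx Full (v6)            ALLOW       Anywhere (v6)
EOF
trap 'rm -f "$SITE_CONF" "$UFW_BEFORE" "$UFW_AFTER"' EXIT

# Run the checks; each failure names the fix from the tutorial.
if server_name_covers "$SITE_CONF" example.com www.example.com; then
  echo "ok: server_name covers example.com and www.example.com"
else
  echo "fix: edit the server_name line, then 'sudo nginx -t' and 'sudo systemctl reload nginx'"
fi
for ufw_dump in "$UFW_BEFORE" "$UFW_AFTER"; do
  if ufw_allows_https "$ufw_dump"; then
    echo "ok: firewall allows HTTPS"
  else
    echo "fix: sudo ufw allow 'Nginx Full'  (then delete the redundant 'Nginx HTTP' rule)"
  fi
done
```

The server_name check is deliberately exact-match: Certbot selects the server block by this directive, so a typo such as a missing www entry is the usual reason it reports that no matching block was found.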

Next, let's run Certbot and obtain our certificate.

Step 4: Obtain an SSL certificate

Certbot provides a variety of ways to obtain SSL certificates through plugins. The Nginx plugin will take care of reconfiguring Nginx and reloading the configuration when necessary. To use this plugin, type the following:

$ sudo certbot --nginx -d example.com -d www.example.com

This runs certbot with the --nginx plugin, using -d to specify each domain we want the certificate to be valid for.

If this is the first time running certbot, we will be prompted to enter our email address and agree to the terms of service. Once this is completed, certbot will communicate with the Let's Encrypt server and then verify that we have control over the domain for which we are requesting a certificate.

If successful, certbot will ask how we would like to configure our HTTPS settings.

Output
Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel):

Once you’ve made your selection, press ENTER. The configuration will be updated and Nginx will reload to pick up the new settings. certbot will finish with a message telling us that the process was successful and where the certificates are stored:

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/example.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/example.com/privkey.pem
   Your cert will expire on 2020-08-18. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot again
   with the "certonly" option. To non-interactively renew *all* of
   your certificates, run "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

The certificate has been downloaded, installed, and loaded. Try reloading the site using https:// and pay attention to your browser's security indicator. It should indicate that the site is properly secured, usually with a lock icon. If you test your server using the SSL Labs Server Test, it should receive an A grade.

Let's end this article by testing the update process.

Step 5: Verify Certbot automatic renewal

Let's Encrypt certificates are only valid for ninety days. This is to encourage users to automate their certificate renewal process. The certbot package we installed takes care of this for us by adding a systemd timer that runs twice a day and automatically renews any certificates that are within 30 days of expiration.

We can query the status of the timer using systemctl:

$ sudo systemctl status certbot.timer

The results are shown below:

● certbot.timer - Run certbot twice daily
     Loaded: loaded (/lib/systemd/system/certbot.timer; enabled; vendor preset: enabled)
     Active: active (waiting) since Mon 2020-05-04 20:04:36 UTC; 2 weeks 1 days ago
    Trigger: Thu 2020-05-21 05:22:32 UTC; 9h left
   Triggers: ● certbot.service

To test the renewal process, we can do a dry run with certbot:

$ sudo certbot renew --dry-run

If you don't see any errors, you're all set. When needed, Certbot will renew the certificate and reload Nginx to pick up the changes. If the automatic renewal process fails, Let's Encrypt will send a message to the email address we specified, warning us when the certificate is about to expire.
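The renewal rule described above (the timer renews anything within 30 days of expiry) is easy to mirror in an independent expiry check, which is useful as a second line of monitoring in case the timer is disabled or the renewal keeps failing. The script below is an added example, not part of this tutorial or of Certbot; it assumes GNU date for -d parsing, reads the notAfter date with openssl from the fullchain.pem path Step 4 printed when that file exists, and otherwise falls back to a constructed sample date so that it also runs offline.

```shell
#!/usr/bin/env bash
# Certificate-expiry check mirroring Certbot's 30-day renewal window (Step 5).
# Added example, not part of the original tutorial or of Certbot.
# Assumes GNU date (-d). Sample date below is constructed.

RENEW_WINDOW_DAYS=30

# Whole days from NOW (2nd arg, default: current time) until EXPIRY (1st arg).
# Accepts the "2020-08-18" form Certbot prints or openssl's
# "Aug 18 23:59:59 2020 GMT" form. Negative means already expired.
days_until() {
  exp=$(date -u -d "$1" +%s) || return 2
  now=$(date -u -d "${2:-now}" +%s) || return 2
  echo $(( (exp - now) / 86400 ))
}

# Return 0 (true) when the certificate is inside the renewal window, i.e.
# Certbot's next timer run should renew it; 1 when it is not yet due.
renewal_due() {
  d=$(days_until "$1" "$2") || return 2
  [ "$d" -le "$RENEW_WINDOW_DAYS" ]
}

# Read the notAfter date from a PEM certificate with openssl.
cert_not_after() {
  openssl x509 -noout -enddate -in "$1" | sed 's/^notAfter=//'
}

# --- stand-alone run --------------------------------------------------------
CERT=/etc/letsencrypt/live/example.com/fullchain.pem   # path printed in Step 4
if [ -r "$CERT" ] && command -v openssl >/dev/null 2>&1; then
  EXPIRY=$(cert_not_after "$CERT")
else
  EXPIRY="2020-08-18"   # constructed sample: the date shown in Step 4's output
fi

if days=$(days_until "$EXPIRY"); then
  if [ "$days" -lt 0 ]; then
    echo "EXPIRED $((-days)) day(s) ago: check 'sudo systemctl status certbot.timer' and 'sudo certbot renew --dry-run'"
  elif renewal_due "$EXPIRY"; then
    echo "expires in $days day(s): inside the $RENEW_WINDOW_DAYS-day window, the next timer run should renew it"
  else
    echo "expires in $days day(s): renewal not yet due"
  fi
fi
```

Running it from a daily cron job or a monitoring agent with a non-zero exit on the EXPIRED branch gives an alert that does not depend on the expiry e-mail from Let's Encrypt reaching anyone. For a quick manual look, sudo certbot certificates lists every managed certificate with its expiry date.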

Summary

In this article, we installed the Let's Encrypt client certbot, downloaded SSL certificates for our domains, configured Nginx to use these certificates, and set up automatic certificate renewal.
