How to Configure Let’s Encrypt SSL for Nginx on Ubuntu 18.04

Configuring Let’s Encrypt SSL Cert for Nginx on Ubuntu 18.04


Let’s Encrypt is a certificate authority that provides free SSL certificates that are just as secure as current paid certificates. In this guide we will configure an SSL certificate for Nginx on Ubuntu 18.04.

Prerequisites

You should be using a non-root user with sudo privileges as explained in Ubuntu 18.04 Initial Server Setup.

You should also have Nginx already installed and serving web pages before continuing with this guide. Please see Installing Nginx on Ubuntu 18.04.

1. Install Let’s Encrypt client (Certbot)

Add certbot to the repository. This is the Let’s Encrypt client.

sudo add-apt-repository ppa:certbot/certbot

Press ENTER if prompted.

Now update package list and install certbot.

sudo apt update
sudo apt install python-certbot-nginx

Press y and ENTER when prompted to continue.

2. Configure the Firewall

If you haven’t already done so, it is recommended that you enable the ufw firewall and add a rule for Nginx. Before enabling ufw firewall, make sure you add a rule for SSH, otherwise you may get locked out of your server if you are logged in remotely.

sudo ufw allow OpenSSH

Now add the “Nginx Full” profile and then delete the redundant “Nginx HTTP” profile if it exists.

sudo ufw allow 'Nginx Full'
sudo ufw delete allow 'Nginx HTTP'

You can check the current firewall rules with:

sudo ufw status

We should now see our SSH and Nginx rules:

Status: active

To                         Action      From
--                         ------      ----
OpenSSH                    ALLOW       Anywhere
Nginx Full                 ALLOW       Anywhere
OpenSSH (v6)               ALLOW       Anywhere (v6)
Nginx Full (v6)            ALLOW       Anywhere (v6) 

3. Add Domain Name to Server Block

Certbot automates the configuration of SSL for Nginx by looking for the server_name directive that matches the domain you’re requesting a certificate for. If you have already configured the server_name directive previously, you can skip to Step 4.

If you haven’t added your domain to the server_name directive or are unsure what it is, check the default server block file in /etc/nginx/sites-available/default to ensure your domain is listed there. If you followed one of our previous guides on setting up multiple domains, your config file might instead be located in /etc/nginx/sites-available/mydomain.com.

To do this, open the file in nano.

sudo nano /etc/nginx/sites-available/default

Look for the line server_name. (You can use CTRL + W to search).

Change this to your domain name (in our example, example.com). We will also add the www. variant of the domain here.

/etc/nginx/sites-available/default
...
server_name example.com www.example.com;
...

Save changes and close nano (press CTRL + X, then y and ENTER).

Check that the Nginx config file is valid.

sudo nginx -t

If valid, restart Nginx service.

sudo systemctl restart nginx

If you have multiple domains, simply repeat Step 3 and edit the relevant Nginx configuration files (e.g. /etc/nginx/sites-available/example2.com).

4. Get an SSL Certificate

We can now generate certs using certbot. Replace example.com with your own domain. (Note: If you are using CloudFlare, ensure it is disabled/paused before running this tool as it might interfere.)

If you want to use the www prefix for your domain, you will need to obtain a cert for that as well. Even if you’re only redirecting www.example.com to example.com, you will still need the www subdomain covered by the cert. Use additional -d flags to add more domains or subdomains if you wish.

sudo certbot --nginx -d example.com -d www.example.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx
Enter email address (used for urgent renewal and security notices) (Enter 'c' to
cancel):

Enter an email address where you can be contacted in case of urgent renewal and security notices.

Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server at
https://acme-v01.api.letsencrypt.org/directory
-------------------------------------------------------------------------------
(A)gree/(C)ancel:

Press a and ENTER to agree to the Terms of Service.

Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about EFF and
our work to encrypt the web, protect its users and defend digital rights.
-------------------------------------------------------------------------------
(Y)es/(N)o:

Press n and ENTER to not share your email address with EFF.

Obtaining a new certificate
Performing the following challenges:
http-01 challenge for example.com
http-01 challenge for www.example.com
Waiting for verification...
Cleaning up challenges
Deploying Certificate to VirtualHost /etc/nginx/sites-enabled/default
Deploying Certificate to VirtualHost /etc/nginx/sites-enabled/default

Certbot will now attempt to obtain the certificates for your domain(s).

If successful, you will be able to choose between allowing both HTTP and HTTPS access or forcing all requests to redirect to HTTPS. It is usually safest to require HTTPS, unless you have a specific need for unencrypted HTTP traffic.

Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
-------------------------------------------------------------------------------
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
-------------------------------------------------------------------------------
Select the appropriate number [1-2] then [enter] (press 'c' to cancel):

Press 2 and ENTER to redirect HTTP traffic to HTTPS.

Redirecting all traffic on port 80 to ssl in /etc/nginx/sites-enabled/default
Redirecting all traffic on port 80 to ssl in /etc/nginx/sites-enabled/default

-------------------------------------------------------------------------------
Congratulations! You have successfully enabled https://example.com and
https://www.example.com

You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=example.com
https://www.ssllabs.com/ssltest/analyze.html?d=www.example.com
-------------------------------------------------------------------------------

IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/example.com/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/example.com/privkey.pem
Your cert will expire on 2018-08-12. To obtain a new or tweaked
version of this certificate in the future, simply run certbot again
with the "certonly" option. To non-interactively renew *all* of
your certificates, run "certbot renew"
- If you like Certbot, please consider supporting our work by:

Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le

You’re all done!

5. Test SSL

You can now go to ssllabs.com/ssltest/ and run an SSL test on your domain.

A successful test should receive an A rating.

6. Auto Renewal

As Let’s Encrypt certs expire after 90 days, they need to be checked for renewal periodically. Certbot will automatically run twice a day and renew any certificate that is within thirty days of expiration.

To test that this renewal process is working correctly, you can run:

sudo certbot renew --dry-run
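As an added example (not part of the original tutorial), the following POSIX shell script reports how many days remain on the certificate a domain is actually serving, whether certbot’s 30-day renewal window has been reached, and whether the on-disk certificate under /etc/letsencrypt/live matches the one Nginx serves. It assumes GNU date (as on Ubuntu 18.04) and the openssl command-line tool; the domain and certificate path are the example values from the certbot output above.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: report how many days remain on a
# Let's Encrypt certificate and whether certbot's 30-day renewal window has been reached.
# Assumes GNU date (as on Ubuntu 18.04) and the openssl command-line tool.

# Days from now until an openssl-style notAfter date such as "Aug 12 00:00:00 2018 GMT".
# A negative result means the certificate has already expired.
days_until_expiry() {
    end=$(date -u -d "$1" +%s) || return 1
    now=$(date -u +%s)
    echo $(( (end - now) / 86400 ))
}

# Certbot renews a certificate once fewer than 30 days remain, so a certificate that
# stays in the "due" state means the twice-daily renewal job is not working.
renewal_state() {
    if [ "$1" -lt 0 ]; then
        echo expired
    elif [ "$1" -lt 30 ]; then
        echo due
    else
        echo ok
    fi
}

# notAfter of the certificate certbot saved on disk (the fullchain.pem path printed by certbot).
local_not_after() {
    openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//'
}

# notAfter of the certificate a domain actually serves on port 443; -servername sends SNI
# so Nginx selects the right server block when several domains share one host.
live_not_after() {
    openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -noout -enddate | sed 's/^notAfter=//'
}

# Usage: ./check_cert.sh example.com [/etc/letsencrypt/live/example.com/fullchain.pem]
if [ -n "$1" ]; then
    live=$(live_not_after "$1")
    days=$(days_until_expiry "$live")
    printf '%s serves a cert expiring %s (%s days left, %s)\n' \
        "$1" "$live" "$days" "$(renewal_state "$days")"
    if [ -n "$2" ]; then
        disk=$(local_not_after "$2")
        [ "$disk" = "$live" ] || \
            echo "WARNING: on-disk cert differs from the served cert; was Nginx reloaded after renewal?"
    fi
fi
```

A served certificate that differs from the one on disk is the usual sign that renewal succeeded but Nginx was never reloaded, so the old certificate keeps being presented until it expires.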

Cloudflare Users

Please ensure your Cloudflare SSL settings are correct. Log in to Cloudflare, go to Crypto and make sure SSL is set to Full (Strict).

Let me know in the comments if this helped. Follow me @DevAnswers or read more.

3 replies

After installing this for all three of my sites, none of them pass the SSL test, and none of them will load anymore. Did I do something wrong? I copied each line of code here, and pasted it into Terminal, only changing the domain names. Everything “seemed” to work fine, until the end test.

I figured it out. Have to forward port 443 on router to server. Everything works now. Thanks for this tutorial. 🙂