How To Secure Nginx with Let’s Encrypt on Ubuntu 20.04

how to secure nginx with let's encrypt on ubuntu 20.04

Securing a website running with Nginx as a web server can be done with Let’s Encrypt, and that is why we are writing this tutorial for you.

Let’s Encrypt is a Certificate Authority that provides free TLS/SSL certificates valid for 90 days. SSL stands for Secure Sockets Layer and an SSL certificate is a digital certificate that enables encrypted connection and authentication of the website identity. In this blog post, we will use Certbot to obtain a free SSL certificate for Nginx.

Installing Free Let’s Encrypt SSL certificate on Ubuntu 20.04 with Certbot is a straightforward process and should take up to 10 minutes. Let’s get started!

Prerequisites

  • Fresh install of Ubuntu 20.04
  • User privileges: root or non-root user with sudo privileges
  • Valid A record of the domain pointed to you server IP addess (yourdomain.com and www.yourdomain.com)

Update the System

Before we start with the installation process we need to update the system to get the latest packages and updates available.

sudo apt update -y && sudo apt upgrade -y

Install Nginx Web Server

To install the Nginx web server execute the following commands:

sudo apt install nginx -y

Once, the installation is completed, enable and start the Nginx service:

sudo systemctl enable nginx && sudo systemctl start nginx

To check if everything is OK, check the status of the service:

sudo systemctl status nginx

You should receive the following output:

root@vps:~# systemctl status nginx
● nginx.service - A high performance web server and a reverse proxy server
     Loaded: loaded (/lib/systemd/system/nginx.service; enabled; vendor preset: enabled)
     Active: active (running) since Sun 2022-02-06 19:34:56 UTC; 11s ago
       Docs: man:nginx(8)
    Process: 322857 ExecStartPre=/usr/sbin/nginx -t -q -g daemon on; master_process on; (code=exited, status=0/SUCCESS)
    Process: 322858 ExecStart=/usr/sbin/nginx -g daemon on; master_process on; (code=exited, status=0/SUCCESS)
   Main PID: 322859 (nginx)
      Tasks: 5 (limit: 4617)
     Memory: 5.0M
     CGroup: /system.slice/nginx.service
             ├─322859 nginx: master process /usr/sbin/nginx -g daemon on; master_process on;

Create Nginx Virtual Host

Before we continue with installing Free Let’s Encrypt we need to create a virtual host file containing our domain name. Go into the Nginx configuration directory and create the file.

cd /etc/nginx/conf.d/ && sudo nano yourdomain.com.conf

Paste, the following lines of code.

server {
        listen 80;
        root /var/www/html;
        index  index.php index.html index.htm;
        server_name yourdomain.com;

        error_log /var/log/nginx/yourdomain.com_error.log;
        access_log /var/log/nginx/yourdomain.com_access.log;

        client_max_body_size 100M;
        location / {
                try_files $uri $uri/ /index.php?$args;
        }
}

Check the Nginx configuration syntax if is OK.

nginx -t

You should receive the following output:

root@vps:/etc/nginx/conf.d# nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

If you receive this output you can restart the Nginx service and access your website.

sudo systemctl restart nginx

Install Certbot

At this moment, our website is running over the HTTP protocol. Installing Free Let’s Encrypt SSL certificate will make our website run securely over the HTTPS protocol. Before we start with obtaining the certificate we need to install the python certbot for Nginx.

sudo apt install certbot python3-certbot-nginx

Once, the certbot is installed successfully we can proceed with the main step in this tutorial about obtaining an SSL certificate.

Need a fast and easy fix?
✔ Unlimited Managed Support
✔ Supports Your Software
✔ 2 CPU Cores
✔ 2 GB RAM
✔ 50 GB PCIe4 NVMe Disk
✔ 1854 GeekBench Score
✔ Unmetered Data Transfer
NVME 2 VPS

Now just $43 .99
/mo

GET YOUR VPS

Obtaining an SSL Certificate

To run the certbot with Nginx plugin specifying the name of your domain execute the following command:

sudo certbot --nginx -d yourdomain.com -d www.yourdomain.com

After you execute this command there will be a couple of entries that you will need to fill, such as the email address, agreement about the terms and conditions, if you want to share your email adress or not, and the redirect options.

root@vps:~# sudo certbot --nginx -d yourdomain.com -d www.yourdomain.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx
Enter email address (used for urgent renewal and security notices) (Enter 'c' to
cancel): admin@yourdomain.com

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server at
https://acme-v02.api.letsencrypt.org/directory
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(A)gree/(C)ancel: A

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about our work
encrypting the web, EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: N
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for yourdomain.com
http-01 challenge for www.yourdomain.com
Waiting for verification...
Cleaning up challenges
Deploying Certificate to VirtualHost /etc/nginx/conf.d/example.conf
Deploying Certificate to VirtualHost /etc/nginx/conf.d/example.conf

Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Redirecting all traffic on port 80 to ssl in /etc/nginx/conf.d/example.conf
Redirecting all traffic on port 80 to ssl in /etc/nginx/conf.d/example.conf

If everything is set up as should be the certificate will be installed and you will receive the message below.

Congratulations! You have successfully enabled https://yourdomain.com and
https://www.yourdomain.com

You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=yourdomain.com
https://www.ssllabs.com/ssltest/analyze.html?d=www.yourdomain.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/yourdomain.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/yourdomain.com/privkey.pem
   Your cert will expire on 2022-05-07. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot again
   with the "certonly" option. To non-interactively renew *all* of
   your certificates, run "certbot renew"
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

Now, you can access your website securely at https://yourdomain.com

Congratulations! You successfully secured the Nginx with Free Let’s Encrypt SSL certificate on your Ubuntu 20.04 server.

Of course, you don’t have to install the SSL certificate on your own, and if you use one of our SSD VPS Hosting services, in which case you can simply ask our expert system administrators to install it for you and secure your website. They are available 24×7 and will take care of your request immediately.

If you liked this post, on how to secure Nginx with Lets Encrypt on Ubuntu 20.04, please share it with your friends on the social networks using the buttons below or simply leave a comment in the comments section. Thanks.

Leave a Comment