Learn How To Setup Let’s Encrypt With Nginx on Ubuntu 16.04
Table of Contents
- Prerequisites
- Install Certbot
- Configuring Nginx
- Obtaining a Let’s Encrypt SSL certificate
- Automating renewal
- Enhanced configuration
Let’s Encrypt is a Certificate Authority (CA) that provides free SSL certificates with an automated client. By using a Let’s Encrypt SSL certificate, you can encrypt traffic between your website and your visitors. The entire process is simple, and renewals can be automated. Also, note that the installation or renewal of certificates does not cause any downtime.
In this tutorial, we’ll use Certbot to obtain, install and automatically renew your SSL certificate. Certbot is actively being developed by the Electronic Frontier Foundation (EFF) and it is the recommended client for Let’s Encrypt.
Prerequisites
- An ITWeb.Services instance running Ubuntu 16.04
- A registered domain name pointing to your server
- Nginx
Install Certbot
To obtain a Let’s Encrypt SSL certificate, you have to install the Certbot client on your server.
Add the repository. Press the ENTER key when prompted to accept.
add-apt-repository ppa:certbot/certbot
Update the package list.
apt-get update
Proceed by installing Certbot and Certbot’s Nginx package.
apt-get -y install python-certbot-nginx
Configuring Nginx
Certbot automatically configures SSL for Nginx, but to do so it needs to find the server block in your Nginx configuration file. It does this by matching the server_name
directive in the configuration file with the domain name for which you’re requesting a certificate.
If you’re using the default configuration file /etc/nginx/sites-available/default
open it with a text editor such as nano
and find the server_name
directive. Replace the underscore, _
, with your own domain name(s):
nano /etc/nginx/sites-available/default
After editing the configuration file, the server_name
directive should look as follows. In this example, I assume that your domain is example.com and that you’re requesting a certificate for example.com and www.example.com.
server_name example.com www.example.com;
Proceed by verifying the syntax of your edits.
nginx -t
If the syntax is correct, restart Nginx to use the new configuration. If you get any error messages, reopen the configuration file and check for any typos, then try again.
systemctl restart nginx
Obtaining a Let’s Encrypt SSL certificate
The following command will obtain a certificate for you. Edit your Nginx configuration to use it, and reload Nginx.
certbot --nginx -d example.com -d www.example.com
You can also request an SSL certificate for additional domains. Just add the “-d
” option as many times as you like.
certbot --nginx -d example.com -d www.example.com -d example.net -d example.net
In case you only want to obtain the certificate from Let’s Encrypt without installing it automatically you can use the following command. This makes temporary changes to your Nginx configuration to obtain the certificate and reverts them once the certificate has been downloaded.
certbot --nginx certonly -d example.com -d www.example.com
If you are running Certbot for the first time, you will be prompted to enter an email address and agree to the terms of service. This e-mail address will be used for renewal and security notices. Once you have provided an email address, Certbot will request a certificate from Let’s Encrypt and run a challenge to verify that you control the domain in question.
If Certbot can obtain an SSL certificate, it will ask how you would like to configure your HTTPS
settings. You can either redirect visitors who visit your website over an unsecured connection or let them access it over the unsecured connection. This should usually be enabled because it ensures that visitors only access the SSL-protected version of your website. Select your choice, then hit ENTER.
Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
-------------------------------------------------------------------------------
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
-------------------------------------------------------------------------------
Select the appropriate number [1-2] then [enter] (press 'c' to cancel):
Finally, Certbot will confirm that the process was successful and where your certificates are stored. Your certificates are now downloaded and installed.
Automating renewal
Because Let’s Encrypt is a free certificate authority, and to encourage users to automate the renewal process, certificates are only valid for 90 days. Certbot will take care of renewing certificates automatically. It does so by running certbot renew
twice per day via systemd
.
You can check that automatic renewal is working by running this command.
certbot renew --dry-run
You can also manually renew your certificate at any time by running the following command.
certbot renew
Enhanced configuration
The commands above obtain and install the SSL certificate with a configuration that is suitable for most cases. If you want to implement advanced security measures for your website, you can use the following command to obtain the certificate.
certbot --nginx --rsa-key-size 4096 --must-staple -d example.com -d www.example.com
The --rsa-key-size 4096
uses a 4096-bit RSA key instead of 2048 bit key, which is more secure. The downside of this is that a larger key results in a slight performance overhead. Additionally, older browsers and devices may not support 4096-bit RSA keys.
The --must-staple
adds the OCSP Must Staple extension to the certificate and configures Nginx for OCSP stapling. This extension allows browsers to verify that your certificate has not been revoked and can be trusted. Not all browsers support this feature, however.
Need help?
Do you need help setting up this on your own service?
Please contact us and we’ll provide you the best possible quote!