Secure Nginx with Let’s Encrypt SSL Certificate on Ubuntu 18.04


What is an SSL Certificate?

Over time, internet-related security breaches have been on the rise as hackers work around the clock to steal user data for malicious purposes. An SSL certificate is a digital certificate installed on a web server, primarily to encrypt data sent between the user’s browser and the server so that only the intended recipient can read it. This is crucial because, without encryption, information is sent as plain text and can easily be intercepted by hackers.

For this reason, most e-commerce stores and online money payment platforms such as PayPal encrypt their websites. An SSL certificate also provides authentication, ensuring that information is sent to the right server and not to a hacker.

Google Likes Secure Sites

An SSL certificate helps your site rank higher in Google. According to Google’s announcement, SSL-encrypted sites will rank higher than sites without encryption, which are considered unsafe. A secured site is indicated by a padlock in the URL bar and a URL that begins with https instead of http. If your site lacks HTTPS, Google marks the site URL as “Not Secure”, and this can negatively impact your site rankings.

Nginx with Let’s Encrypt SSL Certification on Ubuntu

In this article, we will look at how to secure Nginx with Let’s Encrypt SSL on Ubuntu 18.04. Let’s Encrypt is a free and automated SSL certificate service provided by the Let’s Encrypt certificate authority. By 2018, Let’s Encrypt had secured over 150 million websites.

Let’s get started and see how we can secure Nginx with Let’s Encrypt SSL on Ubuntu 18.04.

Prerequisites

To get started, ensure you have the following:

  • A server instance of Ubuntu Server 18.04 with SSH access
  • A non-root user with sudo privileges
  • A Fully Qualified Domain Name (FQDN) with an A record pointed to the server’s IP address
  • In this example, we are going to use the domain name crazytechgeek.info, which is pointed to a VPS with IP address 18.191.46.130.

Step 1. Installing Nginx

The first step is to install the Nginx web server. But first, update your system by logging in as a non-root user and executing the following command.

$ sudo apt update

Next, install Nginx with the following command.

$ sudo apt install nginx


Once installed, verify that Nginx is running by executing the following command.

$ sudo systemctl status nginx


Great! Now that we have installed our web server, let’s proceed to the next step.

Step 2. Install Certbot

Let us now install Certbot on our server. In this example, we will use the Certbot PPA, a software repository for Ubuntu that contains all the updated files. To add the Certbot repository, run the following command.

$ sudo add-apt-repository ppa:certbot/certbot


To make the system repositories aware of the changes made, please update the system.

$ sudo apt update

Step 3. Install Certbot Nginx package

We are then going to install the Certbot Nginx package. To achieve this, run the command below:

$ sudo apt-get install python-certbot-nginx


Step 4. Updating Firewall to allow HTTPS traffic

We need to allow HTTPS traffic, which uses port 443, through the firewall for SSL to work. Let’s first check the status of the firewall.

$ sudo ufw status


Before we enable the firewall, let’s first allow “Nginx Full” which will take care of both HTTP and HTTPS.

$ sudo ufw allow 'Nginx Full'


Let us now enable the ufw firewall. Hit ‘y’ when prompted.

$ sudo ufw enable


Let’s verify if the rules were added to the firewall.

$ sudo ufw status

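Enabling ufw with only the ‘Nginx Full’ rule in place blocks incoming SSH, because ufw denies incoming traffic by default. The pre-flight check below is an added example, not part of the original tutorial: it reads the output of `sudo ufw show added` and reports any missing allowance. The function name missing_allowances and the sample input are constructed for illustration.

```sh
#!/bin/sh
# Added example: pre-flight check to run before `sudo ufw enable`.
# Reads the text of `sudo ufw show added` on stdin and prints one line per
# missing allowance; prints nothing when SSH, HTTP and HTTPS are all covered.
# Only simple "ufw allow|limit <profile-or-port>" rules are recognised.
missing_allowances() {
    awk -v q="'" '
    $1 == "ufw" && ($2 == "allow" || $2 == "limit") {
        rule = $0
        sub(/^ufw (allow|limit) /, "", rule)
        gsub(q, "", rule)               # drop quotes around profile names
        if (rule ~ /^(OpenSSH|ssh|22|22\/tcp)$/)         ssh = 1
        if (rule == "Nginx Full")                        http = https = 1
        if (rule ~ /^(Nginx HTTP|http|80|80\/tcp)$/)     http = 1
        if (rule ~ /^(Nginx HTTPS|https|443|443\/tcp)$/) https = 1
    }
    END {
        if (!ssh)   print "ssh: no allow rule, enabling ufw would block SSH logins"
        if (!http)  print "http: port 80 is not allowed"
        if (!https) print "https: port 443 is not allowed"
    }'
}

# Constructed sample: the rule set after this tutorial's `ufw allow` command.
sample="Added user rules (see 'ufw status' for running firewall):
ufw allow 'Nginx Full'"
printf '%s\n' "$sample" | missing_allowances
```

If the ssh line is reported, run `sudo ufw allow OpenSSH` before enabling the firewall.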

Step 5. Generating SSL certificate

The last part is the generation of the Let’s Encrypt SSL certificate. To achieve this, use the syntax below.

$ sudo certbot --nginx -d example.com -d www.example.com

This will generate the SSL certificate that will be valid for example.com as well as www.example.com.

In our case, the command is:

$ sudo certbot --nginx -d crazytechgeek.info -d www.crazytechgeek.info


If you are running Certbot for the first time, you will first be prompted to enter an email address.

Certbot then contacts the Let’s Encrypt server, which tries to verify that you control the domain you are requesting a certificate for.

Next, press A to agree to the terms of service.

Next, you will be asked whether you would like your email address to be shared with EFF. Here, you can either decide to opt in or out.

The next step is the most important one. Here you are asked whether to redirect HTTP requests to HTTPS. Select the second option.

If all went well, you will get a message confirming it.

Wonderful! You have successfully installed Let’s Encrypt SSL on your Nginx web server.

To verify this, go to your server’s address in the browser and refresh.

Note that the URL now begins with https instead of http. To view more information about the SSL certificate, click on the padlock symbol and select the ‘Certificate’ option.

Renew Let’s Encrypt SSL Certificate

A Let’s Encrypt certificate is valid for 90 days, which means it has to be renewed every 3 months. The renewal is done automatically by the Let’s Encrypt tooling. To test the renewal process, do a dry run with Certbot as shown.

$ sudo certbot renew --dry-run

If there are no errors, everything went according to plan and the auto-renewal will take place as needed. All messages about certificate expiration will be sent to the email address specified during configuration.
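A dry run only shows that renewal works today; an independent expiry check catches a renewal that later stops working. The script below is an added example, not from the original article: it converts the line printed by `openssl x509 -noout -enddate` into days remaining. The 30-day threshold mirrors Certbot’s default renewal window, and the function names and sample date are constructed.

```sh
#!/bin/sh
# Added example. Input is the line `openssl x509 -noout -enddate` prints,
# e.g. "notAfter=Jun  1 12:00:00 2025 GMT" (constructed sample below).

# cert_epoch LINE -> Unix time of notAfter; exit status 2 if unparsable.
cert_epoch() {
    printf '%s\n' "$1" | awk '
    {
        sub(/^notAfter=/, "")
        split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", name, " ")
        for (i = 1; i <= 12; i++) mon[name[i]] = i
        if (!($1 in mon) || $5 != "GMT" || split($3, t, ":") != 3) exit 2
        m = mon[$1]; d = $2 + 0; y = $4 + 0
        # Days since 1970-01-01 (civil-date arithmetic, no date(1) needed)
        if (m <= 2) y--
        era = int(y / 400); yoe = y - era * 400
        mp = (m > 2) ? m - 3 : m + 9
        doy = int((153 * mp + 2) / 5) + d - 1
        doe = yoe * 365 + int(yoe / 4) - int(yoe / 100) + doy
        days = era * 146097 + doe - 719468
        printf "%d\n", days * 86400 + t[1] * 3600 + t[2] * 60 + t[3]
    }'
}

# renewal_state LINE NOW_EPOCH -> "ok N" | "renew-overdue N" | "expired"
# N = whole days left. 30 = Certbot default renewal window (assumed unchanged).
renewal_state() {
    exp=$(cert_epoch "$1") || { echo "unparsable"; return 2; }
    [ "$exp" -gt "$2" ] || { echo "expired"; return 1; }
    left=$(( ($exp - $2) / 86400 ))
    if [ "$left" -lt 30 ]; then echo "renew-overdue $left"; return 1; fi
    echo "ok $left"
}

# Constructed sample; on a server, feed it the real certificate instead:
#   openssl x509 -noout -enddate -in /etc/letsencrypt/live/<domain>/cert.pem
sample='notAfter=Jun  1 12:00:00 2025 GMT'
renewal_state "$sample" "$(date +%s)" || true
```

A non-zero exit status from renewal_state makes it easy to call from cron or a monitoring agent.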
