Let’s Encrypt Free SSL Setup – Nginx (Ubuntu 18.04)



Introduction

This quick tutorial will show you how to set up a free SSL certificate from Let’s Encrypt on an Ubuntu 18.04 server, running Nginx as a web server.

SSL (Secure Sockets Layer) is the standard security technology for establishing an encrypted link between a web server and a browser. This link ensures that all data passed between the web server and the browser remains private and unaltered.

Let’s Encrypt is a free, automated, and open Certificate Authority.

Step 1: Installing Let’s Encrypt Client

Let’s Encrypt certificates are fetched via client software (Certbot) running on your server.

sudo add-apt-repository ppa:certbot/certbot
sudo apt-get update
sudo apt-get install python-certbot-nginx

Step 2: Nginx configuration

An appropriate server block must be present in the Nginx configuration so that Certbot can find it and configure SSL. Certbot matches on the server_name directive:

. . .
server_name example.com www.example.com;
. . .

Don’t forget to check the Nginx configuration syntax:

sudo nginx -t

Also, you’ll need to reload Nginx:

sudo systemctl reload nginx

Step 3: Allowing HTTPS Through the Firewall (probably not needed)

The Uncomplicated Firewall (ufw) is a frontend for iptables and is particularly well-suited for host-based firewalls. By default, ufw is probably inactive. Therefore, we’ll check the status:

sudo ufw status

If active, you can let HTTPS traffic in like this:

sudo ufw allow 'Nginx Full'
sudo ufw delete allow 'Nginx HTTP'

Step 4: Obtaining Free SSL Certificate

Run the certbot command to obtain a certificate:

sudo certbot --nginx -d example.com -d www.example.com

The -d option specifies the names we’d like the certificate to be valid for.

Step 5: Verifying Certbot Auto-Renewal

Let’s Encrypt’s certificates are only valid for 90 days. This encourages users to automate their certificate renewal process. The certbot package we installed takes care of this for us by adding a renew script to /etc/cron.d. This script runs twice a day and will automatically renew any certificate that’s within thirty days of expiration. To test the renewal process, do a dry run:

sudo certbot renew --dry-run

If there are no errors, everything is ready.

Add another domain (Expand)

For additional VHosts, simply type:

certbot certonly --webroot -w /var/www/vhost/domain.com/ --expand -d domain.com,www.domain.com

List Let’s Encrypt Certificates

To list the certificates Certbot manages, type:

certbot certificates
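
The thirty-day renewal window from Step 5 and the listing command above can be combined into a check that detects silently failing auto-renewal. The script below is an added example, not part of the original tutorial: the helper names renewal_overdue and sample_listing are hypothetical, the listing layout is assumed to be the one certbot certificates prints, and the sample listing (names, dates, paths) is constructed.

```shell
#!/bin/sh
# Added example, not from the original tutorial.
# renewal_overdue LIMIT_DAYS  (hypothetical helper name)
#   stdin : text in the layout printed by `certbot certificates` (assumed)
#   stdout: "name: status" for each certificate that is INVALID or has
#           fewer than LIMIT_DAYS days left
#   exit  : 0 if nothing was flagged, 1 otherwise
renewal_overdue() {
    awk -v limit="$1" '
        /Certificate Name:/ { name = $3 }
        /Expiry Date:/ {
            # Status is the parenthesised tail, e.g. "(VALID: 89 days)".
            status = substr($0, index($0, "(") + 1)
            sub(/\)[ \t\r]*$/, "", status)
            days = -1                       # INVALID or unrecognised: flag it
            if (status ~ /^VALID: [0-9]+ day/) {
                split(status, f, " "); days = f[2] + 0
            } else if (status ~ /^VALID: [0-9]+ hour/) {
                days = 0                    # less than one day left
            }
            if (days < limit) { print name ": " status; bad = 1 }
        }
        END { exit bad + 0 }
    '
}

# Constructed sample listing (hypothetical names, dates and paths).
sample_listing() {
    cat <<'EOF'
Found the following certs:
  Certificate Name: example.com
    Domains: example.com www.example.com
    Expiry Date: 2019-03-01 10:00:00+00:00 (VALID: 67 days)
    Certificate Path: /etc/letsencrypt/live/example.com/fullchain.pem
  Certificate Name: domain.com
    Domains: domain.com www.domain.com
    Expiry Date: 2019-01-05 10:00:00+00:00 (VALID: 12 days)
    Certificate Path: /etc/letsencrypt/live/domain.com/fullchain.pem
  Certificate Name: old.example.com
    Domains: old.example.com
    Expiry Date: 2018-12-01 10:00:00+00:00 (INVALID: EXPIRED)
    Certificate Path: /etc/letsencrypt/live/old.example.com/fullchain.pem
EOF
}

# Demo on the constructed sample. On a server:
#   sudo certbot certificates | renewal_overdue 30
sample_listing | renewal_overdue 30 || echo "renewal is not keeping up"
```

A healthy certificate never drops below thirty days, so any line this prints means the cron job from Step 5 is not doing its work and the renewal logs need a look.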