This quick tutorial will show you how to set up a free SSL certificate from Let’s Encrypt on an Ubuntu 18.04 server, running Nginx as a web server.
SSL (Secure Sockets Layer) is the standard security technology for establishing an encrypted link between a web server and a browser. This link ensures that all data passed between the web server and browsers remains private and intact.
Let’s Encrypt is a free, automated, and open Certificate Authority.
Step 1: Installing Let’s Encrypt Client
Let’s Encrypt certificates are fetched via client software (Certbot) running on your server.
sudo add-apt-repository ppa:certbot/certbot
sudo apt-get update
sudo apt-get install python-certbot-nginx
Step 2: Nginx configuration
An appropriate server block has to be present in the Nginx configuration for Certbot to find it and configure SSL (specifically, its server_name directive):
. . .
server_name example.com www.example.com;
. . .
Don’t forget to check the Nginx configuration syntax:
sudo nginx -t
Also, you’ll need to reload Nginx:
sudo systemctl reload nginx
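A pre-flight check for the server_name requirement above, as an added example that is not part of the original tutorial: it confirms that every name you plan to pass to certbot with -d appears in a server_name directive. The function names and the sample config are constructed for illustration; only exact names are matched, not wildcard or regex server_name entries.

```shell
#!/bin/sh
# Added example: verify that each domain you will request with certbot -d
# is listed in a server_name directive of an Nginx config file.

# Print every name found in server_name directives, one per line.
# Comments are stripped first, and lines are joined so that a directive
# spread over several lines is still read up to its terminating ';'.
list_server_names() {
    sed 's/#.*//' "$@" | tr '\n' ' ' | tr ';{}' '\n\n\n' |
    awk '$1 == "server_name" { for (i = 2; i <= NF; i++) print $i }' | sort -u
}

# check_domains CONF_FILE DOMAIN...
# Prints each domain that has no exact server_name match.
# Returns 0 if all domains are present, 1 otherwise.
check_domains() {
    conf=$1; shift
    names=$(list_server_names "$conf")
    missing=0
    for d in "$@"; do
        if ! printf '%s\n' "$names" | grep -qxF -- "$d"; then
            echo "missing server_name: $d"
            missing=1
        fi
    done
    return "$missing"
}

# Constructed sample config (not taken from a real server).
sample=$(mktemp)
cat > "$sample" <<'EOF'
server {
    listen 80;
    # server_name old.example.com;
    server_name example.com
                www.example.com;
}
EOF
check_domains "$sample" example.com www.example.com && echo "all names present"
rm -f "$sample"
```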
Step 3: Allowing HTTPS Through the Firewall (probably not needed)
The Uncomplicated Firewall (ufw) is a frontend for iptables and is particularly well-suited for host-based firewalls. By default, ufw is probably inactive. Therefore, we’ll check the status:
sudo ufw status
If active, you can let HTTPS traffic in like this:
sudo ufw allow 'Nginx Full'
sudo ufw delete allow 'Nginx HTTP'
Step 4: Obtaining Free SSL Certificate
Run the certbot command to obtain a certificate:
sudo certbot --nginx -d example.com -d www.example.com
The -d option specifies the names we’d like the certificate to be valid for.
Step 5: Verifying Certbot Auto-Renewal
Let’s Encrypt’s certificates are only valid for 90 days. This will encourage users to automate their certificate renewal process. The certbot package we installed takes care of this for us by adding a renew script to /etc/cron.d. This script runs twice a day and will automatically renew any certificate that’s within thirty days of expiration. To test the renewal process, do a dry run:
sudo certbot renew --dry-run
Finally, if there are no errors, everything is ready.
Add another domain (Expand)
For additional VHosts, simply type:
certbot certonly --webroot -w /var/www/vhost/domain.com/ --expand -d domain.com,www.domain.com
List Let’s Encrypt Certificates
Simply type:
certbot certificates