Secure Nginx with Let's Encrypt on Ubuntu 20.04
https://linuxize.com/post/secure-nginx-with-let-s-encrypt-on-ubuntu-20-04/
Let’s Encrypt is a free, automated, and open certificate authority developed by the Internet Security Research Group (ISRG) that provides free SSL certificates.
Certificates issued by Let’s Encrypt are trusted by all major browsers and valid for 90 days from the issue date.
This tutorial explains how to install a free Let’s Encrypt SSL certificate on Ubuntu 20.04, running Nginx as a web server. We’ll also show how to configure Nginx to use the SSL certificate and enable HTTP/2.
Before you proceed, make sure that you have met the following prerequisites:
You have a domain name pointing to your public IP. We’ll use example.com.
You have Nginx installed on your CentOS server.
Your firewall is configured to accept connections on ports 80 and 443.
We’ll use certbot to obtain and renew the certificates.
Certbot is a fully-featured and easy to use tool that automates the tasks for obtaining and renewing Let’s Encrypt SSL certificates and configuring web servers to use the certificates.
The certbot package is included in the default Ubuntu repositories. To install it run the following commands:
Diffie–Hellman key exchange (DH) is a method of securely exchanging cryptographic keys over an unsecured communication channel.
Generate a new set of 2048 bit DH parameters by typing the following command:
You can also use a key length up to 4096 bits, but the generation may take more than 30 minutes, depending on the system entropy.
To obtain an SSL certificate for the domain, we’re going to use the Webroot plugin that works by creating a temporary file for validating the requested domain in the ${webroot-path}/.well-known/acme-challenge directory. The Let’s Encrypt server makes HTTP requests to the temporary file to verify that the requested domain resolves to the server where certbot runs.
To make it more simple we’re going to map all HTTP requests for .well-known/acme-challenge to a single directory, /var/lib/letsencrypt.
The following commands will create the directory and make it writable for the Nginx server:
To avoid duplicating code, we’ll create two snippets and include them in all Nginx server block files.
Open your text editor and create the first snippet, letsencrypt.conf:
/etc/nginx/snippets/letsencrypt.conf
Next, create the second snippet, ssl.conf, which includes the ciphers recommended by Mozilla, enables OCSP Stapling and HTTP Strict Transport Security (HSTS), and enforces a few security-focused HTTP headers.
/etc/nginx/snippets/ssl.conf
Once the snippets are created, open the domain server block file and include the letsencrypt.conf snippet as shown below:
/etc/nginx/sites-available/example.com.conf
To enable the new server block, create a symbolic link from the file to the sites-enabled directory:
Restart the Nginx service for the changes to take effect:
You can now run Certbot with the webroot plugin and obtain the SSL certificate files by issuing:
If the SSL certificate is successfully obtained, certbot will print the following message:
Now that you have the certificate files, you can edit your domain server block as follows:
/etc/nginx/sites-available/example.com.conf
With the configuration above we are forcing HTTPS and redirecting from the www to the non-www version.
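Because the configuration files themselves are not reproduced on this page, here is an added shell helper (not the article's own files) that renders the three server blocks described above for a given domain: port 80 answering ACME challenges and redirecting to HTTPS, the www host redirecting to the non-www host, and the canonical HTTPS site. It assumes certbot's default /etc/letsencrypt/live/<domain>/ certificate layout and the /etc/nginx/snippets/ location for the two snippets.

```shell
#!/bin/sh
# Added example (not the article's own files): render the server blocks
# described above for one domain. Assumed paths: certbot's default
# /etc/letsencrypt/live/<domain>/ layout and /etc/nginx/snippets/ for the snippets.
render_site_conf() {
  domain="$1"
  # Refuse anything that is not a plain hostname so it cannot break the directives
  case "$domain" in
    ""|*[!A-Za-z0-9.-]*) echo "invalid domain: $domain" >&2; return 1 ;;
  esac
  live="/etc/letsencrypt/live/${domain}"
  cat <<EOF
# Port 80: answer ACME challenges, send everything else to HTTPS
server {
    listen 80;
    server_name ${domain} www.${domain};
    include snippets/letsencrypt.conf;
    return 301 https://\$host\$request_uri;
}

# HTTPS www -> non-www redirect (also answers challenges for www.${domain})
server {
    listen 443 ssl http2;
    server_name www.${domain};
    ssl_certificate ${live}/fullchain.pem;
    ssl_certificate_key ${live}/privkey.pem;
    ssl_trusted_certificate ${live}/chain.pem;
    include snippets/ssl.conf;
    include snippets/letsencrypt.conf;
    return 301 https://${domain}\$request_uri;
}

# Canonical HTTPS site
server {
    listen 443 ssl http2;
    server_name ${domain};
    ssl_certificate ${live}/fullchain.pem;
    ssl_certificate_key ${live}/privkey.pem;
    ssl_trusted_certificate ${live}/chain.pem;
    include snippets/ssl.conf;
    include snippets/letsencrypt.conf;
    root /var/www/${domain}/html;
}
EOF
}

# Usage: render_site_conf example.com > /etc/nginx/sites-available/example.com.conf
```

Run `nginx -t` after writing the file; the ssl_certificate paths only exist once certbot has issued the certificate, so render this final version after the certificate is obtained.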
Reload the Nginx service for changes to take effect:
To verify that the SSL certificate is successfully installed, open your website using https://, and you’ll notice a green lock icon.
Let’s Encrypt’s certificates are valid for 90 days. To automatically renew the certificates before they expire, the certbot package creates a cronjob and a systemd timer. The timer will automatically renew the certificates 30 days before their expiration.
When the certificate is renewed, the nginx service needs to be reloaded. Open the /etc/letsencrypt/cli.ini file and add the following line:
/etc/cron.d/certbot
To test the renewal process, run the certbot --dry-run command:
If there are no errors, it means that the renewal process was successful.
We’ve shown you how to use certbot to download Let’s Encrypt SSL certificates for your domain. We’ve also created Nginx snippets to avoid duplicating code and configured Nginx to use the certificates.
To learn more about how to use Certbot, visit their documentation.
If you have any questions or feedback, feel free to leave a comment.
If you test your domain using the SSL Labs Server Test, you’ll get an A+ grade, as shown in the image below: