How to Setup Nginx with Let's Encrypt on Ubuntu 20.04
To enable secure communication (i.e. HTTPS) on your NGINX web server, you need to obtain an SSL/TLS certificate from a trusted certificate authority. Let's Encrypt is a not-for-profit certificate authority that offers free SSL/TLS certificates.
This tutorial describes how to set up a free SSL/TLS certificate issued by Let's Encrypt on an Ubuntu 20.04 LTS server running Nginx.
Prerequisites:
- Ubuntu 20.04 server with Nginx installed and a hosted website
Certbot is an open-source tool that simplifies and automates the process of obtaining and renewing certificates from Let's Encrypt. We are going to install Certbot by using the Snap deployment system. Snap is pre-installed on Ubuntu 20.04.
Update snapd
Run the following commands to update snapd.
$ sudo snap install core
$ sudo snap refresh core
Install certbot snap
Next, we are ready to install the Certbot snap.
Note: If you have previously installed Certbot by using the standard apt command, then run the following command first to remove it. This will ensure that the Certbot snap works correctly.
$ sudo apt-get remove certbot
$ sudo snap install --classic certbot
certbot 1.11.0 from Certbot Project (certbot-eff✓) installed
Enable certbot command
After successfully installing the Certbot snap, run the next command to enable certbot for use.
$ sudo ln -s /snap/bin/certbot /usr/bin/certbot
Obtain your Certificate
When you run the command below, certbot will guide you through the rest of the process. Certbot also updates your NGINX configuration automatically to activate HTTPS.
$ sudo certbot --nginx
Below is a summary of what certbot will prompt you to do during this process.
- Provide an email address to which renewal and security notices will be sent
- Enter y to accept the terms of service
- Enter y or n to accept or decline to share your email address with the developers of Certbot
- Confirm the domain name(s) for which you would like to enable HTTPS
Output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx
Enter email address (used for urgent renewal and security notices)
 (Enter 'c' to cancel): [email protected]

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server. Do you agree?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: y

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing, once your first certificate is successfully issued, to
share your email address with the Electronic Frontier Foundation, a founding
partner of the Let's Encrypt project and the non-profit organization that
develops Certbot? We'd like to send you email about our work encrypting the web,
EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: n
Account registered.

Which names would you like to activate HTTPS for?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: domain1.com
2: www.domain1.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel):
Requesting a certificate for domain1.com and www.domain1.com
Performing the following challenges:
http-01 challenge for domain1.com
http-01 challenge for www.domain1.com
Waiting for verification...
Cleaning up challenges
Deploying Certificate to VirtualHost /etc/nginx/sites-enabled/domain1
Deploying Certificate to VirtualHost /etc/nginx/sites-enabled/domain1
Redirecting all traffic on port 80 to ssl in /etc/nginx/sites-enabled/domain1
Redirecting all traffic on port 80 to ssl in /etc/nginx/sites-enabled/domain1

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations! You have successfully enabled https://domain1.com and
https://www.domain1.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/domain1.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/domain1.com/privkey.pem
   Your certificate will expire on 2021-04-10. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot again
   with the "certonly" option. To non-interactively renew *all* of your
   certificates, run "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le
Certbot adds the following entries (the lines marked "# managed by Certbot") to the Nginx server block file. The first server block terminates TLS on port 443 using the Let's Encrypt certificate and key; the second block keeps listening on port 80 only to redirect requests for your domain names to HTTPS.
$ cat /etc/nginx/sites-enabled/domain1
# Virtual Host configuration for example.com
#
# You can move that to a different file under sites-available/ and symlink that
# to sites-enabled/ to enable it.
#
server {
    server_name domain1.com www.domain1.com;
    root /var/www/domain1.com;
    index index.html;
    location / {
        try_files $uri $uri/ =404;
    }

    listen [::]:443 ssl ipv6only=on; # managed by Certbot
    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/domain1.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/domain1.com/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}

server {
    if ($host = www.domain1.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    if ($host = domain1.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    listen 80;
    listen [::]:80;
    server_name domain1.com www.domain1.com;
    return 404; # managed by Certbot
}
Browse your website to confirm that the lock icon is now displayed.
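Beyond checking the lock icon, it is worth verifying from the shell that the site file actually contains the Certbot-managed directives shown above. The script below is an added example (not part of the tutorial or of Certbot): it audits a site file for the TLS listener, the Let's Encrypt certificate paths, the shared TLS settings include, and the port-80 redirect, and runs against a constructed, trimmed copy of the tutorial's configuration so it works offline.

```shell
#!/bin/sh
# Added example: audit an nginx site file for the directives Certbot adds.
# Uses only grep and sed; no network access and no real certificates needed.

# Constructed sample: a trimmed copy of the post-certbot site file from the
# tutorial, written to a temp file so the audit can be run offline.
SAMPLE_CONF="$(mktemp)"
cat > "$SAMPLE_CONF" <<'EOF'
server {
    server_name domain1.com www.domain1.com;
    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/domain1.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/domain1.com/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
}
server {
    if ($host = domain1.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot
    listen 80;
    server_name domain1.com www.domain1.com;
    return 404; # managed by Certbot
}
EOF

# audit_site FILE DOMAIN: prints one line per check, returns the number of
# failed checks (0 means the file looks like Certbot left it).
audit_site() {
    f="$1"; fails=0
    # Escape dots so the domain is matched literally inside the regexes.
    d="$(printf '%s' "$2" | sed 's/\./\\./g')"
    check() {  # check DESCRIPTION ERE-PATTERN
        if grep -Eq -- "$2" "$f"; then echo "ok    $1"; else echo "FAIL  $1"; fails=$((fails + 1)); fi
    }
    check "listens on 443 with ssl"        '^[[:space:]]*listen[[:space:]]+(\[::\]:)?443[[:space:]]+ssl'
    check "uses Let's Encrypt fullchain"   "ssl_certificate[[:space:]]+/etc/letsencrypt/live/$d/fullchain\.pem;"
    check "uses Let's Encrypt private key" "ssl_certificate_key[[:space:]]+/etc/letsencrypt/live/$d/privkey\.pem;"
    check "includes Certbot TLS settings"  'include[[:space:]]+/etc/letsencrypt/options-ssl-nginx\.conf;'
    check "port 80 redirects to https"     'return[[:space:]]+301[[:space:]]+https://\$host\$request_uri;'
    return "$fails"
}

# Run against the constructed sample; on a real server pass the site file,
# e.g. audit_site /etc/nginx/sites-enabled/domain1 domain1.com
audit_site "$SAMPLE_CONF" domain1.com
echo "failed checks: $?"
```

A non-zero count after `certbot --nginx` usually means Certbot edited a different server block than the one serving the site (for example a default site file), so check `server_name` in the other files under sites-enabled.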
Certificate Renewal Process
Certificates issued by Let's Encrypt are valid for 90 days. During installation, certbot creates a scheduled task that automatically renews your certificates before they expire. As long as you do not change your web server configuration, you will not need to run certbot again.
Run the following command to test the automatic renewal process.
$ sudo certbot renew --dry-run
Conclusion
In this guide, we learned how to set up a Let's Encrypt SSL/TLS certificate on an NGINX web server running on Ubuntu 20.04.
Instead of Certbot, you can also use the ACME shell script to automatically issue and renew free certificates from Let's Encrypt.
If anything is unclear, do let us know in the comments section below.