Grid Guides

Explore How System On Grid Can Work For You

Grid Guide Topics

How to Secure Nginx with Let’s Encrypt on Debian 9

Table Of Contents

    ## Table of Contents

    – [Introduction](#introduction
    – [Prerequisites](#prerequisites
    – [Secure Nginx with Let’s Encrypt on Debian 9](#secure-nginx-with-let-s-encrypt-on-debian-9
    – [Install Certbot](#install-certbot
    – [Setup Nginx](#setup-nginx
    – [Allow HTTPS Through The Firewall](#allow-https-through-the-firewall
    – [Obtain an SSL Certificate](#obtain-an-ssl-certificate
    – [Verify Certbot Auto-Renewal](#verify-certbot-auto-renewal
    – [Conclusion](#conclusion

    ## Introduction

    In this guide, we will explain to you how to obtain SSL certificate using Certbot, how to secure Nginx with Let’s Encrypt on Debian 9 and how to renewal SSL certificate automatically.

    [Let’s Encrypt]( is an automated certificate authority (CA, provided by the [Internet Security Research Group (ISRG](, that provides an easy way to obtain and install free SSL/TLS certificates. Thus, it provides an easy way to encrypt HTTPS on web servers for free in the most user-friendly way possible. It makes the process easy by providing a client, [Certbot]( that automates most of the necessary steps. The entire process is fully automated on the Nginx web server.

    ## Prerequisites

    You should have access to a Debian 9 server and created a non-root user account with the sudo privileges. You can do this by following our guide, [Initial server setup with Debian 9](

    You should have installed Nginx on Debian 9. You can do this by following our guide, How to Install Nginx on Debian 9.

    You must own or have access to a registered domain that you wish to use SSL/TLS certificate with. In this guide, we use to explain you the process.

    You must have created a record that points your domain to the public IP address of your server. This is because to make Let’s Encrypt validate that you are the owner of the domain it is issuing an SSL/TLS certificate for.

    ## Secure Nginx with Let’s Encrypt on Debian 9

    ## Install Certbot

    The first step in obtaining an SSL/TLS certificate using Let’s Encrypt is installing Certbot software on your server. Install the updated version of Certbot by enabling the Debian 9 backports repository in the /etc/apt/sources.list.

    Open the /etc/apt/sources.list in your text editor to add the backports repository.

    $ sudo vi /etc/apt/sources.list

    Check for the following lines at the bottom of the file.


    deb stretch-backports main contrib non-free
    deb-src stretch-backports main contrib non-free

    If you have the above two lines within the file, uncomment them by removing “#” before them. If you don’t have, add them at the bottom of the file.

    Then, save and close the file.

    To know the new repository’s package information, update the package list using the following command.

    $ sudo apt update

    Then, install Certbot using the apt command. Enter “Y” when you are asked if you want to continue the installation.

    $ sudo apt install python-certbot-nginx -t stretch-backports

    Now, the software client, Certbot is ready to use.

    ## Setup Nginx

    To automatically configure SSL for Nginx, Certbot needs to find the correct server block in your configuration. It does the process by looking for a server_name directive that matches with your domain you are requesting an SSL certificate for.

    To update, open the configuration file in your text editor.

    $ sudo vi /etc/nginx/sites-available/default

    Find the server_name line in the file, /etc/nginx/sites-available/default.

    server_name localhost;

    Place your domain name in the place of localhost.


    Then, save the file.

    Check the syntax of your configuration edits with the following command.

    $ sudo nginx -t



    If you get no errors, reload Nginx for the new configuration

    $ sudo service nginx reload

    Now, the Certbot can find the correct server block. Update it.

    ## Allow HTTPS Through The Firewall

    Chances are you have enabled the [ufw firewall]( recommended in the prerequisites guides. If you have done that, you will have to adjust the settings to allow for HTTPS traffic.

    You can see the current ufw setting by using the following command.

    $ sudo ufw status

    You will get an output something like the below.



    If your ufw status is inactive, use the following command to activate it.

    $ sudo ufw enable

    Now, to let in HTTPS traffic, allow the Nginx full profile and delete the unnecessary Nginx HTTP profile allowance.

    $ sudo ufw allow ‘Nginx Full’
    $ sudo ufw delete allow ‘Nginx HTTP’

    Now, check the status of the ufw.

    $ sudo ufw status



    That’s it. You have successfully allowed the Nginx Full (HTTPS traffic and deleted the Nginx HTTP through the firewall.

    ## Obtain an SSL Certificate

    Certbot provides many plugins to obtain SSL certificates. The Nginx plugin takes care of re-configuring Nginx and reloading the configuration whenever it is necessary.

    $ sudo certbot –nginx -d -d

    The above command runs the Certbot with the Nginx plugin using -d to specify the domain name that you are requesting the certificate for.

    If this is the first that you are running Certbot, you will be asked to enter your email address and agree to the terms and conditions of the service. Enter “A” to agree and then hit the ENTER button.


    Then, you will be asked if you are willing to share your email address with the Electronic Frontier Foundation that develops Certbot. Enter “Y” to agree and then hit the ENTER button.


    Then, Certbot communicates with the Let’s Encrypt and runs a challenge to verify if you own or have control over the domain that you are requesting an SSL certificate for.

    If this is successful, Certbot will ask you to configure your HTTPS settings. Choose one option, then hit ENTER. The configuration will be updated. Nginx will be reloaded and pick the new settings.



    Then, Certbot will show you a message telling you that the process was successful and the path where the certificates are stored.



    ## Verify Certbot Auto-Renewal

    The SSL certificates issued by Let’s Encrypt are valid only for 90 days. The certbot runs certbot renew via a systemd timer twice a day to take care of the auto-renewal process. On non-systemd distributions, the process is provided by a script that is placed in /etc/cron.d. This task renews any certificate that is within 30 days of the expiration date.

    Use the following command to test the renewal process.

    $ sudo certbot renew –dry-run

    You are all set if you see no errors.

    If the auto-renewal process fails, Let’s Encrypt will send you the email, you have specified, when your certificate is about to expire.

    ## Conclusion

    You have successfully obtained an SSL certificate using Certbot, secured Nginx with Let’s Encrypt on Debian 9 and renewed SSL certificate automatically.