
How to Secure Nginx with Let’s Encrypt on Ubuntu 16.04

## Table of Contents

- [Introduction](#introduction)
- [Requirements](#requirements)
- [Installation of Certbot](#installation-of-certbot)
- [Installation of Certbot Nginx Package](#installation-of-certbot-nginx-package)
- [Setting Up Nginx](#setting-up-nginx)
- [Updating Firewall to Allow HTTPS Traffic](#updating-firewall-to-allow-https-traffic)
- [Generating SSL Certificate](#generating-ssl-certificate)
- [Verifying Certificates Auto Renewal](#verifying-certificates-auto-renewal)

## Introduction

Let’s Encrypt is a free Certificate Authority (CA) run by the Internet Security Research Group (ISRG). It issues two types of certificates: the standard single-domain Secure Sockets Layer (SSL) or Transport Layer Security (TLS) certificate, and the wildcard certificate, which covers not only a single domain but any of its subdomains as well. Both types are valid for 90 days and are renewable. Both are domain-validated and do not need a dedicated IP address.

The CA also provides a client, Certbot, that automates the entire process of obtaining and installing certificates. Certbot can configure both Apache and Nginx automatically.

This article guides you through obtaining, installing, and renewing a Let’s Encrypt certificate for Nginx on Ubuntu 16.04 using Certbot. It uses the default Nginx configuration file, which avoids some common mistakes and keeps the default file available as a fallback. The alternative, a dedicated server block, is beyond the scope of this guide.

## Requirements

- A fully set up Ubuntu 16.04 server with a non-root sudo user and a firewall.
- A registered domain name. You can buy one from the domain registrar of your choice.
- DNS records for the server. This tutorial uses two records, each pointing to your server’s public IP address.

## Installation of Certbot

The first step is to install Certbot on the server. Because Certbot is still under active development, this example uses the Certbot PPA, a software repository that carries the current packages, rather than relying only on the stock Ubuntu repository.

## Adding the Repository

$ sudo add-apt-repository ppa:certbot/certbot

Press ENTER to accept the change when prompted.

## Run System Update

$ sudo apt-get update

## Installation of Certbot Nginx Package

To install the Certbot Nginx package, run the command below:

$ sudo apt-get install python-certbot-nginx



At this stage Certbot is ready to use, but it still has to be pointed at the correct Nginx server block, which requires a small edit to the Nginx configuration.

## Setting Up Nginx

Certbot can configure SSL for Nginx automatically, but it needs to find the correct server block. It does this by looking for a server_name directive that matches the domain you are requesting a certificate for.

For a fresh Nginx installation, update the default config file with your favorite Linux text editor:

$ sudo nano /etc/nginx/sites-available/default

Locate the server_name line and set it to your domain name.

Save the file and exit.

## Verify the Configuration Edits

$ sudo nginx -t


If you followed the steps above carefully, there should be no errors. If there are, re-open the file and check for typos.

## Reload Nginx with the New Configuration

$ sudo systemctl reload nginx

Certbot should now be able to find the correct server block and update it.

## Updating Firewall to Allow HTTPS Traffic

If ufw is already enabled on your server, change its rules to allow HTTPS traffic. Nginx registers its application profiles with ufw when it is installed.

Confirm the status of ufw:

$ sudo ufw status

To allow HTTPS, enable the Nginx Full profile and delete the now redundant Nginx HTTP profile:

$ sudo ufw allow 'Nginx Full'

$ sudo ufw delete allow 'Nginx HTTP'

Check the status again:

$ sudo ufw status

The output should now list Nginx Full instead of Nginx HTTP.


Now we are ready to run Certbot and fetch the certificates.

## Generating SSL Certificate

Certbot can obtain SSL certificates through a variety of plugins. The Nginx plugin takes care of reconfiguring Nginx and reloading the configuration whenever necessary.

$ sudo certbot --nginx -d -d

The command above runs Certbot with the --nginx plugin; each -d option names a domain the certificate should cover.

If this is the first time you run Certbot, you will be prompted for an email address. Certbot then contacts the Let’s Encrypt server and attempts to verify that you control the domain you are requesting a certificate for.

If validation succeeds, Certbot will prompt you to choose your HTTPS settings.

Agree to the terms of service.

Finally, you will see a message confirming that the process succeeded and giving the location of the installed certificates.


## Verifying Certificates Auto-renewal

All Let’s Encrypt certificates are valid for ninety days, so renewal needs to be automated. The Certbot package installs a systemd timer that runs certbot renew twice a day. On systems without systemd, the same job is provided by a script in /etc/cron.d. Either way, the job runs twice a day and renews any certificate with fewer than thirty days left before expiry.

To test the renewal process, do a dry run with Certbot:

$ sudo certbot renew --dry-run

If there are no errors, everything is set up correctly: certificates will be renewed automatically when needed and Nginx will be reloaded to pick up the new ones. Expiry notices will be sent to the email address you specified during configuration.
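As an added check (example code, not part of the original guide), the script below applies the ninety-day lifetime and thirty-day renewal window described above to the certificate Nginx serves, using only the Python standard library. The constructed SAMPLE_CERT dict and the example.com names are placeholders; fetch_cert is the only part that touches the network.

```python
import socket
import ssl
import time

RENEW_BEFORE_DAYS = 30  # window in which Certbot's twice-daily renew job acts

# Constructed sample in the shape of ssl.getpeercert(); not a real certificate.
# Dates give exactly the 90-day Let's Encrypt lifetime; names are placeholders.
SAMPLE_CERT = {
    "subjectAltName": (("DNS", "example.com"), ("DNS", "www.example.com")),
    "notBefore": "Mar  1 00:00:00 2024 GMT",
    "notAfter": "May 30 00:00:00 2024 GMT",
}
# Two "current time" points in the sample's life: day 31 and day 70.
AT_DAY_31 = ssl.cert_time_to_seconds("Apr  1 00:00:00 2024 GMT")
AT_DAY_70 = ssl.cert_time_to_seconds("May 10 00:00:00 2024 GMT")

def days_remaining(not_after, now=None):
    """Days until notAfter, given in getpeercert() form ('May 30 00:00:00 2024 GMT')."""
    now = time.time() if now is None else now
    return (ssl.cert_time_to_seconds(not_after) - now) / 86400.0

def lifetime_days(cert):
    """Total validity period; a Let's Encrypt certificate should report 90."""
    start = ssl.cert_time_to_seconds(cert["notBefore"])
    return (ssl.cert_time_to_seconds(cert["notAfter"]) - start) / 86400.0

def renewal_due(not_after, now=None, window=RENEW_BEFORE_DAYS):
    """True once the certificate is inside the window the renew job acts on."""
    return days_remaining(not_after, now) < window

def missing_names(cert, wanted):
    """Names passed with -d that the certificate's SAN list does not cover."""
    sans = {v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"}
    return [n for n in wanted if n not in sans]

def fetch_cert(hostname, port=443):
    """Fetch the certificate Nginx actually serves (uses the network)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()

if __name__ == "__main__":
    import sys
    cert = fetch_cert(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_CERT
    print("days remaining:", round(days_remaining(cert["notAfter"]), 1))
    print("renewal due:", renewal_due(cert["notAfter"]))
    print("missing names:", missing_names(cert, sys.argv[2:]))
```

Run it as `python3 check_cert.py yourdomain www.yourdomain` against the live server; a non-empty "missing names" list means one of the -d names was not included in the issued certificate.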

## Wrapping Up

We installed the Let’s Encrypt client Certbot, obtained certificates for our domain, made sure Nginx serves them, and set up automatic renewal.

Please share your experience and let us know how it went using server blocks to configure Let’s Encrypt on Nginx.