Grid Guides

Explore How System On Grid Can Work For You

Grid Guide Topics

How to Secure Nginx with Let’s Encrypt on Ubuntu 18.04

Table Of Contents

    ## Table of Contents

    – [Introduction](#introduction
    – [Prerequisites](#prerequisites
    – [Secure Nginx with Lets Encrypt](#secure-nginx-with-let-s-encrypt
    – [Install Certbot](#install-certbot
    – [Setup Nginx](#setup-nginx
    – [Allow HTTPS Through the Firewall](#allow-https-through-the-firewall
    – [Obtain an SSL Certificate](#obtain-an-ssl-certificate
    – [Verify Certbot Auto-Renewal](#verify-certbot-auto-renewal
    – [Conclusion](#conclusion

    ## Introduction

    In this guide, we will explain to you how to obtain SSL certificate using [Certbot](, how to secure Nginx with Let’s Encrypt on Ubuntu 18.04 and how to renewal SSL certificate automatically.

    [Let’s Encrypt]( is an automated certificate authority (CA, provided by the [Internet Security Research Group]( (ISRG, that provides an easy way to obtain and install free SSL/TLS certificates. Thus, it provides an easy way to encrypt HTTPS on web servers for free in the most user-friendly way possible. It makes the process easy by providing a client, Certbot, that automates most of the necessary steps. The entire process is fully automated on [Nginx web server](

    ## Prerequisites

    You should have access to an Ubuntu 18.04 server and created a non-root user account with sudo privileges by following our guide, [Initial server setup with Ubuntu 18.04](

    Nginx must be installed on Ubuntu 18.04. Do it by following our guide, [How to Install Nginx on Ubuntu 18.04](

    You must own or have access to a registered domain that you wish to use SSL/TLS certificate with. In this tutorial, we use to explain you the process. You must have created a record that points your domain to the public IP address of your server. This is because to make Let’s Encrypt validate that you are the owner of the domain it is issuing an SSL/TLS certificate for.

    ## Secure Nginx with Let’s Encrypt

    ## Install Certbot

    The first step in obtaining an SSL/TLS certificate using Let’s Encrypt is installing Certbot software on your server. Install the updated version of Certbot using Ubuntu software repository that has been developed and maintained by Certbot developers.

    Add the repository using the following command.

    $ sudo add-apt-repository ppa:certbot/certbot


    Press ENTER to accept.

    To know the new repository’s package information, update the package list using the following command.

    $ sudo apt-get update

    Now, enable universe repository using the following command.

    $ sudo add-apt-repository universe
    Then, install Certbot using apt-get command.

    $ sudo apt-get install python-certbot-nginx

    Now, the software client, Certbot, is ready to use.

    ## Setup Nginx

    To automatically configure SSL for Nginx, Certbot needs to find the correct server block in your configuration. It does the process by looking for a server_name directive that matches with your domain you are requesting an SSL certificate for.

    Update the configuration file using the following command.

    $ sudo nano /etc/nginx/sites-available/default

    Find the server_name line in the file, /etc/nginx/sites-available/default.

    server_name localhost;
    Place your domain name in the place of localhost.


    Then, save the file.

    Check the syntax of your configuration edits with the following command.

    $ sudo nginx -t

    If you get no errors, reload Nginx for the new configuration

    $ sudo service nginx reload

    Now, the Certbot can find the correct server block. Update it.

    ## Allow HTTPS Through the Firewall

    Chances are you have the ufw firewall enabled, recommended by the prerequisites guides. If you have done that, you will have to adjust the settings to allow for HTTPS traffic. To make this process simpler, Nginx registers a few profiles with ufw upon installation.

    You can see the current setting by the following command.

    $ sudo ufw status

    You will probably see output like below.



    If your ufw status is inactive, use the following command to activate it.

    $ sudo ufw enable
    Now, to let in HTTPS traffic, allow Nginx full profile and delete unnecessary Nginx HTTP profile allowance.

    $ sudo ufw allow ‘Nginx Full’
    $ sudo ufw delete allow ‘Nginx HTTP’

    Now your status looks like this.

    $ sudo ufw status


    That’s it. You have successfully allowed HTTPS through the firewall.

    ## Obtain an SSL Certificate

    Certbot provides many plugins to obtain SSL certificates. The Nginx plugin takes care of re-configuring Nginx and reloading the config whenever it is necessary.

    $ sudo certbot –nginx -d -d

    The above command runs the Certbot with the Nginx plugin using -d to specify the domain name that you are requesting the certificate for.

    If this is the first that you are running Certbot, you will be asked to enter your email address and agree to the terms and conditions of the service.

    After this, Certbot communicates with the Let’s Encrypt and runs a challenge to verify if you own or have control over the domain that you are requesting an SSL certificate for.

    If this is successful, Certbot will ask you to configure your HTTPS settings.



    Choose one option, then hit ENTER. The configuration will be updated. Nginx will be reloaded and pick the new settings.

    Now, Certbot will show you a message telling you that the process was successful and the path where the certificates are stored.



    Now, your SSL certificates are downloaded, installed, and configured.

    Load your website using and check your browser’s security indicator. It must represent with a green lock icon telling that this website is properly secured.

    ## Verify Certbot Auto-Renewal

    These SSL certificates issued by Let’s Encrypt are valid only for 90 days. The certbot runs certbot renew via a systemd timer twice a day to take care of the auto-renewal process. On non-systemd distributions, the process is provided by a script that is placed in /etc/cron.d. This task renews any certificate that is within 30 days of the expiration date.

    Use the following command to test the renewal process.

    $ sudo certbot renew –dry-run

    You are all set if you see no errors.

    If the auto-renewal process fails, Let’s Encrypt will send you the email, you have specified, when your certificate is about to expire.

    ## Conclusion

    You have successfully obtained SSL certificate using Certbot, secured Nginx with Let’s Encrypt on Ubuntu 18.04 and renewed SSL certificate automatically.