Configuring Let’s Encrypt SSL Cert for Nginx on Ubuntu 18.04
Prerequisites
You should be using a non-root user with sudo privileges.
You should also have Nginx already installed and serving web pages before continuing with this guide. Please see Installing Nginx on Ubuntu 18.04.
1. Install Let’s Encrypt client (Certbot)
UPDATE FEB 2019: This article has been updated to reflect Let’s Encrypt’s end of TLS-SNI-01 support.
Let’s begin by updating the package lists and installing software-properties-common. Commands separated by && will run in succession.
Now add the repositories universe and certbot. Press ENTER if prompted.
Update the package lists again and install certbot for Nginx. This is the Let’s Encrypt client. Press y and ENTER when prompted to continue.
2. Configure the Firewall
If you haven’t already done so, it is recommended that you enable the ufw firewall and add a rule for Nginx. Before enabling the ufw firewall, make sure you add a rule for SSH, otherwise you may get locked out of your server if you are logged in remotely.
Now add the “Nginx Full” profile and then delete the redundant “Nginx HTTP” profile if it exists.
You can check the current firewall rules with:
We should now see our SSH and Nginx rules:
3. Get an SSL Certificate
We will now obtain a cert for our test domain example.com. Certbot has an Nginx plugin, which automates the certificate installation.
Enter an email address where you can be contacted in case of urgent renewal and security notices.
Press a and ENTER to agree to the Terms of Service.
Press n and ENTER to not share your email address with EFF.
If you have multiple domains already configured on your server, you will see a list of them here. In this example, we only have one domain example.com and its www. prefix.
Select option 1 if you don’t want to use the www. prefix in your website address, otherwise select option 2.
Press 2 and ENTER to redirect all traffic to HTTPS.
You’re done!
4. Test SSL
You can now go to ssllabs.com/ssltest/ and run an SSL test on your domain.
A successful test should receive an A rating.
5. Auto Renewal
As Let’s Encrypt certs expire after 90 days, they need to be checked for renewal periodically. Certbot will automatically run twice a day and renew any certificate that is within thirty days of expiration.
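As an added example (not part of the original article), the script below reports how many days a certificate has left and whether it is already inside the thirty-day renewal window described above, which is a simple way to monitor that automatic renewal is really happening. It assumes GNU date and the openssl CLI; the function names are hypothetical, and /etc/letsencrypt/live/example.com/fullchain.pem is Certbot's default location for this article's test domain.

```sh
#!/bin/sh
# Added example, not from the original article. Assumes GNU date and the
# openssl CLI. Function names are hypothetical.

RENEW_WINDOW_DAYS=30   # article: Certbot renews within thirty days of expiry

# days_left NOT_AFTER [NOW_EPOCH]
# NOT_AFTER is the date openssl prints after "notAfter=".
# Prints whole days remaining, negative once the certificate has expired.
days_left() {
    # GNU date treats an empty string as "today", so reject it explicitly.
    [ -n "$1" ] || return 2
    dl_now=${2:-$(date +%s)}
    dl_end=$(date -d "$1" +%s 2>/dev/null) || return 2
    dl_diff=$(( dl_end - dl_now ))
    if [ "$dl_diff" -lt 0 ]; then
        # Round away from zero so "expired an hour ago" reports -1, not 0.
        echo $(( 0 - ( (86399 - dl_diff) / 86400 ) ))
    else
        echo $(( dl_diff / 86400 ))
    fi
}

# renewal_due NOT_AFTER [NOW_EPOCH]: exit 0 if inside the renewal window.
renewal_due() {
    rd_days=$(days_left "$@") || return 2
    [ "$rd_days" -lt "$RENEW_WINDOW_DAYS" ]
}

# check_cert FILE: one status line per PEM certificate, for cron mail or monitoring.
check_cert() {
    cc_na=$(openssl x509 -enddate -noout -in "$1" 2>/dev/null | cut -d= -f2)
    cc_days=$(days_left "$cc_na") || { echo "UNREADABLE $1"; return 2; }
    if [ "$cc_days" -lt 0 ]; then
        echo "EXPIRED $1 (${cc_days}d)"; return 1
    elif [ "$cc_days" -lt "$RENEW_WINDOW_DAYS" ]; then
        echo "RENEWAL-DUE $1 (${cc_days}d left)"; return 1
    fi
    echo "OK $1 (${cc_days}d left)"
}

# Check every file given on the command line, for example:
#   sudo sh check-cert.sh /etc/letsencrypt/live/example.com/fullchain.pem
for f in "$@"; do
    check_cert "$f"
done
```

A certificate that stays in RENEWAL-DUE for more than a day or two means the twice-daily Certbot run is failing and should be investigated before the certificate expires.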
To test that this renewal process is working correctly, you can run: