Install & Secure NGINX with Let’s Encrypt Certificates on Ubuntu 20.04

In this tutorial, we introduce Let’s Encrypt SSL and its advantages, then move on to the installation phase on Ubuntu 20.04.

Nginx is a free, open-source web server and one of the most popular for hosting websites and applications on the internet. By default, Nginx serves its content over HTTP. For security reasons, it is recommended to use HTTPS to protect data in transit. Let’s Encrypt is a global CA that allows you to obtain, renew, and manage SSL/TLS certificates for your website.

What Is Let’s Encrypt SSL?

Earlier, encrypting website traffic was an expensive ordeal, especially for small businesses that needed to deliver a secure platform to their visitors but could not invest in HTTPS because of the cost. Let’s Encrypt made things much easier for businesses of all sizes. Its launch helped to eliminate the complexity of installing and maintaining security certificates.

Let’s Encrypt is an automated certificate authority that provides free TLS/SSL certificates to compatible clients using the ACME (Automatic Certificate Management Environment) protocol. ACME ensures that obtaining, renewing, and revoking certificates between a certificate authority and its users’ web servers is automated.

Brought up by the non-profit Internet Security Research Group (ISRG) in 2016, Let’s Encrypt is a free and open certificate authority designed to prove a site’s authenticity, and its certificates are just as secure as paid certificates. Also, it is quite easy to install and update.

Out-of-date certificates often lead to page errors. The Let’s Encrypt automated process reduces this problem to a great extent. Its certificates are generally valid for only 90 days and support automatic renewal.

Hosted by the Linux Foundation, it allows domain owners to access trusted certificates free of cost for their sites. Additionally, you can configure the certificate and automatically manage its renewal with Let’s Encrypt. Mozilla Foundation, Akamai, Cisco, IdenTrust, the Electronic Frontier Foundation (EFF), and Automattic are some of the project sponsors.

Benefits of Let’s Encrypt SSL Certificates

Let’s Encrypt is a free certificate authority (CA) that provides digital certificates to website owners that want to enable HTTPS (SSL/TLS) for their websites. These SSL certificates automatically renew every 60 days and free users from manual work. Also, these are trusted in all major browsers.

Let’s look at some other advantages of Let’s Encrypt SSL Certificates:

Free and Easy to Install

You do not have to pay anything to obtain a trusted certificate for your domain with Let’s Encrypt. It is a free, open certificate authority that provides site authenticity at zero cost and is easy to install and update.

Simple and Automatic

Another advantage of Let’s Encrypt SSL certificates is that all the communication involved in proving control of a website is automated. There are no payments and no validation emails. The certificate enrollment process runs smoothly, and you do not have to worry much about the server’s native installation or configuration process. Certificates are also renewed automatically.

Transparent and Open

Nothing is hidden from users with Let’s Encrypt SSL certificates. All issued or revoked certificates are publicly available for inspection.

Offers Better Security

Let’s Encrypt is a highly secure platform that incorporates modern security techniques and advanced TLS security best practices. It ensures that all traffic is encrypted and secure, just as with a paid CA-signed certificate. Also, operators can stay assured that their servers are safe and secure at all times.

Follow this post to learn how to install & secure Nginx with Let’s Encrypt on Ubuntu 20.04.

Install & Secure NGINX with Let's Encrypt Certificates on Ubuntu 20.04

Prerequisites

  • A valid domain name pointed to your server IP.
  • A root user or a user with sudo privileges.

Install Nginx Web Server

Before starting, the Nginx web server must be installed on your server. If not installed, you can install it by running the following command:

				
					apt install nginx -y
				
			

Once Nginx is installed, start the Nginx service and enable it to start after the system reboot:

				
					systemctl start nginx
					systemctl enable nginx
					systemctl status nginx
				
			

Now, open your web browser and verify the Nginx test page using the URL http://your-server-ip. You should see the Nginx test page.

Create a Basic Website with Nginx

Before using Let’s Encrypt SSL, we need to create a basic website using the Nginx web server. First, create a website directory with the following command:

				
					mkdir /var/www/html/nginx.linuxbuz.com
				
			

Next, change the ownership and permissions of the website directory:

				
					chown -R www-data:www-data /var/www/html/nginx.linuxbuz.com
					chmod -R 775 /var/www/html/nginx.linuxbuz.com

				
			

Next, create an index.html page for the website:

				
					nano /var/www/html/nginx.linuxbuz.com/index.html
				
			

Add the following HTML code:

				
					<!DOCTYPE html>
					<html lang="en" dir="ltr">
					<head>
					<title>Secure Nginx with Let's Encrypt SSL</title>
					</head>
					<body>
					<h2>Congratulations! Your Nginx Website is Secured with Let's Encrypt SSL</h2>
					</body>
					</html>
				
			

Save and close the file when you are finished.

Create an Nginx Virtual Host

Next, you will need to create an Nginx virtual host configuration file to define your website domain and index.html file. You can create it with the following command:

				
					nano /etc/nginx/conf.d/nginx.linuxbuz.com.conf
				
			

Add the following configuration:

				
					server {
					    listen 80;
					    server_name nginx.linuxbuz.com;
					    root /var/www/html/nginx.linuxbuz.com;
					    index index.html;
					    location / {
					        try_files $uri $uri/ =404;
					    }
					}

				
			

Save and close the file, then restart the Nginx service using the following command:

				
					systemctl restart nginx
				
			

Now, open your web browser and test it using the URL http://nginx.linuxbuz.com. You should see your index.html page.

Download and Install Let's Encrypt SSL

At this point, your website is created and hosted with the Nginx web server. However, it is not secured yet. You will need to install the Certbot package to install and manage the Let’s Encrypt SSL.

Run the following command to install the Certbot package:

				
					apt install certbot python3-certbot-nginx -y
				
			

Once the Certbot package is installed, run the following command to download and install the Let’s Encrypt SSL on your website:

				
					certbot --nginx
				
			

You will be asked to provide a valid email address and accept the terms of service:

				
					Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx
Enter email address (used for urgent renewal and security notices) (Enter 'c' to
cancel): hitjethva@gmail.com

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server at
https://acme-v02.api.letsencrypt.org/directory
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(A)gree/(C)ancel: A

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about our work
encrypting the web, EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y

				
			

Next, you will be asked to select the domain on which you want to install the Let’s Encrypt SSL:

				
					Which names would you like to activate HTTPS for?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: nginx.linuxbuz.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 1

				
			

Select your domain and press the Enter key. You will be asked to choose whether or not to redirect HTTP traffic to HTTPS:

				
					Obtaining a new certificate
Performing the following challenges:
http-01 challenge for nginx.linuxbuz.com
Enabled nginx rewrite module
Waiting for verification...
Cleaning up challenges
Created an SSL vhost at /etc/nginx/conf.d/nginx.linuxbuz.com-le-ssl.conf
Enabled nginx socache_shmcb module
Enabled nginx ssl module
Deploying Certificate to VirtualHost /etc/ngin/conf.d/nginx.linuxbuz.com-le-ssl.conf
Enabling available site: /etc/nginx/conf.d/nginx.linuxbuz.com-le-ssl.conf

Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel):

				
			

Choose 2 to enable the redirection and press the Enter key. Once the Let’s Encrypt SSL is installed and configured, you should see the following output:

				
					Enabled nginx rewrite module
Redirecting vhost in /etc/nginx/conf.d/nginx.linuxbuz.com.conf to ssl vhost in /etc/nginx/conf.d/nginx.linuxbuz.com-le-ssl.conf

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations! You have successfully enabled https://nginx.linuxbuz.com

You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=nginx.linuxbuz.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/nginx.linuxbuz.com/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/nginx.linuxbuz.com/privkey.pem
Your cert will expire on 2022-09-17. To obtain a new or tweaked
version of this certificate in the future, simply run certbot again
with the "certonly" option. To non-interactively renew *all* of
your certificates, run "certbot renew"
- Your account credentials have been saved in your Certbot
configuration directory at /etc/letsencrypt. You should make a
secure backup of this folder now. This configuration directory will
also contain certificates and private keys obtained by Certbot so
making regular backups of this folder is ideal.
- If you like Certbot, please consider supporting our work by:

Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le

- We were unable to subscribe you the EFF mailing list because your
e-mail address appears to be invalid. You can try again later by
visiting https://act.eff.org.

				
			

Verify Let's Encrypt SSL

Your Let’s Encrypt certificate is now installed and loaded into Nginx’s configuration. Now, it’s time to test whether the Let’s Encrypt SSL is installed.

You can now test it using the HTTPS protocol https://nginx.linuxbuz.com. You should see your website page including a lock icon in the address bar.

You can also use the SSL Labs Server Test to verify your certificate’s grade and obtain detailed information about it.
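
The same verification can be done from a terminal. The script below is an added example, not part of the original tutorial: it checks that plain HTTP is redirected to HTTPS on the expected host (the result of choosing option 2 above) and prints the issuer and subject of the served certificate. The function names and the sample headers are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the tutorial). Requires curl, openssl and awk.

# Read HTTP response headers on stdin (as printed by `curl -sI`) and say
# whether plain HTTP is redirected to HTTPS on the expected host.
classify_redirect() {
    awk -v host="$1" '
        { sub(/\r$/, "") }                        # headers arrive with CRLF endings
        NR == 1 { status = $2 }                   # e.g. "HTTP/1.1 301 Moved Permanently"
        tolower($1) == "location:" { loc = $2 }
        END {
            https = "https://" host
            if (status !~ /^30[1278]$/) print "no-redirect"
            else if (loc == https || index(loc, https "/") == 1) print "https-redirect"
            else print "redirect-elsewhere"       # other scheme or look-alike host
        }'
}

# Constructed sample: the kind of response expected after choosing option 2.
sample_redirect_headers() {
    printf 'HTTP/1.1 301 Moved Permanently\r\nServer: nginx\r\nLocation: https://nginx.linuxbuz.com/\r\n\r\n'
}

# Constructed sample: a site still answering over plain HTTP (option 1).
sample_plain_headers() {
    printf 'HTTP/1.1 200 OK\r\nServer: nginx\r\nContent-Type: text/html\r\n\r\n'
}

# Live check: redirect status, then issuer and subject of the served certificate.
check_site() {
    curl -sI --max-time 10 "http://$1/" | classify_redirect "$1"
    echo | openssl s_client -connect "$1:443" -servername "$1" 2>/dev/null |
        openssl x509 -noout -issuer -subject
}

# Usage: sh check_https.sh nginx.linuxbuz.com
if [ $# -gt 0 ]; then check_site "$1"; fi
```

A result of `redirect-elsewhere` means the server redirects, but not to HTTPS on the same host name, so the HTTP virtual host should be reviewed.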

Verifying Certbot Auto Renewal

By default, Let’s Encrypt certificates are valid for only 90 days, so it is recommended to set up automatic renewal. The certbot package provides a systemd timer that runs twice a day and automatically renews any certificate that is within thirty days of expiration.

You can verify whether the Certbot auto renewal is working or not by running the following command:

				
					certbot renew --dry-run
				
			

If everything is fine, you will get the following output:

				
					Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/nginx.linuxbuz.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Account registered.
Simulating renewal of an existing certificate for nginx.linuxbuz.com and www.nginx.linuxbuz.com

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations, all simulated renewals succeeded: 
  /etc/letsencrypt/live/nginx.linuxbuz.com/fullchain.pem (success)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
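
A dry run only shows that renewal can work today. The script below is an added example, not part of the original tutorial: it reads the expiry date of each certificate under /etc/letsencrypt/live and flags any that has fallen well inside the thirty-day renewal window, which means the timer has stopped renewing. It assumes GNU date and openssl; the 25-day alert threshold and the function names are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the tutorial). Assumes GNU date and openssl.
# On Ubuntu the timer itself can be listed with: systemctl list-timers certbot.timer

ALERT_BELOW_DAYS=25   # assumption: some slack under certbot's 30-day renewal point

# Print a PEM certificate's notAfter value, e.g. "Sep 17 10:00:00 2022 GMT".
cert_not_after() {
    openssl x509 -in "$1" -noout -enddate | cut -d= -f2
}

# Classify a notAfter string against "now" (epoch seconds, default: current time).
#   ok               renewal is keeping up
#   renewal-overdue  inside the alert window: the timer should have renewed already
#   expired          browsers now reject the certificate
#   unparseable      no usable date (for example, openssl could not read the file)
renewal_state() {
    [ -n "$1" ] || { echo "unparseable"; return 0; }
    now="${2:-$(date +%s)}"
    end=$(date -u -d "$1" +%s 2>/dev/null) || { echo "unparseable"; return 0; }
    left=$(( end - now ))
    if [ "$left" -le 0 ]; then echo "expired"
    elif [ "$left" -lt $(( ALERT_BELOW_DAYS * 86400 )) ]; then echo "renewal-overdue"
    else echo "ok"
    fi
}

# Report every certificate lineage certbot manages on this host.
for pem in /etc/letsencrypt/live/*/fullchain.pem; do
    [ -r "$pem" ] || continue
    echo "$pem: $(renewal_state "$(cert_not_after "$pem")")"
done
```

Run it as root, since the files under /etc/letsencrypt/live are not world-readable, and treat any result other than `ok` as a reason to inspect /var/log/letsencrypt/letsencrypt.log.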
				
			

Great effort! We have learned how to Install & Secure NGINX with Let’s Encrypt Certificates on Ubuntu 20.04. Let’s summarize. 

Install & Secure NGINX with Let's Encrypt Certificates on Ubuntu 20.04 Conclusion

In this post we gave you a brief overview of Let’s Encrypt SSL and showed you the Let’s Encrypt installation steps with the Nginx web server on Ubuntu 20.04. Let’s Encrypt is a free certificate provider and its aim is to create a more secure Web by promoting the widespread adoption of HTTPS. Let’s Encrypt certificates are trusted and you can use them on any website which uses a fully qualified domain name.

Hitesh Jethva

I am a fan of open source technology and have more than 10 years of experience working with Linux and Open Source technologies. I am one of the Linux technical writers for Cloud Infrastructure Services.
