SSL/TLS certificates secure web traffic by enabling encrypted communication between servers and clients. Let's Encrypt is a free certificate authority (CA) that simplifies obtaining such certificates for Nginx.
In this article, learn how to secure an Nginx server on Ubuntu using Let's Encrypt.
Prerequisites
- Ubuntu installed (this guide uses Ubuntu 24.04).
- Command-line access.
- Administrative privileges on the system.
- A registered domain name.
- Nginx installed and set up for the domain.
How to Secure Nginx with Let's Encrypt
Using Let's Encrypt with Nginx provides a straightforward method to enable HTTPS and enhance website security. Follow the steps below to install a Let's Encrypt certificate on an Nginx web server.
Step 1: Install Certbot
Certbot is an open-source software tool that automatically enables HTTPS using Let's Encrypt certificates. To install Certbot:
1. Update the local package list:
sudo apt update
2. Download and install the required packages (Certbot and its Nginx plugin) by running:
sudo apt install certbot python3-certbot-nginx
Type y and press Enter to start the installation.
Step 2: Check Nginx Configuration
When deploying Nginx on a web server, the user creates a configuration file to define one or more server blocks. Proceed with the steps below to check whether the server block has been set up correctly:
1. Open the Nginx configuration file for the relevant domain:
sudo nano /etc/nginx/sites-available/[configuration_file]
As an example, this article uses the example.com domain:
sudo nano /etc/nginx/sites-available/example.com
Note: If you have not set up the server block yet, refer to this guide on how to set up an Nginx server block.
2. Locate the server_name directive and ensure it is set to the correct domain name:
server_name [domain_name] www.[domain_name];
Include the domain name both with and without the www prefix.
If you made changes to the Nginx configuration file, save them and check the configuration syntax:
sudo nginx -t
Reload the Nginx service to apply the changes:
sudo systemctl reload nginx
Step 3: Adjust Firewall to Allow HTTPS Traffic
When adding Let's Encrypt certificates, the firewall must be configured for encrypted traffic. To ensure your firewall is active and allows HTTPS traffic:
1. Check the firewall status:
sudo ufw status
The output confirms that UFW is active and lists the configured rules. In this article's example, the output shows that the firewall allows Nginx HTTP traffic but not HTTPS.
Nginx has three profiles that can be added as rules:
- Nginx HTTP (opens port 80).
- Nginx HTTPS (opens port 443 for encrypted traffic).
- Nginx Full (opens ports 80 and 443).
2. To allow encrypted traffic, add the Nginx HTTPS profile:
sudo ufw allow 'Nginx HTTPS'
Alternatively, remove the Nginx HTTP rule and use Nginx Full instead (use delete rather than deny, because a deny rule for port 80 would take precedence and block plain HTTP, which the Let's Encrypt HTTP-01 challenge and the HTTP-to-HTTPS redirect rely on):
sudo ufw delete allow 'Nginx HTTP' && sudo ufw allow 'Nginx Full'
3. Verify that the rule allowing HTTPS traffic is active:
sudo ufw status
Step 4: Obtain the SSL/TLS Certificate
The Nginx plugin for Certbot reconfigures Nginx and reloads its configuration when necessary. The steps below explain how to generate certificates using Certbot and the Nginx plugin:
1. Run the certbot command with the --nginx flag:
sudo certbot --nginx -d example.com -d www.example.com
2. Enter your email address and follow the rest of the wizard.
Certbot completes certificate generation and reloads Nginx with the new settings.
Step 5: Enable Automatic Certificate Renewal
Let's Encrypt certificates last 90 days, after which they expire and must be renewed. To automate this process, follow the steps to set up a cron job for automatic renewal:
1. Open the crontab configuration file for the current user:
crontab -e
2. Add a cron job that runs the certbot command, which renews the certificate if it is set to expire within 30 days. Schedule it to run daily at a specified time (the example sets the time to 5:00 a.m.):
0 5 * * * /usr/bin/certbot renew --quiet
The cron job should also include the --quiet flag, which silences all Certbot output except errors.
3. Save the changes and exit the file.
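The renewal rule above (renew when fewer than 30 days remain of the 90-day lifetime) can be checked by hand against the certificate Certbot installed. The following script is an added example, not part of the original article or of Certbot; it assumes GNU date (as on Ubuntu) and openssl, and the certificate path is the usual Certbot location for the example.com domain used in this guide.

```shell
#!/usr/bin/env bash
# Added example: report how many days a certificate has left and whether it is
# inside Certbot's 30-day renewal window. Assumes GNU date and openssl.
set -euo pipefail

RENEW_WITHIN_DAYS=30   # Certbot's default: renew when fewer than 30 days remain

# expiry_epoch "<notAfter line as printed by openssl>" -> Unix timestamp
# Accepts either "notAfter=Jun  1 12:00:00 2025 GMT" or the bare date string.
expiry_epoch() {
  local not_after="${1#notAfter=}"
  date -u -d "$not_after" +%s
}

# days_left "<notAfter line>" [<reference time, default now>]
# Whole days until expiry, truncated toward zero; negative means expired.
days_left() {
  local exp_epoch now_epoch
  exp_epoch=$(expiry_epoch "$1")
  now_epoch=$(date -u -d "${2:-now}" +%s)
  echo $(( (exp_epoch - now_epoch) / 86400 ))
}

# renewal_status "<notAfter line>" [<reference time>] -> ok | renew | expired
renewal_status() {
  local exp_epoch now_epoch d
  exp_epoch=$(expiry_epoch "$1")
  now_epoch=$(date -u -d "${2:-now}" +%s)
  d=$(days_left "$1" "${2:-now}")
  if [ "$exp_epoch" -le "$now_epoch" ]; then
    echo expired
  elif [ "$d" -lt "$RENEW_WITHIN_DAYS" ]; then
    echo renew          # certbot renew would act on this certificate
  else
    echo ok             # certbot renew would skip it for now
  fi
}

# check_live_cert <path to fullchain.pem>: read the real expiry with openssl.
check_live_cert() {
  local line
  line=$(openssl x509 -in "$1" -noout -enddate)
  printf '%s: %s (%s days left)\n' "$1" "$(renewal_status "$line")" "$(days_left "$line")"
}

# Usage: sudo ./cert-expiry.sh /etc/letsencrypt/live/example.com/fullchain.pem
if [ "$#" -ge 1 ]; then
  check_live_cert "$1"
fi
```

Running it right after Step 4 should print ok with roughly 90 days left; running it daily alongside the cron job shows when the renewal should actually fire.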
Conclusion
After following this tutorial, you can secure an Nginx deployment on Ubuntu using Let's Encrypt. The article also showed how to renew SSL/TLS certificates automatically.
Next, learn how to set up and use Nginx as a reverse proxy.