How to Secure Nginx using Let's Encrypt SSL on Ubuntu
For any website served by Nginx, it is recommended to enable SSL/TLS encryption for the site's domain so that the connection between the web server and the browser is protected. Let's Encrypt is a publicly trusted certificate authority that issues SSL/TLS certificates for free, which lets you serve your website over the encrypted HTTPS protocol. SSL stands for Secure Sockets Layer, an encryption-based internet security protocol (today superseded by TLS, though the name SSL is still widely used) designed to provide privacy, authentication, and data integrity for internet communications.
Fortunately, the free Certbot tool makes it easy to get a certificate on Ubuntu: it automates both obtaining the Let's Encrypt [SSL] certificate and installing it into the Nginx configuration. So in this tutorial, we will use Certbot to get an SSL certificate for Nginx.
As we previously taught how to secure Nginx on Debian, in this article we show how to secure Nginx on Ubuntu. If you intend to secure Nginx on Ubuntu using Let's Encrypt [SSL], this article will let you obtain an SSL certificate for Nginx on Ubuntu 22.04 with Certbot in about 15 minutes, and also learn how to set up automatic certificate renewal. So stay with us until the end of this article.
Prerequisites
- Ubuntu system or Ubuntu Linux VPS (Ubuntu 22.04)
- A user account with Sudo/Root privileges
- Installing Nginx on Ubuntu
- Domain name registration
- A server block set up for your domain name (for example, /etc/nginx/sites-available/yourdomainname.com)
- DNS records for your domain that point to your server's public IP (both yourdomainname.com and www.yourdomainname.com).
Our recommendation when securing Nginx on Ubuntu is to create a separate Nginx server block file for each domain rather than editing the default configuration, so that the default files remain available as a fallback configuration.
1. Installing Certbot
As we explained at the beginning of the article, to use the HTTPS protocol on your site with a free Let's Encrypt [SSL] certificate for Nginx, you need to install Certbot, which automates the process. Certbot is distributed as a snap package, so snapd must be installed to manage it.
So first, update the list of Ubuntu packages with the following command:
sudo apt update -y && sudo apt upgrade -y
Then install and refresh the snap core package by running the following command:
sudo snap install core; sudo snap refresh core
Fortunately, Ubuntu 22.04 supports snaps out of the box, so the command above is all that is needed to bring the snap core up to date. Note that we want to use the latest Certbot release, so if an older version of Certbot from the apt repositories is already installed on your Ubuntu system, run the following command to remove it:
sudo apt remove certbot
Now you can install certbot on Ubuntu:
sudo snap install --classic certbot
So that you can run Certbot simply by typing certbot, link the certbot command from the snap install directory into your path:
sudo ln -s /snap/bin/certbot /usr/bin/certbot
2. Checking Nginx’s Configuration
A prerequisite for securing Nginx using Let's Encrypt [SSL] is a registered domain and a configured Nginx server block for that domain. In this tutorial we will use yourdomainname.com. To configure SSL automatically, Certbot must locate the right server block in the Nginx configuration; it does this by matching the server_name directive against the domain name for which you request a certificate.
To confirm that the server block is configured correctly, open your domain configuration file in your favorite editor (preferably nano):
sudo nano /etc/nginx/sites-available/yourdomainname.com
In your domain configuration file, find the line containing the server_name directive and make sure it is set to your domain name. For example:
Output:
/etc/nginx/sites-available/yourdomainname.com
...
server_name yourdomainname.com www.yourdomainname.com;
...
If the server_name directive is not set to your domain name, set it now, listing the domain both with and without www (every name you later pass to Certbot must appear here). Then save the file and exit.
To check the syntax of the edited configuration, use the following command:
sudo nginx -t
After making sure that you have edited your configuration file correctly, reload the Nginx service by running the following command to apply your new configuration:
sudo systemctl reload nginx
Certbot should now be able to easily find the appropriate server block.
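Before running Certbot it is worth verifying that the names you will pass with -d really appear in a server_name directive. The following added example (not part of the original article) does that check offline against a constructed sample server block; on a live system, point it at /etc/nginx/sites-available/yourdomainname.com instead.

```shell
# Added example (not from the original article): a pre-flight check that
# the server block Certbot will match really lists the names you pass
# with -d. It runs offline against a constructed sample file; on a live
# system point it at /etc/nginx/sites-available/yourdomainname.com.

# Print every name from the server_name directives in a config file,
# one per line (several names per line and the trailing ';' are handled).
server_block_names() {
    awk '$1 == "server_name" {
            for (i = 2; i <= NF; i++) {
                n = $i; sub(/;$/, "", n)
                if (n != "") print n
            }
        }' "$1"
}

# Return 0 when every domain given after the file name appears in a
# server_name directive, 1 (with a message on stderr) otherwise.
check_server_names() {
    file=$1; shift
    names=$(server_block_names "$file")
    rc=0
    for d in "$@"; do
        if ! printf '%s\n' "$names" | grep -qxF -- "$d"; then
            echo "missing server_name for $d in $file" >&2
            rc=1
        fi
    done
    return $rc
}

# Constructed sample server block (what step 2 expects to find).
SAMPLE_CONF=$(mktemp)
trap 'rm -f "$SAMPLE_CONF"' EXIT
cat > "$SAMPLE_CONF" <<'EOF'
server {
    listen 80;
    server_name yourdomainname.com www.yourdomainname.com;
    root /var/www/yourdomainname.com/html;
}
EOF

check_server_names "$SAMPLE_CONF" yourdomainname.com www.yourdomainname.com \
    && echo "ok: Certbot will find this server block"
```

Run it with sh; a missing name is reported on stderr and the exit status is non-zero, which is exactly the case where certbot --nginx would fail to find a matching block.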
3. Configuring the firewall to allow HTTPS traffic
If the ufw firewall is enabled on the Ubuntu server, one of the steps in getting an SSL certificate is configuring the firewall to allow HTTPS traffic. When Nginx is installed, it registers application profiles with ufw. To check the profiles registered by Nginx and the current firewall rules, enter the following command:
sudo ufw status
Output:
Status: active
To Action From
-- ------ ----
OpenSSH ALLOW Anywhere
Nginx HTTP ALLOW Anywhere
OpenSSH (v6) ALLOW Anywhere (v6)
Nginx HTTP (v6) ALLOW Anywhere (v6)
Most likely, your output will show that Nginx HTTP traffic is allowed but Nginx HTTPS (encrypted) traffic is not. There are two options:
- Allow only the additional HTTPS profile (port 443) alongside the existing HTTP rule:
sudo ufw allow 'Nginx HTTPS'
- Or allow the Nginx Full profile (both HTTP and HTTPS) and delete the now-redundant Nginx HTTP rule:
sudo ufw allow 'Nginx Full'
sudo ufw delete allow 'Nginx HTTP'
To ensure that HTTPS traffic is now allowed in the ufw firewall, run the ufw status command again:
sudo ufw status
Output:
Status: active
To Action From
-- ------ ----
OpenSSH ALLOW Anywhere
Nginx Full ALLOW Anywhere
OpenSSH (v6) ALLOW Anywhere (v6)
Nginx Full (v6) ALLOW Anywhere (v6)
4. Obtaining SSL/TLS certificate
Certbot's Nginx plugin obtains the SSL/TLS certificate and, where needed, rewrites your Nginx server block to use it. To get a certificate with the Nginx plugin, enter the following command, listing every name the certificate should cover:
sudo certbot --nginx -d yourdomainname.com -d www.yourdomainname.com
When you run this command, Certbot asks for an email address (used for renewal and security notices) and asks you to accept the terms of service.
After agreeing to the terms of service, you will receive a message that displays the success of the process of obtaining the certificate and the location where the certificate is stored:
Output:
IMPORTANT NOTES:
Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/your_domain/fullchain.pem
Key is saved at: /etc/letsencrypt/live/your_domain/privkey.pem
This certificate expires on 2023-05-22.
These files will be updated when the certificate renews.
Certbot has set up a scheduled task to automatically renew this certificate in the background.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
If you like Certbot, please consider supporting our work by:
* Donating to ISRG / Let’s Encrypt: https://letsencrypt.org/donate
* Donating to EFF: https://eff.org/donate-le
As a result, the SSL certificate is downloaded and installed, Nginx is reloaded with the new configuration, and HTTPS is enabled. To check that your site is secured, reload your website in a browser: a lock icon next to the address in the URL bar confirms that the site is being served over HTTPS with a valid certificate, which gives your website credibility.
5. Enabling automatic certificate renewal
Note that a certificate issued by Let's Encrypt is valid for only 90 days, so it has to be renewed before then. Since renewing manually every time is error-prone, automating the renewal is the solution.
Fortunately, the Certbot snap package you installed includes a systemd timer that renews the certificate automatically.
Enter the following command to check the status of the timer:
sudo systemctl status snap.certbot.renew.service
Output:
○ snap.certbot.renew.service - Service for snap application certbot.renew
Loaded: loaded (/etc/systemd/system/snap.certbot.renew.service; static)
Active: inactive (dead)
TriggeredBy: ● snap.certbot.renew.timer
To confirm that the automatic renewal actually works end to end, simulate a renewal with the following command:
sudo certbot renew --dry-run
If this command reports an error, there is a problem with the automatic renewal settings that must be fixed; otherwise, there is nothing to worry about, and Certbot will renew the certificate correctly when it is due.
If automatic renewal is not set up, Let's Encrypt will remind you before the certificate expires by sending an email to the address you specified during configuration.
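Trusting the timer is fine, but a practitioner also wants an independent check that the deployed certificate is not drifting toward expiry. The following added example (not part of the original article) counts the days left from the YYYY-MM-DD expiry date Certbot prints (as in the "This certificate expires on 2023-05-22" line above, or the "Expiry Date:" line of certbot certificates, whose format is assumed here) and flags anything inside Certbot's 30-day renewal window.

```shell
# Added example (not from the original article): count the days left on
# a Let's Encrypt certificate from the YYYY-MM-DD date Certbot prints
# ("This certificate expires on 2023-05-22" above, or the "Expiry Date:"
# line of `certbot certificates`). Pure POSIX sh; no GNU date needed.

# Days since 1970-01-01 for a Gregorian date y m d (no leading zeros),
# via the civil-to-days formula (Howard Hinnant's algorithm).
days_from_civil() {
    y=$1 m=$2 d=$3
    [ "$m" -le 2 ] && y=$((y - 1))
    era=$((y / 400))
    yoe=$((y - era * 400))
    doy=$(( (153 * ((m + 9) % 12) + 2) / 5 + d - 1 ))
    doe=$(( yoe * 365 + yoe / 4 - yoe / 100 + doy ))
    echo $(( era * 146097 + doe - 719468 ))
}

# "YYYY-MM-DD" -> days since epoch; leading zeros are stripped so "08"
# and "09" are not read as octal by the shell.
to_days() {
    y=${1%%-*}; rest=${1#*-}; m=${rest%%-*}; d=${rest#*-}
    days_from_civil "$y" "${m#0}" "${d#0}"
}

# Days from a reference date (default: today, UTC) to the expiry date;
# negative means the certificate has already expired.
days_until() {
    echo $(( $(to_days "$1") - $(to_days "${2:-$(date -u +%Y-%m-%d)}") ))
}

# Certbot renews at 30 days or fewer, so being inside that window means
# the timer has not run. Returns 0 when comfortably valid, 1 when
# renewal is overdue or the certificate has expired.
renewal_status() {
    left=$(days_until "$1" "$2")
    if [ "$left" -lt 0 ]; then echo "EXPIRED $((-left)) days ago"; return 1
    elif [ "$left" -le 30 ]; then echo "RENEW DUE: $left days left"; return 1
    else echo "OK: $left days left"; return 0
    fi
}

# Expiry date of the first certificate Certbot manages, from its
# "Expiry Date: 2023-05-22 00:00:00+00:00 (...)" line (assumed format).
certbot_expiry() {
    sudo certbot certificates 2>/dev/null | awk '/Expiry Date:/ {print $3; exit}'
}

# Self-check on the article's sample expiry as of 2023-03-01 (constructed).
renewal_status 2023-05-22 2023-03-01
# Real use: renewal_status "$(certbot_expiry)"
```

A non-zero exit from renewal_status is a good trigger for a monitoring alert, since it means the timer has missed at least one renewal window.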
FAQ
What is Certbot?
Certbot is a free, open-source tool for obtaining and installing SSL/TLS certificates. It works with any CA (Certificate Authority) that supports the ACME protocol, not only Let's Encrypt.
Is SSL encryption vulnerable to security risks?
Receiving a certificate does not make a site 100% secure; you must still implement other security measures on your site as a supplement. Technically, SSL/TLS can be attacked, but doing so is complicated, so such compromises are a rare event.
Conclusion
Getting an SSL/TLS certificate is very important for securing your website traffic and giving your website credibility. In this article, we showed how to get a free SSL/TLS certificate from Let's Encrypt to secure Nginx on Ubuntu using the open-source Certbot tool.
The process started with the Certbot installation, continued with the Nginx and firewall configuration, and finished with receiving the SSL certificate. You also learned how to configure automatic renewal of the certificate, so your website now has the credibility of a valid certificate and its traffic is encrypted by the HTTPS protocol.
If you need more guidance in any part of the article, let us know in the comments section so that we can guide you as soon as possible.
Thank you for your choice.