Secure Nginx using Let’s Encrypt SSL on Ubuntu
Secure Nginx using Let’s Encrypt means installing a free SSL certificate to enable HTTPS on your website. This is done by using Certbot to request the certificate and configure Nginx, ensuring encrypted and secure data transfer for visitors.
Prerequisite To Secure Nginx using Let’s Encrypt SSL on Ubuntu
- Ubuntu system or buy Linux VPS running Ubuntu (Ubuntu 22.04)
- A user account with Sudo/Root privileges
- Installing Nginx on Ubuntu
- Domain name registration
- A server block set up for your domain name (for example, /etc/nginx/sites-available/yourdomainname.com)
- DNS A records that point both yourdomainname.com and www.yourdomainname.com to your server’s public IP
Our recommendation in securing Nginx in Ubuntu is to create a new and separate configuration file for the Nginx web server and Nginx server block file for each domain so that you can use the default files for fallback configuration.
1. Installing Certbot
As we explained at the beginning of the article, in order to use the HTTPS protocol on your site and get a Let’s Encrypt SSL certificate for Nginx for free, you need to install the Certbot software, which automates the process. Certbot is distributed as a snap package, so you must first make sure snapd is installed to manage the certbot snap.
So first, update the list of Ubuntu packages with the following command:
sudo apt update -y && sudo apt upgrade -y
Then install, or refresh to the latest version of, the snap core by running the following command:
sudo snap install core; sudo snap refresh core
Fortunately, Ubuntu 22.04 supports snaps out of the box, so the snap core can be installed and kept up to date with that single command. Our preference is to use the up-to-date snap version of Certbot, so if an older Certbot package is already installed on your Ubuntu system through apt, run the following command to remove it first and avoid two conflicting installations:
sudo apt remove certbot
Now you can install certbot on Ubuntu:
sudo snap install --classic certbot
To run the Certbot software by typing certbot, you need to link the certbot command from the snap install directory to your path:
sudo ln -s /snap/bin/certbot /usr/bin/certbot
2. Checking Nginx’s Configuration
A prerequisite for securing Nginx using Let’s Encrypt SSL is registering the domain and configuring the Nginx server block for that domain. In this tutorial we use yourdomainname.com as the example domain. To configure SSL automatically, Certbot searches the Nginx configuration for the server block whose server_name directive matches the domain name you request a certificate for; that is how it finds the correct server block to edit.
To confirm that the server block is configured correctly, open your domain configuration file in your favorite editor (nano is used here):
sudo nano /etc/nginx/sites-available/yourdomainname.com
In the contents of your domain configuration file, find the line containing the server_name directive and make sure it is set to your domain name, for example:
Output:
/etc/nginx/sites-available/yourdomainname.com
...
server_name yourdomainname.com www.yourdomainname.com;
...
If the server_name directive is not set to your domain name, set it now; you can list the domain with or without the www prefix (a name must be listed here before Certbot will issue a certificate for it). Then save the file and exit.
To confirm the changes you made to your configuration, use the following syntax:
sudo nginx -t
After making sure that you have edited your configuration file correctly, reload the Nginx service by running the following command to apply your new configuration:
sudo systemctl reload nginx
Certbot should now be able to easily find the appropriate server block.
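Because Certbot matches each -d name against the server_name directives, a missing or mistyped name (for example a stray space in "www. yourdomainname.com") is the usual reason the plugin cannot find a server block. The following bash script, an added example that is not part of the original article, extracts the names from a server block file and checks that every name you intend to pass to certbot is present; the file path, the domain names and the sample configuration at the bottom are all constructed for the demonstration.

```shell
#!/usr/bin/env bash
# Added example (not from the original article): verify that a server block
# lists every name you will request a certificate for, before running Certbot.
set -u

# server_names FILE
# Print every name found in server_name directives of FILE, one per line.
# Comments are stripped first and the trailing semicolon is removed.
server_names() {
  sed -e 's/#.*$//' "$1" \
    | awk '$1 == "server_name" {
             for (i = 2; i <= NF; i++) { sub(/;$/, "", $i); if ($i != "") print $i }
           }'
}

# check_server_block FILE NAME...
# Return 0 when every NAME appears in a server_name directive of FILE,
# 1 when at least one is missing (each missing name is reported on stderr).
check_server_block() {
  local file="$1" name names rc=0
  shift
  names=$(server_names "$file")
  for name in "$@"; do
    if ! printf '%s\n' "$names" | grep -qxF -- "$name"; then
      echo "missing: $name is not listed in any server_name of $file" >&2
      rc=1
    fi
  done
  return "$rc"
}

# Demonstration on a constructed sample block (not a real server block).
demo() {
  local tmp
  tmp=$(mktemp)
  cat > "$tmp" <<'EOF'
server {
    listen 80;
    server_name yourdomainname.com www.yourdomainname.com;  # constructed sample
    root /var/www/yourdomainname.com/html;
}
EOF
  if check_server_block "$tmp" yourdomainname.com www.yourdomainname.com; then
    echo "server block OK: both names present"
  fi
  rm -f "$tmp"
}

# On the server you would run it against the real file, e.g.:
#   check_server_block /etc/nginx/sites-available/yourdomainname.com \
#       yourdomainname.com www.yourdomainname.com
```

Run the check with the same names you plan to give certbot with -d; if it reports a missing name, fix the server_name line, run sudo nginx -t, and reload Nginx before requesting the certificate.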
3. Configuring the firewall to allow HTTPS traffic
If the ufw firewall is enabled on the Ubuntu server, one of your steps to get an SSL certificate is to configure the firewall to allow HTTPS traffic. When Nginx is installed it registers application profiles with ufw (Nginx HTTP, Nginx HTTPS and Nginx Full). To check which profiles are currently allowed, enter the following command:
sudo ufw status
Output:
Status: active

To                         Action      From
--                         ------      ----
OpenSSH                    ALLOW       Anywhere
Nginx HTTP                 ALLOW       Anywhere
OpenSSH (v6)               ALLOW       Anywhere (v6)
Nginx HTTP (v6)            ALLOW       Anywhere (v6)
Most likely, your output will show that Nginx HTTP traffic is allowed but Nginx HTTPS traffic is not. There are two ways to fix this:
- Allow the Nginx HTTPS profile in addition to the existing HTTP profile:
sudo ufw allow 'Nginx HTTPS'
- Or allow the Nginx Full profile (which covers both HTTP and HTTPS) and delete the now redundant Nginx HTTP profile:
sudo ufw allow 'Nginx Full'
sudo ufw delete allow 'Nginx HTTP'
To ensure that HTTPS traffic is allowed in the ufw firewall, you can run the ufw status command again:
sudo ufw status
Status: active

To                         Action      From
--                         ------      ----
OpenSSH                    ALLOW       Anywhere
Nginx Full                 ALLOW       Anywhere
OpenSSH (v6)               ALLOW       Anywhere (v6)
Nginx Full (v6)            ALLOW       Anywhere (v6)
4. Obtaining SSL/TLS certificate
By using Certbot’s Nginx plugin, you can obtain an SSL/TLS certificate and have Certbot reconfigure Nginx to use it where needed. To use the Nginx plugin to get a certificate, enter the following command:
sudo certbot --nginx -d yourdomainname.com -d www.yourdomainname.com
When you execute the previous command, you will be prompted for an email address (used for renewal and security notices) and asked to accept the terms of service.
After agreeing to the terms of service, you will receive a message that displays the success of the process of obtaining the certificate and the location where the certificate is stored:
Output:
IMPORTANT NOTES:
Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/your_domain/fullchain.pem
Key is saved at: /etc/letsencrypt/live/your_domain/privkey.pem
This certificate expires on 2023-05-22.
These files will be updated when the certificate renews.
Certbot has set up a scheduled task to automatically renew this certificate in the background.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
If you like Certbot, please consider supporting our work by:
* Donating to ISRG / Let’s Encrypt: https://letsencrypt.org/donate
* Donating to EFF: https://eff.org/donate-le
As a result, your SSL certificate is downloaded and installed, Nginx is reloaded with the new configuration, and HTTPS traffic is served. To make sure your site is secure, reload your website over https://; a lock icon next to your site address in the browser confirms that the site is secured with a valid certificate.
5. Enabling automatic certificate renewal
The certificate you receive from Let’s Encrypt is valid for only 90 days, so it must be renewed before that period ends. Since renewing the certificate by hand every time is tedious and easy to forget, automating the renewal is the solution.
Fortunately, the Certbot snap package you installed includes a systemd timer that renews the certificate automatically.
Enter the following command to check the status of the timer:
sudo systemctl status snap.certbot.renew.service
Output:
○ snap.certbot.renew.service - Service for snap application certbot.renew
Loaded: loaded (/etc/systemd/system/snap.certbot.renew.service; static)
Active: inactive (dead)
TriggeredBy: ● snap.certbot.renew.timer
To confirm that the automatic renewal configuration works, run a simulated renewal with the following command:
sudo certbot renew --dry-run
An error from the previous command indicates a problem in the automatic renewal settings; otherwise there is nothing to worry about and Certbot will renew the certificate on schedule.
If you do not automate the renewal of certificates, before the certificates expire, Let’s Encrypt will remind you of the certificate’s expiration by sending an email to the email address you specified during configuration.
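A dry run proves the renewal path works today, but it does not tell you later whether the timer is still firing. The following bash script, an added example that is not part of the original article, reads the expiry date from a certificate file with openssl and warns when fewer than a chosen number of days remain; since Certbot renews about 30 days before expiry, a certificate with noticeably less time left means renewal has silently stopped. It assumes GNU date (as shipped with Ubuntu) and openssl are available; the certificate path and the dates used in the comments are placeholders.

```shell
#!/usr/bin/env bash
# Added example (not from the original article): report how many days a
# Let's Encrypt certificate has left so a broken renewal is noticed in time.
set -u

# days_until_expiry NOTAFTER [NOW]
# NOTAFTER is the date text printed by `openssl x509 -enddate -noout`,
# e.g. "May 22 00:00:00 2023 GMT". NOW defaults to the current time and is
# only a parameter so the calculation can be checked against a fixed date.
# Prints the (possibly negative) whole number of days remaining.
days_until_expiry() {
  local not_after="$1" now="${2:-now}"
  local end_s now_s
  end_s=$(date -u -d "$not_after" +%s) || return 2   # GNU date assumed
  now_s=$(date -u -d "$now" +%s) || return 2
  echo $(( (end_s - now_s) / 86400 ))
}

# check_cert CERT_PATH [WARN_DAYS]
# Return 0 if more than WARN_DAYS (default 25) remain, 1 if the certificate
# is close to expiry or already expired, 2 if the file cannot be read.
check_cert() {
  local cert="$1" warn_days="${2:-25}"
  local enddate days
  enddate=$(openssl x509 -in "$cert" -enddate -noout) || return 2
  days=$(days_until_expiry "${enddate#notAfter=}") || return 2
  if [ "$days" -gt "$warn_days" ]; then
    echo "OK: $cert expires in $days days"
    return 0
  fi
  echo "WARNING: $cert expires in $days days; run 'sudo certbot renew --dry-run'" \
       "and check 'systemctl status snap.certbot.renew.timer'"
  return 1
}

# Usage on the server, against the path Certbot printed in step 4
# (placeholder domain):
#   check_cert /etc/letsencrypt/live/yourdomainname.com/fullchain.pem
```

Put the check_cert call in a cron job or a monitoring probe that alerts on a non-zero exit status; the 25-day threshold leaves a few days of margin below Certbot’s 30-day renewal window so a single missed timer run is caught before visitors see certificate errors.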
Conclusion
Secure Nginx using Let’s Encrypt is an effective, free, and automated way to protect your website and its visitors.
This guide has provided you with a beginner-friendly, step by step approach to obtaining, installing, and managing SSL certificates, as well as configuring your server for optimal security.
Enabling HTTPS not only safeguards your content but also builds trust with your users and improves your search engine ranking. By following the instructions carefully and routinely maintaining your server, you will ensure a secure and reliable web presence.
FAQ
2. How do I install Certbot to secure Nginx using Let's Encrypt on Ubuntu?
You install Certbot through snap by updating your system packages, installing snapd, removing any old Certbot versions, then running 'sudo snap install --classic certbot'. Finally, link the Certbot command by creating a symbolic link to '/usr/bin/certbot'.
3. What is a server block in Nginx and why is it important for SSL configuration?
A server block is a configuration file in Nginx that defines settings for a domain name. Let's Encrypt uses it to find your domain and properly install the SSL certificate on the correct site.
4. How do I configure the firewall to allow HTTPS traffic for Nginx?
If the ufw firewall is enabled, you must allow HTTPS traffic by running 'sudo ufw allow "Nginx HTTPS"', or 'sudo ufw allow "Nginx Full"' and then removing the HTTP-only profile. This ensures encrypted web traffic can pass through the firewall.
5. How can I obtain an SSL certificate using Certbot for Nginx?
Run the command 'sudo certbot --nginx -d yourdomain.com -d www.yourdomain.com', then follow the prompts to enter your email and accept terms. Certbot will download, install, and configure the SSL certificate automatically.
6. What should I do to keep my SSL certificate valid after it expires?
Let's Encrypt certificates expire after 90 days. You should enable automatic renewal by using Certbot's built-in systemd timer. Check renewal status with 'sudo certbot renew --dry-run' to ensure it works properly.
7. How do I verify that my Nginx website is secured with Let's Encrypt SSL?
After installation, visit your website using "https://" and look for a padlock icon in the browser's address bar. This indicates your website is using a valid SSL certificate and the connection is secure.
8. What are the prerequisites before securing Nginx with Let's Encrypt?
You need a running Ubuntu server with Nginx installed, a registered domain name pointed to your server IP, sudo or root privileges, and a correctly configured Nginx server block for your domain.
9. Can Let's Encrypt SSL certificates improve my website's credibility?
Yes, SSL certificates show visitors that your site uses HTTPS and encrypts data. Browsers display a padlock icon, enhancing trust and credibility for your visitors.
10. What common issues might I face when securing Nginx with Let's Encrypt and how to fix them?
Common issues include incorrect server block configuration, firewall blocking HTTPS traffic, or Certbot not finding the correct domain. Always check Nginx configuration with 'sudo nginx -t', allow HTTPS in firewall, and ensure domain DNS points to your server before obtaining the certificate.
Does certbot automatically handle certificate renewal on Ubuntu, or do I still need to configure a cron job manually?
Dear Desain, the short answer is Yes! On recent Ubuntu installations via apt (or snap), Certbot includes automatic renewal out of the box using a systemd timer (with fallback cron job if systemd isn’t present). So you typically don’t need to add a manual cron entry.