Ubuntu 20.04: Protect Nginx with ‘Let’s Encrypt’

Let’s Encrypt is a Certificate Authority (CA) that offers free SSL certificates that are just as secure as paid certificates. The project was started to make encrypted connections the default standard throughout the Internet.

Follow these steps to secure Nginx with ‘Let’s Encrypt’:

Step 1: Install Certbot

Using apt, install Certbot and its Nginx plugin:

sudo apt install certbot python3-certbot-nginx

Step 2: Configure Nginx

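Certbot finds the server block to configure by matching its server_name directive against the domain you request a certificate for. To check it, open the domain configuration file using ‘nano’ or ‘vi’.

sudo vi /etc/nginx/sites-available/domain_name

Add this to your domain configuration file: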

...
server_name example.com www.example.com;
...

Save the file, exit your editor, and check the syntax of your configuration changes.

sudo nginx -t

To load the updated configuration, reload Nginx.

sudo systemctl reload nginx

Step 3: Allow HTTPS Through the Firewall

You can use different firewalls like ‘iptables’.

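In this example, we’ll be using UFW. The ‘Nginx Full’ profile allows both HTTP (port 80) and HTTPS (port 443), so the narrower ‘Nginx HTTP’ rule can be deleted once it is in place.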

sudo ufw status
sudo ufw allow 'Nginx Full'
sudo ufw delete allow 'Nginx HTTP'

Step 4: Obtain an SSL Certificate

Certbot is a simple client that obtains a certificate from Let’s Encrypt.

Let us now run Certbot and obtain our certificates.

sudo certbot --nginx -d domain_name

Output:

Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel):

Choose option 2, ‘Redirect’, so that all HTTP requests are redirected to HTTPS.

Output:

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/domain_name/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/domain_name/privkey.pem
   Your cert will expire on 2020-08-18. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot again
   with the "certonly" option. To non-interactively renew *all* of
   your certificates, run "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le
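
To confirm that the ‘Redirect’ choice took effect, the following script audits the Nginx configuration for the certificate paths shown above and for any port-80 server block that does not redirect to HTTPS. It is an added example, not part of the original guide or of Certbot; the function name audit_tls_config and the sample configuration are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original page): audit Nginx configuration text
# on stdin for the state Certbot's "Redirect" choice should leave behind.
# On a server:  sudo nginx -T 2>/dev/null | audit_tls_config example.com
audit_tls_config() (
    dom=$(printf '%s' "$1" | sed 's/[.]/\\./g')   # match dots in the domain literally
    live="/etc/letsencrypt/live/$dom"
    conf=$(sed 's/#.*//')                         # commented-out directives must not count
    rc=0
    check() {                                     # $1 = description, $2 = ERE that must match
        if printf '%s\n' "$conf" | grep -Eq -- "$2"; then echo "PASS  $1"
        else echo "FAIL  $1"; rc=1; fi
    }
    check "listens on 443 with TLS" '^[[:space:]]*listen[[:space:]]+([^;]*:)?443[[:space:]]+ssl'
    check "certificate is the Let's Encrypt fullchain.pem" \
          "ssl_certificate[[:space:]]+$live/fullchain\\.pem[[:space:]]*;"
    check "key is the Let's Encrypt privkey.pem" \
          "ssl_certificate_key[[:space:]]+$live/privkey\\.pem[[:space:]]*;"
    # Every server block that listens on port 80 must redirect to HTTPS;
    # a port-80 block without the redirect still serves content in clear text.
    plain=$(printf '%s\n' "$conf" | awk '
        /^[[:space:]]*server[[:space:]]*[{]/ && !inblk { inblk=1; depth=0; p80=0; redir=0 }
        inblk {
            if ($0 ~ /listen[[:space:]]+([^;]*:)?80([[:space:]]|;)/) p80=1
            if ($0 ~ /return[[:space:]]+301[[:space:]]+https:\/\//) redir=1
            depth += gsub(/[{]/, "{") - gsub(/[}]/, "}")
            if (depth == 0) { if (p80 && !redir) bad++; inblk=0 }
        }
        END { print bad + 0 }')
    if [ "$plain" -eq 0 ]; then echo "PASS  no port-80 block without an HTTPS redirect"
    else echo "FAIL  $plain port-80 block(s) serve plain HTTP"; rc=1; fi
    [ "$rc" -eq 0 ]
)

# Constructed sample in the shape Certbot's Redirect option typically produces.
audit_tls_config example.com <<'EOF'
server {
    server_name example.com www.example.com;
    listen 443 ssl;
    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
}
server {
    if ($host = example.com) { return 301 https://$host$request_uri; }
    listen 80;
    server_name example.com www.example.com;
    return 404;
}
EOF
```

The function returns a non-zero status if any check fails, so it can also gate a deployment script or a cron job that runs after "certbot renew".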

That’s it, enjoy!
