Secure Nginx with Let’s Encrypt on Ubuntu 20.04 - DesignLinux

May 29 2020
designlinux

Let’s Encrypt is a free Certificate Authority (CA). It provides a simple way to obtain, install and renew free TLS/SSL certificates. This guide shows how to obtain and install a free SSL certificate and secure Nginx with Let’s Encrypt on Ubuntu 20.04.

It is recommended to use a separate Nginx server block file instead of the default file. In this tutorial, we will create new Nginx server block files for each domain. This avoids common mistakes and keeps the default files as a fallback configuration.

Prerequisites

  • You are logged in to the Ubuntu server as a non-root user with sudo privileges.
  • Your domain name points to your server’s IP address.
  • Nginx is installed and configured as described in How To Install Nginx on Ubuntu 20.04.
  • You have an Nginx server block for your domain, as shown in this tutorial.

Install Let’s Encrypt on Ubuntu

The following steps install and use the Certbot tool to obtain a free SSL certificate for Nginx on an Ubuntu server. Nowadays, certificates issued by Let’s Encrypt are trusted by almost all browsers.

Install Certbot

With the Certbot client package, you can easily obtain, install and renew Let’s Encrypt SSL certificates. It is also useful for configuring web servers to use the SSL certificates. The certbot package is included in the default Ubuntu repositories.

Update the package list with the following command:

sudo apt update

Next, install the dependencies of the python3-certbot-nginx package by executing the command below:

sudo apt install python3-acme python3-certbot python3-mock python3-openssl python3-pkg-resources python3-pyparsing python3-zope.interface

Now install the certbot client by executing the following command:

sudo apt install certbot python3-certbot-nginx

You can verify that certbot was installed successfully by typing:

certbot --version

Adjusting Firewall

If the UFW firewall is enabled on the server, you need to adjust it to allow HTTPS traffic.

You can see the current settings by typing:

sudo ufw status
Status: active
To                         Action      From
--                         ------      ----
OpenSSH                    ALLOW       Anywhere                  
Nginx HTTP                 ALLOW       Anywhere                  
OpenSSH (v6)               ALLOW       Anywhere (v6)             
Nginx HTTP (v6)            ALLOW       Anywhere (v6)

To let in HTTPS traffic, you need to allow the Nginx Full profile and delete the redundant Nginx HTTP profile allowance:

sudo ufw allow 'Nginx Full'
sudo ufw delete allow 'Nginx HTTP'

The status should now look like this:

Status: active
To                         Action      From
--                         ------      ----
OpenSSH                    ALLOW       Anywhere                  
Nginx Full                 ALLOW       Anywhere                  
OpenSSH (v6)               ALLOW       Anywhere (v6)             
Nginx Full (v6)            ALLOW       Anywhere (v6)
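
The firewall change above can be checked mechanically. The following is an added example, not part of the original tutorial: it parses `ufw status` text and reports whether ports 80 and 443 are allowed for IPv4 and IPv6. The function names are hypothetical, the sample text is constructed from the output shown above, and it assumes the host serves both address families.

```bash
# Audit `ufw status` text for the ports an Nginx + Certbot host needs:
# 80 carries the HTTP-01 challenge and the redirect, 443 carries HTTPS.
# Ubuntu nginx profiles: "Nginx HTTP" = 80, "Nginx HTTPS" = 443, "Nginx Full" = both.

# Print allowed web ports ("80", "443", "80 443" or "") for one address
# family ($1 = v4 or v6); reads `ufw status` output on stdin.
ufw_web_ports() {
    awk -v fam="$1" '
        / ALLOW / {
            is_v6 = ($0 ~ /\(v6\)/) ? 1 : 0
            if ((fam == "v6" ? 1 : 0) != is_v6) next
            if ($0 ~ /^Nginx Full/)       { p80 = 1; p443 = 1 }
            else if ($0 ~ /^Nginx HTTPS/) { p443 = 1 }
            else if ($0 ~ /^Nginx HTTP/)  { p80 = 1 }
            if ($1 ~ /^80(\/tcp)?$/)  p80 = 1    # raw port rules count too
            if ($1 ~ /^443(\/tcp)?$/) p443 = 1
        }
        END { out = p80 ? "80" : ""
              if (p443) out = (out == "" ? "443" : out " 443")
              print out }'
}

# Return 0 only if both families allow 80 and 443; print each gap found.
ufw_ready_for_https() {
    ufw_text=$(cat); ufw_rc=0
    for fam in v4 v6; do
        case "$(printf '%s\n' "$ufw_text" | ufw_web_ports "$fam")" in
            "80 443") ;;
            "80")  echo "$fam: 443 closed, HTTPS unreachable"; ufw_rc=1 ;;
            "443") echo "$fam: 80 closed, HTTP-01 validation will fail"; ufw_rc=1 ;;
            *)     echo "$fam: no web ports allowed"; ufw_rc=1 ;;
        esac
    done
    return "$ufw_rc"
}

# Constructed from the tutorial's output (column header lines omitted).
UFW_BEFORE='Status: active
OpenSSH                    ALLOW       Anywhere
Nginx HTTP                 ALLOW       Anywhere
OpenSSH (v6)               ALLOW       Anywhere (v6)
Nginx HTTP (v6)            ALLOW       Anywhere (v6)'
UFW_AFTER='Status: active
OpenSSH                    ALLOW       Anywhere
Nginx Full                 ALLOW       Anywhere
OpenSSH (v6)               ALLOW       Anywhere (v6)
Nginx Full (v6)            ALLOW       Anywhere (v6)'
```

On a live server, feed it real output with `sudo ufw status | ufw_ready_for_https`.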

Obtaining an SSL Certificate

There are many ways to obtain SSL certificates through plugins. Here, we will use the certbot client to obtain an SSL certificate:

sudo certbot --nginx -d example.com -d www.example.com

With the above command, we are requesting a certificate for the example.com and www.example.com domains. If you are installing a certificate for the first time, it will ask you to enter an email address and agree to the terms and conditions.

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx
Enter email address (used for urgent renewal and security notices) (Enter 'c' to
cancel):

The email address you enter will be used for sending email alerts related to SSL renewal and expiration.

After that, certbot will communicate with the Let’s Encrypt server and then run a challenge to verify that you are the owner of the domain for which you’re requesting a certificate.

Once the validation is complete, it will ask how you would like to configure your HTTPS settings:

Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
-------------------------------------------------------------------------------
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
-------------------------------------------------------------------------------
Select the appropriate number [1-2] then [enter] (press 'c' to cancel):

Select your choice and hit Enter to go ahead. Your Nginx server block will be updated based on the selected option, and Nginx will be reloaded so that the new settings take effect.

After this step, the Certbot configuration is finished and you will be presented with a congratulations message like the following:

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations! You have successfully enabled https://your_domain and
https://www.your_domain

You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=your_domain
https://www.ssllabs.com/ssltest/analyze.html?d=www.your_domain
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Finally, your domain is secured with a Let’s Encrypt SSL certificate. You can verify this by visiting your site over HTTPS.

Auto Renew Let’s Encrypt SSL certificate

Let’s Encrypt SSL certificates have a short lifetime of 90 days, so you need to renew them before they expire. You can use certbot’s auto-renew facility to avoid SSL expiration. By default, the Certbot package creates a cron job script in /etc/cron.d which runs twice a day and automatically renews any certificate 30 days before its expiration. You can check the renewal process by typing:

sudo certbot renew --dry-run

If it does not show any errors, your installation is successful. From now on, Certbot will take care of SSL expiration: it will renew your certificates automatically and reload Nginx to pick up the changes.
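
A dry run exercises the renewal path but does not show whether the installed certificate is already inside the 30-day window, which would mean the scheduled job is not doing its work. The following added example (not from the original tutorial) classifies a certificate file with `openssl x509 -checkend`; the function names are hypothetical and the sample certificates are constructed, self-signed throwaways.

```bash
# Classify a certificate against Certbot's renewal window.
# Prints one of: unreadable | expired | due | ok
#   $1 = PEM file; with Certbot's default layout on the server this is
#        /etc/letsencrypt/live/example.com/fullchain.pem (read it with sudo)
#   $2 = window in days (default 30, the window named in the tutorial)
cert_renewal_state() {
    cert=$1; window_days=${2:-30}
    openssl x509 -in "$cert" -noout >/dev/null 2>&1 || { echo unreadable; return 0; }
    # -checkend N exits 0 when the certificate is still valid N seconds from now.
    if ! openssl x509 -in "$cert" -noout -checkend 0 >/dev/null; then
        echo expired
    elif ! openssl x509 -in "$cert" -noout \
            -checkend "$((window_days * 86400))" >/dev/null; then
        echo due    # inside the window: the scheduled renewal should already have run
    else
        echo ok
    fi
}

# Constructed sample input: a throwaway self-signed certificate valid for
# $1 days, written to a temp directory; prints the certificate path.
make_sample_cert() {
    sample_dir=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days "$1" -subj "/CN=example.com" \
        -keyout "$sample_dir/privkey.pem" -out "$sample_dir/cert.pem" 2>/dev/null
    echo "$sample_dir/cert.pem"
}
```

A freshly issued 90-day certificate reports `ok`; a `due` or `expired` result on a server where the renewal job has been running is the signal to read /var/log/letsencrypt/letsencrypt.log.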

Conclusion

This tutorial explained how to secure Nginx Web Server with Let’s Encrypt SSL on Ubuntu 20.04 using Certbot.

If you want to know more about how to use Certbot, their documentation is a good starting point.

Feel free to leave a comment if you have any questions.

Tags: let's encrypt, nginx, security, ssl