Let’s Encrypt is a free, automated, and open certificate authority that provides SSL/TLS certificates. In this tutorial, we’ll show you how to install Let’s Encrypt certificates for Nginx on Ubuntu and how to automate the renewal process using Certbot.
Step 1: Install Certbot
Certbot is a free, open-source software tool that automates the process of obtaining and renewing SSL/TLS certificates from Let’s Encrypt.
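To install Certbot together with its Nginx plugin (required for the --nginx option used in Step 2), run the following command:
sudo apt install certbot python3-certbot-nginx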
Step 2: Generate Let’s Encrypt Certificate
Next, we’ll use Certbot to generate a Let’s Encrypt SSL/TLS certificate for our domain.
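Run the following command, replacing example.com with your domain name:
sudo certbot certonly --nginx -d example.com -d www.example.com
The certonly subcommand only obtains the certificate and saves it under /etc/letsencrypt/live/example.com/; it does not change the Nginx configuration, which we do in Step 3. A wildcard name such as *.example.com can only be validated with the DNS-01 challenge, which the Nginx plugin does not support, so a wildcard certificate requires a DNS plugin for your provider or manual mode instead of --nginx.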
Step 3: Configure Nginx to Use SSL/TLS
Now that we have the SSL/TLS certificate, we need to configure Nginx to use it.
Create a new server block in the Nginx configuration file /etc/nginx/sites-available/example.com with the following content:
server {
    listen 80;
    listen [::]:80;
    server_name example.com www.example.com;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name example.com www.example.com;
    index index.php index.htm index.html;

    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

    # SSL configuration
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers EECDH+AESGCM:EDH+AESGCM;
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 5m;

    # Add security-related response headers
    add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;";
    add_header X-Content-Type-Options nosniff;
    add_header X-Frame-Options "SAMEORIGIN";
    add_header X-XSS-Protection "1; mode=block";

    # Uncomment the following if your website is running WordPress
    # location / {
    #     try_files $uri $uri/ /index.php?$args;
    # }
    # location ~ \.php$ {
    #     try_files $uri =404;
    #     fastcgi_pass unix:/var/run/php/php8.1-fpm.sock;
    #     fastcgi_index index.php;
    #     fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    #     include fastcgi_params;
    # }
}
Save and close the file, then activate the server block by creating a symbolic link in the sites-enabled directory:
sudo ln -s /etc/nginx/sites-available/example.com /etc/nginx/sites-enabled/
Test the Nginx configuration:
sudo nginx -t
If there are no errors, reload Nginx:
sudo systemctl reload nginx
Let’s Encrypt SSL/TLS certificates expire after 90 days. Certbot automatically installs a script that will run twice daily, at 12:00am and 12:00pm, and will renew any expiring certificates. You don’t need to do anything with your Cron jobs.
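To confirm that the scheduled renewal is actually keeping the certificate fresh, the following added example (not part of the original tutorial and not a Certbot feature) checks a certificate file against a warning window with openssl. The function names, exit codes and 30-day threshold are assumptions chosen for illustration; the default path is the one used in Step 3, and GNU date (as shipped on Ubuntu) is assumed.

```shell
#!/bin/sh
# Added example: renewal health check for a Let's Encrypt certificate.
# Function names, exit codes and thresholds are illustrative assumptions.

# Return 0 if the certificate in $1 is still valid $2 days from now (default 30).
cert_valid_for_days() {
    local pem="$1" days="${2:-30}"
    openssl x509 -in "$pem" -noout -checkend "$(( days * 86400 ))" >/dev/null 2>&1
}

# Print the whole number of days until the certificate in $1 expires.
cert_days_left() {
    local pem="$1" end end_epoch now_epoch
    end="$(openssl x509 -in "$pem" -noout -enddate 2>/dev/null)" || return 2
    end="${end#notAfter=}"                      # e.g. "Jun  1 12:00:00 2025 GMT"
    end_epoch="$(date -u -d "$end" +%s)" || return 2   # GNU date syntax
    now_epoch="$(date -u +%s)"
    echo $(( (end_epoch - now_epoch) / 86400 ))
}

# Report on one certificate. Exit status: 0 OK, 1 warning, 2 expired, 3 unknown.
check_cert() {
    local pem="$1" warn_days="${2:-30}" left
    if [ ! -r "$pem" ]; then
        echo "UNKNOWN: cannot read $pem"; return 3
    fi
    left="$(cert_days_left "$pem")" || { echo "UNKNOWN: cannot parse $pem"; return 3; }
    if ! cert_valid_for_days "$pem" 0; then
        echo "CRITICAL: $pem has expired"; return 2
    elif ! cert_valid_for_days "$pem" "$warn_days"; then
        echo "WARNING: $pem expires in $left days; automatic renewal may be failing"
        return 1
    fi
    echo "OK: $pem is valid for $left more days"; return 0
}

# Only act when a certificate path is given, for example:
#   sudo sh check-cert.sh /etc/letsencrypt/live/example.com/fullchain.pem 30
if [ "$#" -gt 0 ]; then
    check_cert "$@"
fi
```

Run it as root from cron or a monitoring agent, because /etc/letsencrypt/live is readable only by root; a non-zero exit status means the certificate is inside the warning window or could not be checked.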