Set Up Let's Encrypt with Nginx Server Blocks on Ubuntu Server

This tutorial shows how to set up Let's Encrypt with Nginx server blocks on an Ubuntu cloud server.

In this tutorial we will use a separate Nginx server block file instead of the default file. We recommend creating a new Nginx server block file for every domain, since this avoids some common mistakes and keeps the default file intact as a fallback configuration, as intended. If you want to set up SSL using the default server block instead, you can follow the Nginx + Let's Encrypt tutorial.

1st Step - Installing Certbot

The first step in using Let's Encrypt to obtain an SSL certificate is to install the Certbot software on your web server.

First, add the Certbot repository:

  • $ sudo add-apt-repository ppa:certbot/certbot

You will need to press ENTER to accept. Then update the package list so that apt picks up the new repository's package information:

  • $ sudo apt-get update

Finally, install Certbot's Nginx package with apt-get:

  • $ sudo apt-get install python-certbot-nginx

Certbot is now ready to use, but before it can configure SSL for Nginx we need to verify a few things in Nginx's configuration.

2nd Step - Verifying Nginx's Configuration

Certbot must be able to find the correct server block in your Nginx configuration in order to configure SSL automatically. Specifically, it does this by looking for a server_name directive that matches the domain name you request a certificate for.

If you followed the basic Nginx server blocks tutorial, you should have a server block for your domain at /etc/nginx/sites-available/xyz.com with the server_name directive already set correctly.

To check, open the server block file for your domain using nano or your preferred text editor:

  • $ sudo nano /etc/nginx/sites-available/xyz.com

Locate the existing server_name line. It should look like this:

/etc/nginx/sites-available/xyz.com

. . .
server_name xyz.com www.xyz.com;
. . .

If it does, exit your editor and move on to the next step.

If it doesn't, update it to match. Then save the file, quit your editor, and check the syntax of your edits:

  • $ sudo nginx -t

If you get an error, reopen the server block file and check for typos or missing characters. Once your configuration file's syntax is correct, reload Nginx to load the new configuration:

  • $ sudo systemctl reload nginx

Certbot can now find the correct server block and update it.
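The check Certbot performs here can be scripted before you run it: the following shell function, added as an example and not part of the original tutorial, extracts every name from the server_name directives in a server block file and reports any domain you intend to pass with -d that is missing. The sample configuration it reads is constructed to mirror the tutorial's xyz.com file.

```shell
# Usage: server_names_cover FILE DOMAIN...  Returns 0 when every DOMAIN
# appears in a server_name directive of FILE, 1 otherwise.
server_names_cover() {
  file="$1"; shift
  # Drop comments, keep only server_name lines, strip the directive
  # keyword and the trailing ';' so only the names remain.
  names=$(sed -e 's/#.*//' "$file" \
          | grep -E '^[[:space:]]*server_name[[:space:]]' \
          | sed -e 's/^[[:space:]]*server_name[[:space:]]*//' -e 's/;.*//')
  missing=0
  for d in "$@"; do
    if ! printf '%s\n' $names | grep -qx -- "$d"; then
      echo "missing: $d is not in any server_name directive of $file" >&2
      missing=1
    fi
  done
  return $missing
}

# Constructed sample server block standing in for
# /etc/nginx/sites-available/xyz.com.
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
server {
    listen 80;
    listen [::]:80;
    root /var/www/xyz.com/html;
    index index.html;
    server_name xyz.com www.xyz.com;   # must match the -d names
    location / { try_files $uri $uri/ =404; }
}
EOF

# Both names the tutorial passes to certbot are covered; a name that is
# not in the block (mail.xyz.com) is reported as missing.
server_names_cover "$SAMPLE_CONF" xyz.com www.xyz.com && echo "covered"
server_names_cover "$SAMPLE_CONF" mail.xyz.com || echo "not covered"
```

On a real server, point the function at your file under /etc/nginx/sites-available and run `sudo nginx -t` afterwards as the tutorial describes.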

Next, we will update the firewall to allow HTTPS traffic.

3rd Step - Enabling HTTPS Through the Firewall

If you have the ufw firewall enabled, as the basic guides recommend, you'll need to adjust its settings to allow HTTPS traffic. Fortunately, Nginx registers a few profiles with ufw on installation.

You can check the current settings by entering:

  • $ sudo ufw status

It will probably look like this, meaning only HTTP traffic is allowed to the web server:

Result

Status: active

To                         Action From
--                         ------ ----
OpenSSH                    ALLOW Anywhere
Nginx HTTP                 ALLOW Anywhere
OpenSSH (v6)               ALLOW Anywhere (v6)
Nginx HTTP (v6)            ALLOW Anywhere (v6)

To additionally let in HTTPS traffic, allow the Nginx Full profile and then delete the now-redundant Nginx HTTP profile allowance:

  • $ sudo ufw allow 'Nginx Full'

  • $ sudo ufw delete allow 'Nginx HTTP'

Your status should now look like this:

  • $ sudo ufw status

Result

Status: active

To                         Action From
--                         ------ ----
OpenSSH                    ALLOW Anywhere
Nginx Full                 ALLOW Anywhere
OpenSSH (v6)               ALLOW Anywhere (v6)
Nginx Full (v6)            ALLOW Anywhere (v6)

We are now ready to run Certbot and fetch our certificates.

4th Step - Obtaining an SSL Certificate

Certbot provides a variety of ways to obtain SSL certificates through different plugins. The Nginx plugin takes care of reconfiguring Nginx and reloading the configuration whenever necessary:

  • $ sudo certbot --nginx -d xyz.com -d www.xyz.com

This runs certbot with the --nginx plugin, using -d to specify the names we'd like the certificate to be valid for.

If this is your first time running certbot, you will be prompted to enter an email address and agree to the terms of service. After doing so, certbot will communicate with the Let's Encrypt server, then run a challenge to verify that you control the domain you're requesting a certificate for.

If that is successful, certbot will ask how you'd like to configure your HTTPS settings.

Result

Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.

  1: No redirect - Make no further changes to the web server configuration.

  2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
     new sites, or if you're confident your site works on HTTPS. You can undo this
     change by editing your web server's configuration.

Choose the appropriate number, 1 or 2, and press ENTER. The configuration will be updated and Nginx will reload to pick up the new settings. Certbot will finish with a message telling you the process was successful and where your certificates are stored.

Your certificates are now downloaded, installed, and configured. Try reloading your website using the https protocol and you should see the security indicator in your browser.

5th Step - Verifying Certbot Auto-Renewal

Let's Encrypt's SSL certificates are only valid for 90 days. This is to encourage users to automate their certificate renewal process. The certbot package we installed handles this for us by adding a renew script to /etc/cron.d. This script runs twice a day and automatically renews any certificate that is within thirty days of expiry.

To test the renewal process, you can do a dry run with certbot:

  • $ sudo certbot renew --dry-run

If you see no errors, you're all set. When necessary, Certbot will renew your certificates and reload Nginx to pick up the changes. If the automated renewal process ever fails, Let's Encrypt will send a message to the email you specified, warning you when your certificate is about to expire.
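Beyond the dry run, it is worth being able to confirm independently that a certificate is within (or outside) the thirty-day renewal window the cron job uses. The functions below are an added example, not part of the tutorial: they wrap `openssl x509 -checkend` and `-enddate`, and the two self-signed certificates they are exercised on are constructed stand-ins for the Let's Encrypt files (on a live install you would point them at /etc/letsencrypt/live/xyz.com/fullchain.pem).

```shell
# Usage: renewal_due CERT_FILE [DAYS]  Returns 0 when CERT_FILE expires
# within DAYS (default 30, Certbot's renewal window), 1 otherwise.
renewal_due() {
  cert="$1"; days="${2:-30}"
  # -checkend exits 0 if the cert is still valid DAYS*86400 seconds from now.
  if openssl x509 -in "$cert" -noout -checkend $((days * 86400)) >/dev/null 2>&1; then
    return 1
  fi
  return 0
}

# Prints the certificate's notAfter date for a human-readable report.
cert_expiry() {
  openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//'
}

# Constructed self-signed certificates: one with 10 days left (renewal
# due) and one with 80 days left (not yet due).
CERT_DIR=$(mktemp -d)
for pair in "short:10" "long:80"; do
  name=${pair%%:*}; days=${pair##*:}
  openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=xyz.com" \
    -days "$days" -keyout "$CERT_DIR/$name.key" \
    -out "$CERT_DIR/$name.pem" >/dev/null 2>&1
done

for c in short long; do
  if renewal_due "$CERT_DIR/$c.pem"; then
    echo "$c.pem expires $(cert_expiry "$CERT_DIR/$c.pem"): renewal due"
  else
    echo "$c.pem expires $(cert_expiry "$CERT_DIR/$c.pem"): ok"
  fi
done
```

If a certificate on a live server reports "renewal due" but `certbot renew --dry-run` succeeded, check that the cron job in /etc/cron.d is actually running, since the dry run only proves the renewal could succeed.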