How you can secure Nginx with Let’s Encrypt on Ubuntu 14.04
In this tutorial we will teach you how to secure Nginx with Let’s Encrypt.
Let’s Encrypt is a new Certificate Authority (CA) that provides an easy way to obtain and install free TLS/SSL certificates, thereby enabling encrypted HTTPS on a web server.
Let’s Encrypt eases the procedure by providing a software client, ‘Certbot’, which tries to automate most, if not all, of the needed steps. As of now, the whole procedure of retrieving and installing a certificate is fully automated on both Apache and Nginx web servers.
We will show you how to use Certbot to obtain a free SSL certificate and use it with Nginx on Ubuntu 14.04 LTS. Furthermore, we’ll show you how to automate the renewal of the SSL certificate.
We will be using the default Nginx configuration file in this tutorial rather than a separate server block file. In general, we suggest creating a new Nginx server block file for every domain instead, as it helps avoid certain common mistakes and keeps the default files as a fallback configuration, as intended.
For this tutorial, you will be required to have the following:
- An Ubuntu 14.04 server set up with a non-root user that has sudo privileges.
- Nginx installed.
- You need to own or control the registered domain name that you would like to use the certificate with. If you do not have a registered domain name, you can register one using one of the many domain name registrars available.
- You will also need a DNS A record that points your domain to the public IP address of the server.
Step 1 — Installing Certbot
To begin using Let’s Encrypt to retrieve an SSL certificate, first install the Certbot software on your server.
The Certbot developers maintain their own Ubuntu software repository with up-to-date versions of the software and, since Certbot is under very active development, it is worth using that repository in order to obtain a newer Certbot than the one provided by Ubuntu.
Now add the repository.
sudo add-apt-repository ppa:certbot/certbot
Press ‘ENTER’ to accept. Then, update the package list to obtain the new repository’s package information.
sudo apt-get update
Lastly, install Certbot using apt-get.
sudo apt-get install python-certbot-nginx
Certbot, the Let’s Encrypt client, is now ready for use.
Step 2 — Setting up Nginx
Certbot is capable of automatically configuring SSL for Nginx, but it needs to be able to find the correct server block in your config. It does this by searching for a ‘server_name’ directive that matches the domain you are requesting a certificate for. If you are just starting out with a fresh Nginx install, you can update the default config file.
sudo nano /etc/nginx/sites-available/default
Find the existing ‘server_name’ line.
Replace ‘localhost’ with your domain name:
server_name example.com www.example.com;
Save the file and quit your editor. Confirm the syntax of your configuration edits using the command below.
sudo nginx -t
If this executes with no errors, reload Nginx to load the new configuration.
sudo service nginx reload
Certbot will now be able to find the correct server block and update it. We will now update our firewall so it allows HTTPS traffic.
Step 3 — Obtaining an SSL Certificate
Certbot provides several ways to obtain SSL certificates using various plugins. The Nginx plugin takes care of reconfiguring Nginx and reloading the config when required.
sudo certbot --nginx -d example.com -d www.example.com
This runs certbot with the ‘--nginx’ plugin, using ‘-d’ to specify the names we want the certificate to be valid for.
If this is your first time using certbot, you will be asked to enter an email address, then agree to the terms of service. Once you have done so, certbot will communicate with the Let’s Encrypt server before running a challenge to confirm that the domain you are requesting a certificate for is under your control.
After this is successful, certbot will ask how you would like to have your HTTPS settings configured.
Output
Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
-------------------------------------------------------------------------------
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
-------------------------------------------------------------------------------
Select the appropriate number [1-2] then [enter] (press 'c' to cancel):
Make your choice and press ‘ENTER’. The configuration will then be updated, and Nginx will reload to pick up the new settings. Certbot will wrap up with a message saying that the procedure was successful and showing the location of your certificates.
Output
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at
  /etc/letsencrypt/live/example.com/fullchain.pem. Your cert will
  expire on 2017-10-23. To obtain a new or tweaked version of this
  certificate in the future, simply run certbot again with the
  "certonly" option. To non-interactively renew *all* of your
  certificates, run "certbot renew"
- Your account credentials have been saved in your Certbot
  configuration directory at /etc/letsencrypt. You should make a
  secure backup of this folder now. This configuration directory will
  also contain certificates and private keys obtained by Certbot so
  making regular backups of this folder is ideal.
- If you like Certbot, please consider supporting our work by:
  Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
  Donating to EFF: https://eff.org/donate-le
The certificates should now be downloaded, installed, and configured. Try reloading your website using ‘https://’ and look for your browser’s security indicator. It should show that the site is properly secured, normally with a green lock icon. If you test your server using the SSL Labs Server Test, it will get an A grade.
Step 4 — Verifying Certbot Auto-Renewal
When using Let’s Encrypt, it is important to remember that the certificates are only valid for ninety days; the reason for this is to encourage users to automate their certificate renewal procedure. The certbot package you have installed takes care of this for you by executing ‘certbot renew’ two times a day using a systemd timer. On non-systemd distributions, this functionality is provided by a script located in ‘/etc/cron.d’. This task executes two times a day and should renew any certificate that’s within thirty days of expiration.
To try the renewal procedure, you can do a dry run using certbot.
sudo certbot renew --dry-run
If you do not see any errors, you are all set. When needed, Certbot will renew your certificates and reload Nginx to pick up the changes. If the automated renewal procedure fails, Let’s Encrypt will send a message to the email address you provided, warning you once your certificate is close to expiring.
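A renewal check to pair with the dry run above, as an added example that is not part of the original tutorial: it reads a certificate's notAfter date and flags any certificate still inside the thirty-day renewal window after a one-day grace period, which means the scheduled ‘certbot renew’ runs have been failing. The script name check-renewal.sh, the function names and the grace period are assumptions; it needs openssl and a date command that accepts -d (GNU or BusyBox).

```shell
#!/bin/sh
# Added example: flag certificates that scheduled `certbot renew` runs should
# already have replaced. Function names and GRACE_DAYS are assumptions.
# Usage: sudo sh check-renewal.sh /etc/letsencrypt/live/example.com/fullchain.pem
RENEW_WINDOW_DAYS=30   # renewal is attempted once fewer than 30 days remain
GRACE_DAYS=1           # assumed slack: two missed twice-daily runs

# to_epoch "Oct 23 12:00:00 2017 GMT" -> seconds since the epoch (UTC).
# The input is the notAfter format printed by `openssl x509 -enddate`.
to_epoch() {
    set -- $1                      # split into: Mon DD HH:MM:SS YYYY TZ
    case "$1" in
        Jan) m=01;; Feb) m=02;; Mar) m=03;; Apr) m=04;; May) m=05;; Jun) m=06;;
        Jul) m=07;; Aug) m=08;; Sep) m=09;; Oct) m=10;; Nov) m=11;; Dec) m=12;;
        *) return 1;;
    esac
    date -u -d "$(printf '%s-%s-%02d %s' "$4" "$m" "${2#0}" "$3")" +%s
}

# renewal_status NOT_AFTER [NOW_EPOCH]: print a verdict and return
# 0 = fine, 1 = renewal overdue, 2 = expired, 3 = date not understood.
renewal_status() {
    end=$(to_epoch "$1") || { echo "UNPARSEABLE"; return 3; }
    now=${2:-$(date -u +%s)}
    left=$(( $end - $now ))
    if [ "$left" -le 0 ]; then
        echo "EXPIRED"; return 2
    elif [ "$left" -lt $(( ($RENEW_WINDOW_DAYS - $GRACE_DAYS) * 86400 )) ]; then
        echo "RENEWAL_OVERDUE $(( $left / 86400 ))d left"; return 1
    fi
    echo "OK $(( $left / 86400 ))d left"
}

# check_cert FILE: read notAfter from a PEM certificate and classify it.
check_cert() {
    not_after=$(openssl x509 -in "$1" -noout -enddate) || return 3
    renewal_status "${not_after#notAfter=}"
}

# Runs only when certificate paths are passed on the command line.
if [ "$#" -gt 0 ]; then
    rc=0
    for cert in "$@"; do
        printf '%s: ' "$cert"
        check_cert "$cert" || rc=1
    done
    exit "$rc"
fi
```

A non-zero exit status means at least one certificate is overdue for renewal, expired or unreadable, so the script can be run from a monitoring job alongside the expiry emails described above.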
You have installed the Let’s Encrypt client certbot, downloaded SSL certificates for your domain, configured Nginx to use those certificates, and set up an automatic certificate renewal. If you happen to have any more questions about using Certbot, then their documentation is a good place to start.