In this tutorial we will show you everything you need to know about Let’s Encrypt, so let’s start by what exactly is it, Let’s Encrypt is a new Certificate Authority (CA) which allows an easy way to retrieve and install free TLS/SSL certificates, therefore enabling encrypted HTTPS on web server. It eases the procedure by providing a software client, Certbot, which tries to automate most (if not all) of the needed steeps. As of now, the whole procedure of retrieving and installing a certificate is fully automated on both Apache and Nginx web servers.
If you would like to acquire a web server from us, use the following link:
We will show you how you could use Certbot to retrieve a free SSL certificate and use it with Nginx on Ubuntu 14.04 LTS, Another thing we’ll show you in the tutorial is how you can automate the renewing process of the SSL certificate.
We will be using the default Nginx configuration file in this tutorial, we are not gonna be using a separate server block file. Instead we suggest creating a new Nginx server block file for every domain since it helps avoiding certain common mistakes and sustains the default files as a fallback configuration as intended.
For this tutorial, you will be required to have the following
- First you will need an Ubuntu 14.04 server implemented with a non-root user which has sudo privileges.
- Nginx installed.
- You need to own or control the registered domain name which you’d like to use the certificate with. In case you don’t have hold of a registered domain name, you could register one using one of the many domain name registrars out there.
- You will also be required to have a DNS, A Record which points your domain to the public IP address of the server, DNS records are needed.
Step 1 — Installing Certbot
To begin using Let’s Encrypt to retrieve an SSL certificate is to first install the Certbot software on your server. The Certbot developers sustain their own Ubuntu software repository along with up-to-date versions of the software. Since Certbot is in a very active development it’s valuable to use that repository in order to obtain a newer Certbot than the one given by Ubuntu.
Now we will add the repository:
sudo add-apt-repository ppa:certbot/certbot
You will have to press ENTER to accept. Then, update the package list to obtain the new repository’s package information:
sudo apt-get update
Lastly, install Certbot using apt-get:
sudo apt-get install python-certbot-nginx
Certbot, Let’s Encrypt client is now ready for use.
Step 2 — Setting up Nginx
Certbot is capable of automatically configuring SSL for Nginx, though it will require being able to look for the correct server block in your config. It will do this by searching for a server_name directive which matches the domain you’re requesting a certificate for. In case you are just starting out with a fresh Nginx install, you could update the regular config file:
sudo nano /etc/nginx/sites-available/default
Search the existing server_name line:
Switch localhost with your domain name:
server_name example.com www.example.com;
Now save the file and quit your editor. Confirm the syntax of your configuration edits using the following command:
sudo nginx -t
If this executes with no errors, reload Nginx to load the new configuration:
sudo service nginx reload
Certbot is going to be capable of finding the correct server block and update it. We will now update our firewall so it allows HTTPS traffic.
Step 3 — Obtaining an SSL Certificate
Certbot gives several ways to retrieve SSL certificates, using a couple different plugins. The Nginx plugin should take care of reconfiguring Nginx and reloading the config when required:
sudo certbot --nginx -d example.com -d www.example.com
This executes certbot using the –nginx plugin with –d to determine the names we want the certificate to be valid for.
In case it’s your first time using certbot, you will be asked to enter an email address, then agree to the terms of service. Once you’ve done so, certbot is going to communicate with the Let’s Encrypt server and afterwards run a challenge to confirm that the domain you’re requesting a certificate for, is under your control.
After it’s successful, certbot will request to know how you would like to have your HTTPS settings configured:
Output Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access. ------------------------------------------------------------------------------- 1: No redirect - Make no further changes to the webserver configuration. 2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for new sites, or if you're confident your site works on HTTPS. You can undo this change by editing your web server's configuration. ------------------------------------------------------------------------------- Select the appropriate number [1-2] then [enter] (press 'c' to cancel):
Go for what you would like and hit ENTER. Afterwards the configuration should be updated, and Nginx is going to reload to retrieve the new settings. Certbot will wrap up with a message mentioning the procedure was successful and then showing the location of your certificates:
Output IMPORTANT NOTES: - Congratulations! Your certificate and chain have been saved at /etc/letsencrypt/live/example.com/fullchain.pem. Your cert will expire on 2017-10-23. To obtain a new or tweaked version of this certificate in the future, simply run certbot again with the "certonly" option. To non-interactively renew *all* of your certificates, run "certbot renew" - Your account credentials have been saved in your Certbot configuration directory at /etc/letsencrypt. You should make a secure backup of this folder now. This configuration directory will also contain certificates and private keys obtained by Certbot so making regular backups of this folder is ideal. - If you like Certbot, please consider supporting our work by: Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate Donating to EFF: https://eff.org/donate-le. It should
The certificates should now be downloaded, installed, and configured. Attempt to refresh your website with https:// and notice your browser’s security indicator. It will then show that the site is properly secured, normally with a green lock icon. You could test your server using the SSL Labs Server Test, it will get an A grade.
Step 4 — Verifying Certbot Auto-Renewal
When using Let’s Encrypt, it’s important to remember the certificates are only valid for ninety days. The reason for this is to encourage users to automate their certificate renewal procedure. With the certbot package we’ve installed it can take care of this for us by executing ‘certbot renew’ two times a day using a systemd timer. With a non-systemd which handles the functionality given by a script located in /etc/cron.d. This task executes two times a day and should renew any certificate that’s within thirty days of expiration.
To try the renewal procedure, you could do a dry run using certbot:
sudo certbot renew --dry-run
In case you don’t see any errors, you’re all set. Once it’s needed, Certbot will renew your certificates and refresh Nginx to pick up the changes. If the automated renewal procedure has failed, Let’s Encrypt is going to send you a message from the email you’ve provided, warning you once your certificate is close to expiring.
In this tutorial we’ve installed the Let’s Encrypt client certbot, downloaded SSL certificates for our domain, configured Nginx to use those certificates, and afterwards set up an automatic certificate renewal. If you happen to have any more questions about using Certbot, their documentation is a good place to start.