1. Home
  2. Linux
  3. Ubuntu
  4. How you can secure Nginx with Let’s Encrypt on Ubuntu 14.04

How you can secure Nginx with Let’s Encrypt on Ubuntu 14.04

Securing Nginx with Let's Encrypt
Securing Nginx with Let’s Encrypt


In this tutorial we will teach you how to secure Nginx with Let’s Encrypt.
Let’s Encrypt is a new Certificate Authority (CA) which allows an easy way to retrieve and install free TLS/SSL certificates, therefore enabling encrypted HTTPS on a web server.
Let’s Encrypt eases the procedure by providing a software client ‘Certbot’, which tries to automate most, if not all, of the needed steps. As of now, the whole procedure of retrieving and installing a certificate is fully automated on both Apache and Nginx web servers.
We will show you how you could use Certbot to retrieve a free SSL certificate and use it with Nginx on Ubuntu 14.04 LTS. Furthermore, we’ll show you how to automate the renewing process of the SSL certificate.
We will be using the default Nginx configuration file in this tutorial, not a separate server block file. Instead, we suggest creating a new Nginx server block file for every domain as it will help avoid certain common mistakes and sustain the default files as a fallback configuration as intended.


For this tutorial, you will be required to have the following:

  1. An Ubuntu 14.04 server implemented with a non-root user which has sudo privileges.
  2. Nginx installed.
  3. You need to own or control the registered domain name which you would like to use the certificate with. If you do not have hold of a registered domain name, you could register one using one of the many domain name registrars available.
  4. You will also be required to have a DNS, A Record which points your domain to the public IP address of the server, DNS records are needed.

Step 1 — Installing Certbot

To begin using Let’s Encrypt to retrieve an SSL certificate, first install the Certbot software on your server.
The Certbot developers sustain their own Ubuntu software repository along with up-to-date versions of the software and, since Certbot is in a very active development, it is valuable to use that repository in order to obtain a newer Certbot than the one given by Ubuntu.
Now add the repository.

sudo add-apt-repository ppa:certbot/certbot

Press ‘ENTER’ to accept. Then, update the package list to obtain the new repository’s package information.

sudo apt-get update

Lastly, install Certbot using apt-get.

sudo apt-get install python-certbot-nginx

Certbot, Let’s Encrypt client is now ready for use.

Step 2 — Setting up Nginx

Certbot is capable of automatically configuring SSL for Nginx, though it will require being able to look for the correct server block in your config. It will do this by searching for a ‘server_name’ directive which matches the domain you are requesting a certificate for. In case you are just starting out with a fresh Nginx install, you can update the regular config file.

sudo nano /etc/nginx/sites-available/default

Search the existing ‘server_name’ line.

server_name localhost;

Switch ‘localhost’ with your domain name:

server_name example.com www.example.com;

Save the file and quit your editor. Confirm the syntax of your configuration edits using the command below.

sudo nginx -t

If this executes with no errors, reload Nginx to load the new configuration.

sudo service nginx reload

Certbot is capable of finding the correct server block and updating it. We will now update our firewall so it allows HTTPS traffic.
Step 3 — Obtaining an SSL Certificate
Certbot gives several ways to retrieve SSL certificates using various plugins. The Nginx plugin should take care of reconfiguring Nginx and reloading the config when required.

sudo certbot --nginx -d example.com -d www.example.com

This executes certbot using the ‘–nginx’ plugin with ‘–d’ to determine the names we want the certificate to be valid for.
If this is your first time using certbot, you will be asked to enter an email address, then agree to the terms of service. Once you have done so, certbot will communicate with the Let’s Encrypt server before running a challenge to confirm that the domain you are requesting a certificate for is under your control.
After this is successful, certbot will request to know how you would like to have your HTTPS settings configured.

Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
Select the appropriate number [1-2] then [enter] (press 'c' to cancel):

Decide on what you would like and press ‘ENTER’. Afterwards, the configuration should be updated which means Nginx will have to reload to retrieve the new settings. Certbot will wrap up with a message mentioning that the procedure was successful and then it will show the location of your certificates.

 - Congratulations! Your certificate and chain have been saved at
   /etc/letsencrypt/live/example.com/fullchain.pem. Your cert will
   expire on 2017-10-23. To obtain a new or tweaked version of this
   certificate in the future, simply run certbot again with the
   "certonly" option. To non-interactively renew *all* of your
   certificates, run "certbot renew"
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.
 - If you like Certbot, please consider supporting our work by:
   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le. It should

The certificates should now be downloaded, installed, and configured. Attempt to refresh your website with ‘https://’ and you should now notice your browser’s security indicator. This will show that the site is properly secured, normally with a green lock icon. You could test your server using the SSL Labs Server Test and it will get an A grade.

Step 4 — Verifying Certbot Auto-Renewal

When using Let’s Encrypt, it is important to remember that the certificates are only valid for ninety days; the reason for this is to encourage users to automate their certificate renewal procedure. With the certbot package you have installed, it can take care of this for you by executing ‘certbot renew’ two times a day using a systemd timer. With a non-systemd which handles the functionality given by a script located in ‘/etc/cron.d’. This task executes two times a day and should renew any certificate that’s within thirty days of expiration.
To try the renewal procedure, you can do a dry run using certbot.

sudo certbot renew --dry-run

In the case that you do not see any errors, you are all set. Once it is needed, Certbot will renew your certificates and refresh Nginx to pick up the changes. If the automated renewal procedure has failed, Let’s Encrypt will send you a message to the email you have provided, warning you once your certificate is close to expiring.


You have installed the Let’s Encrypt client certbot, downloaded SSL certificates for your domain, configured Nginx to use those certificates, and set up an automatic certificate renewal. If you happen to have any more questions about using Certbot, then their documentation is a good place to start.

Updated on December 23, 2018

Was this article helpful?

Related Articles

Leave a Comment

[apsl-login-lite login_text='Please login with a social account']