Let’s Encrypt is a free and open certificate authority (CA) that provides automated and easily accessible SSL/TLS certificates for securing websites and online services. SSL/TLS certificates encrypt the data exchanged between users and websites, ensuring confidentiality and data integrity. What sets Let’s Encrypt apart is its mission to make encrypted connections ubiquitous across the internet, fostering a more secure online environment.
Let’s Encrypt offers a straightforward process for obtaining and renewing SSL/TLS certificates through automated tools. These certificates are recognized by major web browsers, allowing websites to establish secure HTTPS connections without the financial burden typically associated with purchasing certificates. Let’s Encrypt simplified the process of issuing and renewing certificates, which helped increase the use of HTTPS, improve online privacy, and enhance website and application security.
In this tutorial, we will learn how to set up let’s encrypt SSL certificate to secure Nginx server on Ubuntu Linux.
Prerequisites
Before we get started, we need to make sure Nginx web server is set up. Use the below link to set up Nginx server on Ubuntu.
- How to install Nginx on Ubuntu Linux.
- Pointing domain name to correct server.
NOTE: DNS setup is beyond the scope of the article. Please ensure domain name is pointing to correct server before proceeding with the below guide.
Step 1: Install Certbot
software
sudo apt install python3-certbot-nginx certbot
Output:
rahil@ubuntu:~$ sudo apt install python3-certbot-nginx certbot
[sudo] password for rahil:
Reading package lists... Done
Unpacking python3-zope.component (4.3.0-3) ...
Selecting previously unselected package python3-certbot.
Preparing to unpack .../09-python3-certbot_1.21.0-1build1_all.deb ...
Unpacking python3-certbot (1.21.0-1build1) ...
Selecting previously unselected package certbot.
Preparing to unpack .../10-certbot_1.21.0-1build1_all.deb ...
Unpacking certbot (1.21.0-1build1) ...
Selecting previously unselected package python3-certbot-nginx.
Preparing to unpack .../11-python3-certbot-nginx_1.21.0-1_all.deb ...
Unpacking python3-certbot-nginx (1.21.0-1) ...
Selecting previously unselected package python3-icu.
Preparing to unpack .../12-python3-icu_2.8.1-0ubuntu2_amd64.deb ...
Unpacking python3-icu (2.8.1-0ubuntu2) ...
Setting up python3-configargparse (1.5.3-1) ...
Setting up python3-requests-toolbelt (0.9.1-1) ...
Setting up python3-parsedatetime (2.6-2) ...
Setting up python3-icu (2.8.1-0ubuntu2) ...
Setting up python3-zope.event (4.4-3) ...
Setting up python3-zope.hookable (5.1.0-1build1) ...
Setting up python3-josepy (1.10.0-1) ...
Setting up python3-rfc3339 (1.1-3) ...
Setting up python3-zope.component (4.3.0-3) ...
Setting up python3-acme (1.21.0-1ubuntu0.1) ...
Setting up python3-certbot (1.21.0-1build1) ...
Setting up certbot (1.21.0-1build1) ...
Created symlink /etc/systemd/system/timers.target.wants/certbot.timer → /lib/systemd/system/certbot.timer.
Setting up python3-certbot-nginx (1.21.0-1) ...
Processing triggers for man-db (2.10.2-1) ...
Scanning processes...
Scanning candidates...
Scanning linux images...
Running kernel seems to be up-to-date.
Restarting services...
systemctl restart unattended-upgrades.service
No containers need to be restarted.
No user sessions are running outdated binaries.
No VM guests are running outdated hypervisor (qemu) binaries on this host.
Step 2: Retrieve new SSL Certificate from Let’s Encrypt
Certbot offers a range of plugins for acquiring SSL certificates. The Nginx plugin handles Nginx reconfiguration and config reloading as needed. To utilize this plugin, enter the following command:
sudo certbot --nginx -d demo.tekspace.io
Note: In the above command execution, I am only requesting a certificate fo a sub-domain. If you are using your main domain and want to add WWW. Simply add like this
sudo certbot --nginx -d tekspace.io www.tekspace.io
Output:
rahil@ubuntu:/etc/nginx/sites-enabled$ sudo certbot --nginx -d demo.tekspace.io
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Enter email address (used for urgent renewal and security notices)
(Enter 'c' to cancel): example@outlook.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.3-September-21-2022.pdf. You must
agree in order to register with the ACME server. Do you agree?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing, once your first certificate is successfully issued, to
share your email address with the Electronic Frontier Foundation, a founding
partner of the Let's Encrypt project and the non-profit organization that
develops Certbot? We'd like to send you email about our work encrypting the web,
EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: N
Account registered.
Requesting a certificate for demo.tekspace.io
Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/demo.tekspace.io/fullchain.pem
Key is saved at: /etc/letsencrypt/live/demo.tekspace.io/privkey.pem
This certificate expires on 2023-11-28.
These files will be updated when the certificate renews.
Certbot has set up a scheduled task to automatically renew this certificate in the background.
Deploying certificate
Successfully deployed certificate for demo.tekspace.io to /etc/nginx/sites-enabled/demo_tekspace_io
Congratulations! You have successfully enabled HTTPS on https://demo.tekspace.io
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
If you like Certbot, please consider supporting our work by:
* Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
* Donating to EFF: https://eff.org/donate-le
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
The output above will install and configure a new SSL certificate from Let’s Encrypt to secure Nginx. The certificates and private key obtained by certbot will be stored in /etc/letsencrypt/live/demo.tekspace.io/privkey.pem
and /etc/letsencrypt/live/demo.tekspace.io/fullchain.pem
path. Certbot will automatically configure the Nginx configuration file, also known as server block for traffic to https.
That’s it! You now have a new certificate from Let’s Encrypt and staged directly to the location where Nginx
can reference those certificates. Browse your application over https and if there are no certificate errors, you have a valid certificate installed.
Certificate details:
Step 3: Check Certbot Auto-Renewal
Let’s Encrypt certificates are valid for a period of ninety days, which encourages users to automate the process of renewal. The certbot package, which we previously installed, streamlines this by incorporating a systemd timer that executes twice daily. It automatically renews certificates within a thirty-day window before expiration.
sudo systemctl status certbot.timer
Output:
rahil@ubuntu:/etc/nginx/sites-enabled$ sudo systemctl status certbot.timer
● certbot.timer - Run certbot twice daily
Loaded: loaded (/lib/systemd/system/certbot.timer; enabled; vendor preset: enabled)
Active: active (waiting) since Wed 2023-08-30 21:07:52 UTC; 1h 5min ago
Trigger: Thu 2023-08-31 03:58:55 UTC; 5h 45min left
Triggers: ● certbot.service
Here is another command that can come handy to test certificate renewals.
sudo certbot renew --dry-run
Output:
rahil@ubuntu:/etc/nginx/sites-enabled$ sudo certbot renew --dry-run
Saving debug log to /var/log/letsencrypt/letsencrypt.log
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/demo.tekspace.io.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Account registered.
Simulating renewal of an existing certificate for demo.tekspace.io
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations, all simulated renewals succeeded:
/etc/letsencrypt/live/demo.tekspace.io/fullchain.pem (success)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
If no errors are observed, you’re in good shape. Certbot will manage certificate renewal and Nginx reloads as needed. Should automated renewal encounter an issue, Let’s Encrypt will notify you via the specified email address, alerting you in advance of certificate expiration.
Conclusion
Throughout this guide, you’ve successfully installed the Let’s Encrypt client, certbot. You’ve also obtained SSL certificates for your domain, configured Nginx to employ these certificates, and established automated renewal. For additional guidance on Certbot usage, the official documentation serves as an excellent resource to begin with.