Home » Ubuntu » How to Setup Nginx with Let's Encrypt on Ubuntu 20.04

How to Setup Nginx with Let's Encrypt on Ubuntu 20.04

To enable secure communication (i.e. HTTPS) on your NGINX web server, you need to obtain an SSL/TLS certificate from a trusted certificate authority. Let's Encrypt is a not-for-profit certificate authority that offers free SSL/TLS certificates.

This tutorial describes how to setup a free SSL/TLS certificate issued by Let's Encrypt on Ubuntu 20.04 LTS Server running Nginx.

Prerequisites:

Install Certbot on Ubuntu

Certbot is an open-source tool that simplifies and automates the process of obtaining and renewing certificates from Let's Encrypt. We are going to install Certbot by using the Snap deployment system. Snap is pre-installed on Ubuntu 20.04.

Update snapd

Run the following commands to update snapd.

$ sudo snap install core
$ sudo snap refresh core

Install certbot snap

Next, we are ready to install the Certbot snap.

Note: If you have previously installed Certbot by using the standard apt command, then run the following command first to remove it. This will ensure that the Certbot snap works correctly.

$ sudo apt-get remove certbot
$ sudo snap install --classic certbot
certbot 1.11.0 from Certbot Project (certbot-eff✓) installed

Enable certbot command

After successfully installing the Certbot snap, run the next command to enable certbot for use.

$ sudo ln -s /snap/bin/certbot /usr/bin/certbot

Obtain your Certificate

When you run the command below, certbot will guide you through the rest of the process. Certbot also updates your NGINX configuration automatically to activate HTTPS.

$ sudo certbot --nginx

Below is a summary of what certbot will prompt you to do during this process.

  1. Provide an email address where renewal and security notices will be sent to
  2. Enter y to accept the terms of service
  3. Enter y or n to accept or decline to share your email address with the developers of Certbot
  4. Confirm the domain name(s) for which you would like to enable HTTPS
Output
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx
Enter email address (used for urgent renewal and security notices)
 (Enter 'c' to cancel): shola@linoxide.com

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server. Do you agree?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: y

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing, once your first certificate is successfully issued, to
share your email address with the Electronic Frontier Foundation, a founding
partner of the Let's Encrypt project and the non-profit organization that
develops Certbot? We'd like to send you email about our work encrypting the web,
EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: n
Account registered.

Which names would you like to activate HTTPS for?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: domain1.com
2: www.domain1.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 
Requesting a certificate for domain1.com and www.domain1.com
Performing the following challenges:
http-01 challenge for domain1.com
http-01 challenge for www.domain1.com
Waiting for verification...
Cleaning up challenges
Deploying Certificate to VirtualHost /etc/nginx/sites-enabled/domain1
Deploying Certificate to VirtualHost /etc/nginx/sites-enabled/domain1
Redirecting all traffic on port 80 to ssl in /etc/nginx/sites-enabled/domain1
Redirecting all traffic on port 80 to ssl in /etc/nginx/sites-enabled/domain1

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations! You have successfully enabled https://domain1.com and
https://www.domain1.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/domain1.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/domain1.com/privkey.pem
   Your certificate will expire on 2021-04-10. To obtain a new or
   tweaked version of this certificate in the future, simply run
   certbot again with the "certonly" option. To non-interactively
   renew *all* of your certificates, run "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

Cerbot will add the following entries (sentences showing managed by Certbot) in the nginx block file.

/etc/nginx/sites-enabled/domain1
$ cat /etc/nginx/sites-enabled/domain1
# Virtual Host configuration for example.com
#
# You can move that to a different file under sites-available/ and symlink that
# to sites-enabled/ to enable it.
#
server {

       server_name domain1.com www.domain1.com;

       root /var/www/domain1.com;
       index index.html;

       location / {
               try_files $uri $uri/ =404;
       }

    listen [::]:443 ssl ipv6only=on; # managed by Certbot
    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/domain1.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/domain1.com/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

}

server {
    if ($host = www.domain1.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot


    if ($host = domain1.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot


       listen 80;
       listen [::]:80;

       server_name domain1.com www.domain1.com;
    return 404; # managed by Certbot
}
$

Browse your website to confirm that the lock icon is now displayed.

Certificate Renewal Process

Certificates issued by Let's Encrypt are valid for 90 days. During installation, certbot creates a scheduled task to automatically renew your certificates before they expire. As long as you do not change your web server configuration, you would not have to run certbot again.

Run the following command to test the automatic renewal process.

$ sudo certbot renew --dry-run

Conclusion

In this guide, we learned how to setup let's encrypt SSL certificate on NGINX web server running on Ubuntu 20.04.

Instead of Cerbot, you can also use ACME Shell script to automatically issue & renew the free certificates from Let's Encrypt.

If anything is unclear, do let us know in the comments section below.

Leave a Comment