Secure Nginx with Let’s Encrypt on Ubuntu 20.04 – OrcaCore


In this article, we will guide you on how to Secure Nginx with Let’s Encrypt on Ubuntu 20.04. Let’s Encrypt is a Certificate Authority (CA) that provides a streamlined method to obtain and install free TLS/SSL certificates, enabling encrypted HTTPS on your web servers. This ensures secure communication between your server and visitors.

You can proceed with the following steps to secure your Nginx installation by generating SSL certificates from Let’s Encrypt.

Before securing your Nginx server, ensure the following prerequisites are met:

  • You are logged into your Ubuntu 20.04 server as a non-root user with sudo privileges and have set up a basic firewall. Refer to our article on Initial Server Setup with Ubuntu 20.04 for detailed instructions.
  • Nginx is installed on your server, and a server block is configured for your domain. Check How To Install Nginx on Ubuntu 20.04 for assistance.
  • You possess a fully registered domain name that resolves to your server’s IP address.

Now, follow the steps below to Secure Nginx with Let’s Encrypt on Ubuntu 20.04.

1. Install Certbot on Ubuntu 20.04

Install Certbot and its Nginx plugin using the following command:

sudo apt install certbot python3-certbot-nginx -y

Next, check the Nginx server block for your domain on Ubuntu 20.04 and make sure its server_name directive lists your registered domain name. Open the file with your preferred text editor (e.g., vi):

sudo vi /etc/nginx/sites-available/example.com

Remember to replace example.com with your actual domain name in the commands.

Locate the server_name line, which should resemble the following:

...
server_name example.com www.example.com;
...

Save and close the file after making any necessary adjustments.

Confirm your Nginx configuration edits on Ubuntu 20.04 using the command:

sudo nginx -t

The output should indicate that the configuration file syntax is correct and the test is successful:

Output
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

Reload Nginx to apply the changes:

sudo systemctl reload nginx

2. Configure Firewall Settings

Configure the firewall to allow HTTPS traffic for secure Nginx operation on Ubuntu 20.04. First, check the firewall status:

sudo ufw status

The output will display the current firewall rules:

Output
Status: active
To                Action      From
--                ------      ----
Nginx HTTP         ALLOW       Anywhere
OpenSSH            ALLOW       Anywhere
Nginx HTTP (v6)    ALLOW       Anywhere (v6)
OpenSSH (v6)       ALLOW       Anywhere (v6)

Allow ‘Nginx Full’ through the firewall and remove the ‘Nginx HTTP’ rule:

sudo ufw allow 'Nginx Full'
sudo ufw delete allow 'Nginx HTTP'

Now, proceed to acquire your SSL certificate using Certbot.

3. Get an SSL certificate with Let’s Encrypt on Ubuntu 20.04

Certbot offers multiple methods for obtaining SSL certificates via plugins. The Nginx plugin automates Nginx reconfiguration and reloads the configuration when required. To use this plugin, execute the following command:

sudo certbot --nginx -d example.com

The above command is for a single domain. For multiple domains, use:

sudo certbot --nginx -d example.com -d www.example.com

You will be prompted for your email address and asked to agree to the terms of service. You’ll also be given the option to share your email address with the Electronic Frontier Foundation. Next, Certbot will inquire about your preferred HTTPS configuration. Choose your option and press Enter.

The output will look similar to this:

[Screenshot: Get an SSL certificate with Let's Encrypt on Ubuntu 20.04]

At this point, your SSL certificates are downloaded, installed, and activated. Your Nginx server is now secured with Let’s Encrypt on Ubuntu 20.04. Access your website via https://, and observe the browser’s security indicator.

Additionally, you can utilize the SSL Labs Server Test to assess your server’s security configuration and achieve an A grade.

4. Renew SSL Certificates From Let’s Encrypt

Let’s Encrypt certificates are valid for 90 days, so they must be renewed regularly. Certbot automates this with a systemd timer that runs twice a day and renews any certificate that is within thirty days of its expiry date. Check the timer status:

sudo systemctl status certbot.timer

[Screenshot: certbot timer status]

Test the renewal process with Certbot:

sudo certbot renew --dry-run

If no errors are displayed, the renewal process is functioning correctly.
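As an added check that is not part of the original article, the following script verifies that a certbot-managed certificate is not close to expiry and that Nginx is actually serving the certificate that is on disk, which catches a renewal that ran without an Nginx reload. It assumes certbot's /etc/letsencrypt/live/<name>/ layout, the openssl command-line tool, and a placeholder domain passed as the only argument.

```shell
#!/bin/sh
# Added example, not from the original article: post-renewal checks for a
# certificate certbot keeps under /etc/letsencrypt/live/<name>/ (its layout).
# Needs the openssl CLI; the 30-day threshold mirrors certbot's default.

# Exit 0 when the PEM certificate in file $1 expires within $2 days
# (openssl -checkend exits 1 inside the window, so it is negated).
cert_renewal_due() {
    ! openssl x509 -noout -checkend $(( $2 * 86400 )) -in "$1"
}

# SHA-256 fingerprint of the PEM certificate in file $1: 64 lowercase hex chars.
cert_fingerprint() {
    openssl x509 -noout -fingerprint -sha256 -in "$1" \
        | sed 's/^.*=//; s/://g' | tr 'A-F' 'a-f'
}

# Fetch the leaf certificate Nginx actually serves for $1 (sent as SNI) into $2.
fetch_served_cert() {
    openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -outform PEM > "$2"
}

# Exit 0 when the certificate on disk ($2) is the one served for domain $1. A
# mismatch after "certbot renew" means Nginx was never reloaded and still
# hands clients the old certificate.
served_cert_matches() {
    tmp=$(mktemp)
    if fetch_served_cert "$1" "$tmp" \
        && [ "$(cert_fingerprint "$tmp")" = "$(cert_fingerprint "$2")" ]; then
        rc=0
    else
        rc=1
    fi
    rm -f "$tmp"
    return $rc
}

# Usage on the server: sh check-cert.sh example.com (domain is a placeholder)
if [ $# -eq 1 ]; then
    live="/etc/letsencrypt/live/$1/fullchain.pem"
    cert_renewal_due "$live" 30 && echo "$1: renewal due within 30 days"
    if served_cert_matches "$1" "$live"; then
        echo "$1: Nginx serves the certificate on disk"
    else
        echo "$1: served certificate differs from disk; reload Nginx"
    fi
fi
```

The fingerprint comparison needs the server to be reachable on port 443; the expiry check works on any PEM file, including a freshly renewed one before it is deployed.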

Conclusion

You have successfully learned how to Secure Nginx with Let’s Encrypt on Ubuntu 20.04. Certbot streamlines the setup process, making it automated and free. Once configured, HTTPS provides encrypted communication, improves SEO, and enhances trustworthiness. Automatic renewals minimize maintenance. It’s a fast, reliable, and secure solution for modern web hosting.


Alternative Solutions for Securing Nginx with SSL Certificates

While Certbot offers a straightforward and automated approach to securing Nginx with Let’s Encrypt, alternative solutions exist. These methods provide flexibility and can be suitable for specific environments or preferences.

1. Using a Web Hosting Control Panel (e.g., cPanel, Plesk, Webmin)

Many web hosting control panels offer built-in tools for managing SSL certificates, including integration with Let’s Encrypt. These panels simplify the process of requesting, installing, and renewing certificates through a graphical interface.

Explanation:

Web hosting control panels provide a user-friendly interface to manage various aspects of a web server, including domain management, email accounts, and website files. They often include features to automate SSL certificate management, which can be particularly helpful for users who are not comfortable with command-line interfaces. The control panel handles the complexities of interacting with Let’s Encrypt and configuring Nginx.

Steps (Example using cPanel):

  1. Log in to your cPanel account.
  2. Navigate to the "SSL/TLS" section. The location and name may vary depending on the cPanel version.
  3. Look for an option like "Let’s Encrypt SSL" or "Install an SSL Website."
  4. Select the domain you want to secure.
  5. Follow the prompts to request and install the certificate. cPanel will typically handle the validation process and configure Nginx automatically.
  6. Enable automatic renewal. cPanel usually has a built-in feature to automatically renew Let’s Encrypt certificates before they expire.

While specific steps vary between different control panels, the general process involves navigating to the SSL/TLS management section, selecting the domain, and initiating the Let’s Encrypt integration. The control panel then automates the certificate generation, installation, and renewal processes.

2. Manually Generating and Installing Certificates with OpenSSL

While less automated, manually generating SSL certificates provides more control over the process. This involves using OpenSSL to create a Certificate Signing Request (CSR), submitting it to Let’s Encrypt (or another CA), and then manually configuring Nginx with the obtained certificate and key. This approach requires a deeper understanding of SSL/TLS concepts.

Explanation:

This method gives you the most control over the certificate generation and installation process. It’s suitable for users who want to understand the underlying mechanisms and have specific configuration requirements. However, it also requires more technical expertise and manual effort. You’ll need to install and configure the certbot client in "certonly" mode to only obtain the certificate without automatic nginx configuration.

Code Example (Illustrative – Requires further steps and configuration):

First, install certbot without the nginx plugin:

sudo apt install certbot

Then, obtain the certificate in "certonly" mode using the webroot plugin:

sudo certbot certonly --webroot -w /var/www/example.com -d example.com -d www.example.com

(Replace /var/www/example.com with the correct webroot directory for your domain). This places the certificates in /etc/letsencrypt/live/example.com/.

Finally, manually configure your Nginx server block to use the certificates:

server {
    listen 443 ssl;
    server_name example.com www.example.com;

    # Full chain and private key written by "certbot certonly" for this domain
    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

    # ... other configurations ...
}

Remember to reload Nginx after making changes to the configuration file:

sudo systemctl reload nginx

Important Considerations for Manual Installation:

  • Certificate Validation: The webroot plugin proves domain ownership by placing a challenge file under /.well-known/acme-challenge/ in your webroot directory, so Nginx must serve that directory over plain HTTP on port 80 while the challenge runs. certbot creates and removes the file automatically during the certonly command.
  • Renewal: You’ll need to set up a cron job or systemd timer to automatically renew the certificates before they expire. This involves running the certbot renew command and then reloading Nginx, since in certonly mode certbot does not reload it for you and Nginx only reads the certificate files at start or reload.
  • Security: Ensure that the private key is properly secured and only accessible by the Nginx user.

While more complex, manually generating and installing certificates provides greater flexibility and control. Choosing the right method depends on your technical expertise and specific needs.
