Using Let’s Encrypt with NGINX on Ubuntu 18.04


With Let’s Encrypt’s launch a whole new world was opened up for those wishing to secure their websites, easily and without huge expenses. A typical certificate prior to Let’s Encrypt would run web site operators several hundreds a year. In this tutorial, you will learn how to request free certificates and automate the renewal process using Let’s Encrypt with NGINX.

Let’s Encrypt provides a tool named Certbot, and its purpose is to make managing certificates easier, as well as help automate the process. Certbot is found in a PPA maintained by Let’s Encrypt, which you will need to install.

Installing PPA

Let’s Encrypt maintains an Ubuntu PPA that provides packages to ease certificate management. The main tool, certbot, is designed for automating configurations for Apache and Nginx, as well as managing certificates that have been requests.

To add the Let’s Encrypt PPA to Ubuntu, run the following commands.

sudo apt-get update
sudo apt-get install software-properties-common
sudo add-apt-repository universe
sudo add-apt-repository ppa:certbot/certbot

To install Certbot and the Nginx plugin, run the following command.

sudo apt-get install certbot python-certbot-nginx 

Configuring NGINX and Requesting Certificates

The NGINX plugin for Certbot will register new certificates for you and then update your NGINX configuration. If you are not using the default enabled site, you can specify that wish to manual update the configuration.

Run the certbot command with the –nginx flag.

sudo certbot --nginx

You will be prompted for your email address, if an email address isn’t already registered for the host. When registered, you will be asked for a domain name or list of domain names to add to your certificate.

Saving debug log to /var/log/letsencrypt/letsencrypt.log
 Plugins selected: Authenticator nginx, Installer nginx
 No names were found in your configuration files. Please enter in your domain
 name(s) (comma and/or space separated)  (Enter 'c' to cancel): 

The hostname(s) must be registered in DNS and resolvable. The IP address returned by DNS must also match the server’s local IP address. Certbot will validate this when requesting your certificate.

 Obtaining a new certificate
 Performing the following challenges:
 http-01 challenge for
 Waiting for verification…
 Cleaning up challenges
 Deploying Certificate to VirtualHost /etc/nginx/sites-enabled/default

If the requests is successful, you will be asked with you want Certbot to automatically update NGINX or not. As mentioned previously, the configuration applies to the default site. Any custom sites will need to be manually configured.

Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
 1: No redirect - Make no further changes to the webserver configuration.
 2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
 new sites, or if you're confident your site works on HTTPS. You can undo this
 change by editing your web server's configuration.
 Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2

Your certificate is now installed and, if you chose the automatic NGINX configuration, your server is ready to support TLS.

 Congratulations! You have successfully enabled
 You should test your configuration at:
 IMPORTANT NOTES:                                                                                                                                                                                                                                                                                                                        
 Congratulations! Your certificate and chain have been saved at:                                                                                                                                                                                                                                                                      
 Your key file has been saved at:
 Your cert will expire on 2019-08-30. To obtain a new or tweaked
 version of this certificate in the future, simply run certbot again
 with the "certonly" option. To non-interactively renew all of
 your certificates, run "certbot renew"
 If you like Certbot, please consider supporting our work by:
 Donating to ISRG / Let's Encrypt:
 Donating to EFF:           

The configuration Certbot generates will look similar to the following example. It is a basic server configuration for handling secure traffic on port 443. The paths of the certificates generated by Let’s Encrypt will be added to the config as well.

server {
     # SSL configuration
     # listen 443 ssl default_server;
     # listen [::]:443 ssl default_server;
     # Note: You should disable gzip for SSL traffic.
     # See:
     # Read up on ssl_ciphers to ensure a secure configuration.
     # See:
     # Self signed certs generated by the ssl-cert package
     # Don't use them in a production server!
     # include snippets/snakeoil.conf;

     root /var/www/html;

     # Add index.php to the list if you are using PHP
     index index.html index.htm index.nginx-debian.html;

     # managed by Certbot
     location / {
             # First attempt to serve request as file, then
             # as directory, then fall back to displaying a 404.
             try_files $uri $uri/ =404;

     # pass PHP scripts to FastCGI server
     #location ~ \.php$ {
       include snippets/fastcgi-php.conf;
     # With php-fpm (or other unix sockets):
     #       fastcgi_pass unix:/var/run/php/php7.0-fpm.sock;
     #       # With php-cgi (or other tcp sockets):
     #       fastcgi_pass;
     # deny access to .htaccess files, if Apache's document root
     # concurs with nginx's one
     #location ~ /\.ht {
     #       deny all;

     listen [::]:443 ssl ipv6only=on; # managed by Certbot
     listen 443 ssl; # managed by Certbot
     ssl_certificate /etc/letsencrypt/live/; # managed by Certbot
     ssl_certificate_key /etc/letsencrypt/live/; # managed by Certbot
     include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
     ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot