Setup a Free SSL Cert with Let’s Encrypt and Nginx

HTTPS not only protects sensitive data from being read by third parties during transit. But, it also prevents attackers from injecting malware and advertisements into the websites that you visit.

There’s been a push for a more secure web for a few years now. In June 2014 at Google’s I/O conference, its Webmaster Trends Analyst Pierre Far stated that “We want to convince you that all communications should be secure by default.”

Adding HTTPS to your website not only increases the security on it. But, Google also announced in June 2014 that it would be rewarding website owners who employ HTTPS on their websites with a minor ranking boost in the search engine result pages.

The problem with HTTPS is that it has been confusing and even cost prohibitive to setup for website owners. Let’s Encrypt sought to change that.

Let’s Encrypt, an open certificate authority (CA), provides free and automated SSL certificates.

In this guide I’ll teach you how to obtain a free SSL certificate from Let’s Encrypt, automate its renewal process and configure it to run on an Nginx web server.

Install Certbot

The Electronic Frontier Foundation has released a tool called Certbot, which obtains certificates from Let’s Encrypt.

Install add-apt-repository.

sudo apt-get install software-properties-common

Add the Certbot repository. Press [ENTER] after typing the command.

sudo add-apt-repository ppa:certbot/certbot

Update the package list on your system.

sudo apt-get update

Install Certbot’s Nginx package.

sudo apt-get install python-certbot-nginx

Configure Nginx

You can have Certbot automatically configure SSL for your domain in Nginx.

Certbot will search the Nginx configuration files’ server blocks for the server_name directive that matches your domain name.

Open your domain’s Nginx config file.

sudo nano /etc/nginx/sites-available/your-domain.com

Make sure that the server_name directive matches the domain you’re looking to setup an SSL cert for.

server {
        listen 80 default_server;
        listen [::]:80 default_server;
        server_name your-domain.com www.your-domain.com;
}

If changes were made, reload Nginx.

sudo systemctl reload nginx

Obtain an SSL Certificate

Certbot will prompt you to configure your domain’s settings and agree to their user agreement.

After you’ve completed this, Certbot will add all of the SSL directives to Nginx and reload it.

sudo certbot --nginx -d your-domain.com -d www.your-domain.com

Certificate Renewal

Let’s Encrypt certificates are only good for 90 days. So we’ll add a job to crontab that checks daily to see if the certificate is about to expire and if so, automatically renew it.

Edit crontab file.

sudo su
crontab -e

Now we’ll add a job which runs Certbot daily at noon. If the domain is set to expire within 30 days, it will automatically renew it.

0 12 * * * /usr/bin/certbot renew --quiet

Set Firewall to Accept HTTPS Traffic

If you’re running a firewall, you’ll need to allow HTTPS traffic by opening port 443.

If you’re interested in learning how to run a firewall on your system, I recommend that you read my guide on how to secure your server with Iptables.

Iptables

sudo iptables -A INPUT -p tcp --dport 443 -j ACCEPT

Congratulations! You’ve done your part in helping to secure the web. If you have any questions or issues related to the guide, feel free to discuss them in the comments section below.