How to Secure Nginx with Let's Encrypt on Ubuntu 18.04

How to Secure Nginx with Let’s Encrypt on Ubuntu – Google Cloud. If you are running an ecommerce site, accepting payments, or passing information that needs to be encrypted, then you will need an SSL certificate installed on your server.

HTTPS ensures that no information is passed as plain text. It’s recommended to use SSL certificates on all websites.

This guide shows all the required steps to install Let’s Encrypt SSL certificate successfully.

Choose Best Hosting for your Business

Platform	Reviews	Pricing
Siteground	★★★★★	$3.95
Kinsta – Google Cloud	★★★★★	$30

Prerequisites

A running Compute Engine, see the Setting up Compute Engine Instance with Ubuntu 18.04.
Initial Ubuntu Server Set up.
Install LEMP stack on Ubuntu in Google Cloud.
Set up Cloud DNS to point your Domain name.

Let’sEncrypt SSL certificate

Let’s Encrypt is a Certificate Authority (CA) that provides an easy way to obtain and install free TLS/SSL certificates, thereby enabling encrypted HTTPS on web servers.

It automates most of the required steps with the software client called Certbot. You need to have a separate server block for your domain name.

01. Installing Certbot

Add the Certbot repository and install the latest version of Certbot with the following command.

sudo add-apt-repository ppa:certbot/certbot
sudo apt update

Install Certbot package for Nginx.

sudo apt install python-certbot-nginx

02. Allow HTTPS through Firewall

If you are using UFW and haven’t allowed connections for HTTPs go ahead and create a rule to allow HTTPS.

sudo ufw allow 'Nginx HTTPS'

03. Obtain SSL Certificate

sudo certbot --nginx certonly

Enter your email and agree to the terms and conditions, then you will receive the list of domains you need to generate SSL certificate.

To select all domains simply hit Enter

The Certbot client will automatically generate the new certificate for your domain. Now we need to update the Nginx config.

04. Install SSL Certificate

Open your site’s Nginx configuration file add replace everything with the following.

sudo nano /etc/nginx/sites-available/yourdomainname.com

Modify the listen directive to listen for HTTPs connections inside your server block.

Replace
listen [::]:80;
listen 80;

with
listen [::]:443 ssl http2;     
listen 443 ssl http2;

Add your SSL certificate path below the server_name directive.

Replacing the file path with the one you received when obtaining the SSL certificate. The ssl_certificate directive should point to your fullchain.pem file, and the ssl_certificate_key directive should point to your privkey.pem file.

ssl_certificate /etc/letsencrypt/live/yourdomainname.com/fullchain.pem;     
ssl_certificate_key /etc/letsencrypt/live/yourdomainname.com/privkey.pem;

05. Redirect HTTP Traffic to HTTPS with www in Nginx

Place the below blocks above your server block to redirect all HTTP requests and requests without www to HTTPs with www

server {
    listen [::]:80;
    listen 80;     

    server_name yourdomainname.com www.yourdomainname.com;     

    # redirect http to https www     
    return 301 https://www.yourdomainname.com$request_uri; 
} 

server {     
    listen [::]:443 ssl http2;     
    listen 443 ssl http2;
    
    server_name yourdomainname.com;

    ssl_certificate /etc/letsencrypt/live/yourdomainname.com/fullchain.pem;     
    ssl_certificate_key /etc/letsencrypt/live/yourdomainname.com/privkey.pem;     

    root /home/username/yourdomainname.com/public/; 
    index index.html index.php; 

    # redirect https non-www to https www 
    return 301 https://www.yourdomainname.com$request_uri; 
}

The http2 value is all that is needed to enable the HTTP/2 protocol.

Hit CTRL+X followed by Y to save the changes.

Check your configuration and restart Nginx for the changes to take effect.

sudo nginx -t
sudo service nginx restart

06. Renewing SSL Certificate

Certificates provided by Let’s Encrypt are valid for 90 days only, so you need to renew them often. Now you set up a cronjob to check for the certificate which is due to expire in next 30 days and renew it automatically.

sudo crontab -e

Add this line at the end of the file

0 0,12 * * * certbot renew >/dev/null 2>&1

Hit CTRL+X followed by Y to save the changes.

This cronjob will attempt to check for renewing the certificate twice daily.

07. Verify SSL Certificate

Once the setup is done visit your domain in your web browser. You can now view your site loaded with HTTPs.

Conclusion

Now you have learned how to install SSL Certificate on your Ubuntu server with Nginx in Google Cloud.

Thanks for your time. If you face any problem or any feedback, please leave a comment below.

How to Secure Nginx with Let’s Encrypt on Ubuntu 18.04 – Google Cloud

Prerequisites

Let’sEncrypt SSL certificate

01. Installing Certbot

02. Allow HTTPS through Firewall

03. Obtain SSL Certificate

04. Install SSL Certificate

05. Redirect HTTP Traffic to HTTPS with www in Nginx

06. Renewing SSL Certificate

07. Verify SSL Certificate

Conclusion

Related Posts

How to Secure WordPress Installation with Bedrock – Google Cloud

Automated CI/CD Deployment to App Engine with Cloud Build

How to Install and Setup Ansible on Ubuntu 20.04

Write A Comment Cancel Reply