How to Secure Nginx with Let’s Encrypt on Ubuntu – Google Cloud. If you are running an
HTTPS ensures that no information is passed as plain text. It’s recommended to use SSL certificates on all websites.
This guide shows all the required steps to install Let’s Encrypt SSL certificate successfully.
Prerequisites
- A running Compute Engine, see the Setting up Compute Engine Instance with Ubuntu 18.04.
- Initial Ubuntu Server Set up.
- Install LEMP stack on Ubuntu in Google Cloud.
- Set up Cloud DNS to point your Domain name.
Let’sEncrypt SSL certificate
Let’s Encrypt is a Certificate Authority (CA) that provides an easy way to obtain and install free TLS/SSL certificates, thereby enabling encrypted HTTPS on web servers.
It automates most of the required steps with the software client called Certbot. You need to have a separate server block for your domain name.
01. Installing Certbot
Add the Certbot repository and install the latest version of Certbot with the following command.
sudo add-apt-repository ppa:certbot/certbot
sudo apt update
Install Certbot package for Nginx.
sudo apt install python-certbot-nginx
02. Allow HTTPS through Firewall
If you are using UFW and haven’t allowed connections for HTTPs go ahead and create a rule to allow HTTPS.
sudo ufw allow 'Nginx HTTPS'
03. Obtain SSL Certificate
sudo certbot --nginx certonly
Enter your email and agree to the terms and conditions, then you will receive the list of domains you need to generate SSL certificate.
To select all domains simply hit Enter
The Certbot client will automatically generate the new certificate for your domain. Now we need to update the Nginx config.
04. Install SSL Certificate
Open your site’s Nginx configuration file add replace everything with the following.
sudo nano /etc/nginx/sites-available/yourdomainname.com
Modify the listen directive to listen for HTTPs connections inside your server block.
Replace
listen [::]:80;
listen 80;
with
listen [::]:443 ssl http2;
listen 443 ssl http2;
Add your SSL certificate path below the server_name directive.
Replacing the file path with the one you received when obtaining the SSL certificate. ssl_certificate directivessl_certificate_key
ssl_certificate /etc/letsencrypt/live/yourdomainname.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/yourdomainname.com/privkey.pem;
05. Redirect HTTP Traffic to HTTPS with www in Nginx
Place the below blocks above your server block to redirect all HTTP requests and requests without www to HTTPs with www
server {
listen [::]:80;
listen 80;
server_name yourdomainname.com www.yourdomainname.com;
# redirect http to https www
return 301 https://www.yourdomainname.com$request_uri;
}
server {
listen [::]:443 ssl http2;
listen 443 ssl http2;
server_name yourdomainname.com;
ssl_certificate /etc/letsencrypt/live/yourdomainname.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/yourdomainname.com/privkey.pem;
root /home/username/yourdomainname.com/public/;
index index.html index.php;
# redirect https non-www to https www
return 301 https://www.yourdomainname.com$request_uri;
}
The http2 value is all that is needed to enable the HTTP/2 protocol.
Hit CTRL+X followed by Y to save the changes.
Check your configuration and restart Nginx for the changes to take effect.
sudo nginx -t
sudo service nginx restart
06. Renewing SSL Certificate
Certificates provided by Let’s Encrypt are valid for 90 days only, so you need to renew them often. Now you set up a cronjob to check for the certificate which is due to expire in next 30 days and renew it automatically.
sudo crontab -e
Add this line at the end of the file
0 0,12 * * * certbot renew >/dev/null 2>&1
Hit CTRL+X followed by Y to save the changes.
This cronjob will attempt to check for renewing the certificate twice daily.
07. Verify SSL Certificate
Once the setup is done visit your domain in your web browser. You can now view your site loaded with HTTPs.
Conclusion
Now you have learned how to install SSL Certificate on your Ubuntu server with Nginx in Google Cloud.
Thanks for your time. If you face any problem or any feedback, please leave a comment below.
