Complete guide to configure SSL on Nginx with Let’s Encrypt (Ubuntu/Centos/RHEL)

Securing your websites with an SSL certificate is now a must for all website admins, else the web browsers will mark the website as unsafe to visit, causing the loss of website traffic. But SSL certificate is not cheap, but there is a way around to get an SSL certificate for free with only downside that we need to renew SSL cert every 90 days but that process can also be automated.

In this tutorial, we will discuss how we can configure a SSL certificate on Nginx with Let’s encrypt. We have already discussed in our previous tutorial about how we can configure SSL cert with Let’s certificate on Apache Web Server, so if you are using Apache you can check that tutorial. Now let’s start with the process to configure SSL on Nginx with Let’s Encrypt.

Recommended Read : Simple way to configure Nginx Reverse Proxy

Here we will discuss the method for Ubuntu & CentOS/RHEL using a let’s encrypt tool called certbot. So let’s start with Pre-requisites,

Also Read : Analyzing APACHE logs in CLI (& GUI) using GoAccess


Pre-Requisites

We will need a registered Domain address,
We will need a CentOS/RHEL or Ubuntu server with Ngnix installed. Installation steps are mentioned below,

Ubuntu

Nginx is available with default Ubuntu Repositories. So simple install it using the following command,

$ sudo apt-get update && sudo apt-get install nginx

CentOS/RHEL

We need to add some repos for installing nginx on CentOS & we have created a detailed ARTICLE HERE for nginx installation on CentOS/RHEL.

Now start the services & enable it for boot,

# systemctl start nginx

# systemctl enable nginx

Once its installed, we can move to next part i.e. installing let’s encrypt & issuing of SSL certificate for website.


Let’s Encrypt on Ubuntu

Firstly we need to install Certbot on Ubuntu system, but its not available with default Ubuntu repositories. Install the Ubuntu repos with the following command,

$ sudo apt-get install software-properties-common
$ sudo add-apt-repository universe
$ sudo add-apt-repository ppa:certbot/certbot
$ sudo apt-get update

Now to install the Certbot , execute the following command from terminal,

$ sudo apt-get install python-certbot-nginx

Now, we will issue a new SSL certificate using certbot command. Use the following command as reference ,

$ sudo certbot –nginx -d linuxtechlab.com -d www.linuxtechlab.com

Here linuxtechlab.com is the name of the website for which the certificate will be issues, replace this with the name of your website. If this is the first time you are using Certbot, you will be asked to enter an Email address & also to agree to User Agreement,

nginx with let's encrypt

Now certbot will then check with let’s encrypt server to verify that you are the web admin of the domain that you are trying to get an SSL for (usually you need to place two files with random text provided by let’s encrypt at location http://domain-name/.well-known/acme-challenge. more details on that HERE).

Once site ownership has been confirmed, we will be asked to configure redirect settings for Nginx, you can choose 1 (No-Redirect) or 2 (Redirect). If you choose 1, than you will have to configure redirect yourselves in Nginx configuration afterwards, with option 2 , the configuration will be updated & Nginx will be reloaded to implement the new changes made.

ngnix with let's encrypt

Our cert is now installed & new configurations also have been loaded. As mentioned above, we need to renew the cert every 90 days, for that we can create a new cronjob, mentioned at the end of this tutorial.

Now let’s discuss the SSL issue procedure for CentOS & RHEL,


Let’s Encrypt on CentOS/RHEL

To install Certbot on CentOS, we will need to first install EPEL repositories first on our system. Install EPEL using following command on your system,

RHEL/CentOS 7

# rpm -Uvh https://dl.fedoraproject.org/pub/epel/7/x86_64/Packages/e/epel-release-7-11.noarch.rpm

RHEL/CentOS 6 (64 Bit)

# rpm -Uvh http://download.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm

RHEL/CentOS 6 (32 Bit)

# rpm -Uvh http://dl.fedoraproject.org/pub/epel/6/i386/epel-release-6-8.noarch.rpm

Now we to install certbot use the following command,

# yum install certbot-nginx

Once the certbot has been installed, we can then issue the SSL certificate with the same command as mentioned above,

# certbot –nginx -d linuxtechlab.com -d www.linuxtechlab.com

Now the process will same as has been mentioned above for Ubuntu. Now after the cert has been installed, we need to make sure that the certificate is renewed before 90 days.


Automatic Certificate Renewal

Following cron job will take care of the automatic certificate renewal,

# crontab -e

05 01 30 * * /usr/bin/certbot renew –quiet

this job will renew certificate every 30 days at 1:05 AM. We can also run the following command to dry-run or test the renewal of certificate,

# certbot renew –dry-run

This completes our tutorial on how to configure SSL on Nginx with Let’s encrypt. Please feel free to send any questions or queries you have regarding this tutorial.

If you think we have helped you or just want to support us, please consider these :-

Connect to us: Facebook | Twitter | Google Plus

Donate us some of your hard earned money:

Linux TechLab is thankful for your continued support.

Shusain

Passionate about Linux & open source. Loves to learn, read & write about Linux as well as new technologies.

You may also like...

2 Responses

  1. Adrian says:

    Are you sure that you want to try and renew the certificate every day!?

    Surely once a month is more than enough

Leave a Reply

Your email address will not be published. Required fields are marked *