Free HTTPS within 5 minutes
secure Nginx with Let’s Encrypt on ubuntu 16.04
Does my site need HTTPS?
YOUR SITE NEEDS HTTPS.
“But my site doesn’t have forms or collect information from users.”
Doesn’t matter. HTTPS protects more than just form data! HTTPS keeps the URLs, headers, and contents of all transferred pages confidential.
“There’s nothing sensitive on my site anyway.”
Your site is a liability! Just because your site is hosted safely in your account doesn’t mean it won’t travel through cables and boxes controlled by who knows how many corporate- and state-owned entities. Do you really want someone injecting scripts, images, or ad content onto your page so that it looks like you put them there? Or changing the words on your page? Or using your site to attack other sites? This stuff happens: on airlines (a lot, and again), in China, even ISPs do it (a lot). And HTTPS prevents all of it. It guarantees content integrity and the ability to detect tampering. If we encrypt only secret content, then we automatically paint a target on those transmissions. Keep which of your transmissions contain secrets secret by encrypting everything.
“I can’t afford a certificate.”
“HTTPS is difficult to set up and maintain.”
It just works if you follow this guide.
— HOW TO GET ON HTTPS —
Let’s Encrypt is a free, automated, and open Certificate Authority.
To enable HTTPS on your website, you need to get a certificate (a type of file) from a Certificate Authority (CA). Let’s Encrypt is a CA. In order to get a certificate for your website’s domain from Let’s Encrypt, you have to demonstrate control over the domain.
This guide assumes that you have the following:
- An Ubuntu 16.04 server, configured with a non-root user with
sudoprivileges, as described in the initial server setup guide for Ubuntu 16.04.
- A domain name pointed at your server’s public IP as per How to map domain/Host name with public/Elastic/Floating IP.This tutorial will use example.com throughout.
- Nginx installed, covered in How to install Nginx on production server.
Step 1 — Nginx Configurations
When you have your server’s IP address or domain, enter it into your browser’s address bar:
You should see the default Nginx landing page, which should look something like this:
This page is simply included with Nginx to show you that the server is running correctly.
Note: At this stage you have working Nginx on your ubuntu server whose nameservers and DNS was correctly mapped for domain mapping. In short, you can see Nginx default page while opening your website in web-browser.
Let’s start the difficult process in a very simple way:
by the way credit goes to certbot library
Step 2— Installing Certbot
First, add the repository.
sudo add-apt-repository ppa:certbot/certbot
You’ll need to press
ENTER to accept. Then, update the package list to pick up the new repository's package information.
sudo apt-get update
And finally, install Certbot’s Nginx package with
sudo apt-get install python-certbot-nginx
Certbot is now ready to use, but in order for it to configure SSL for Nginx, we need to verify some of Nginx’s configuration.
Step 3— Setting up Nginx
once again certbot makes our work easier.
It automatically work with nginx , but it needs to be able to find the correct
server block in your config. It does this by looking for a
server_name directive that matches the domain you're requesting a certificate for.
open config file with Text-Editor , I preferred nano.
sudo nano /etc/nginx/sites-available/default
Find the existing
server_name line and replace the underscore,
_, with your domain name:
. . .
server_name example.com www.example.com;
. . .
Save the file and quit your editor.
Then, verify the syntax of your configuration edits.
sudo nginx -t
If you get any errors, reopen the file and check for typos, then test it again.
Once your configuration’s syntax is correct, reload Nginx to load the new configuration.
sudo systemctl reload nginx
Certbot will now be able to find the correct
server block and update it. Next, we'll update our firewall to allow HTTPS traffic.
Step 4— Allowing HTTPS-443 Through the Firewall
we have already covered this while installing Nginx from the prerequisite section. Just make sure you allowed “Nginx Full” from UFW.
$ sudo ufw status
To Action From
-- ------ ----
OpenSSH ALLOW Anywhere
Nginx HTTP ALLOW Anywhere
OpenSSH (v6) ALLOW Anywhere (v6)
Nginx HTTP (v6) ALLOW Anywhere (v6)
we’re now ready to fetch the certificates.
Step 5— Obtaining an SSL Certificate
sudo certbot — nginx -d example.com -d www.example.com
Note: Replace your domain name with example.com
If that’s successful,
certbot will ask how you'd like to configure your HTTPS settings.
OutputPlease choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
Select the appropriate number [1-2] then [enter] (press 'c' to cancel):
Select your choice then hit
ENTER. The configuration will be updated, and Nginx will reload to pick up the new settings.
certbot will wrap up with a message telling you the process was successful and where your certificates are stored:
- Congratulations! Your certificate and chain have been saved at
/etc/letsencrypt/live/example.com/fullchain.pem. Your cert will
expire on 2017-10-23. To obtain a new or tweaked version of this
certificate in the future, simply run certbot again with the
"certonly" option. To non-interactively renew *all* of your
certificates, run "certbot renew"
- Your account credentials have been saved in your Certbot
configuration directory at /etc/letsencrypt. You should make a
secure backup of this folder now. This configuration directory will
also contain certificates and private keys obtained by Certbot so
making regular backups of this folder is ideal.
- If you like Certbot, please consider supporting our work by: Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
Your certificates are downloaded, installed, and loaded. Try reloading your website using
https:// and notice your browser's security indicator. It should indicate that the site is properly secured, usually with a green lock icon. If you test your server using the SSL Labs Server Test, it will get an A grade.