Securing Nginx with Let’s Encrypt involves obtaining an SSL/TLS certificate from Let’s Encrypt and configuring Nginx to use the certificate for secure HTTPS connections. Here’s a step-by-step guide:
1. Install Certbot:
Certbot is a tool for automatically obtaining and renewing Let’s Encrypt SSL/TLS certificates. The --nginx mode used below also needs Certbot's Nginx plugin, so install both packages:
sudo apt update
sudo apt install certbot python3-certbot-nginx
2. Obtain a Certificate:
Run Certbot to obtain a certificate for your domain. Replace <your_domain> with your actual domain:
sudo certbot --nginx -d <your_domain>
Follow the on-screen instructions to choose whether to redirect HTTP traffic to HTTPS and provide an email address for renewal notices.
3. Verify Automatic Renewal:
Let’s Encrypt certificates expire after 90 days. Certbot provides a cron job for automatic renewal. To test automatic renewal, run:
sudo certbot renew --dry-run
If this runs without errors, automatic renewal is set up correctly.
4. Nginx Configuration:
Certbot automatically updates your Nginx configuration to use the newly obtained certificates. You can find the configuration in /etc/nginx/sites-available/default or a similar location.
Ensure that your Nginx server block includes the SSL certificate paths:
server {
    listen 80;
    server_name <your_domain>;
    location / {
        return 301 https://$host$request_uri;
    }
    # Additional Configuration for HTTP to HTTPS Redirect
}

server {
    listen 443 ssl;
    server_name <your_domain>;
    ssl_certificate /etc/letsencrypt/live/<your_domain>/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/<your_domain>/privkey.pem;
    # Additional SSL Configuration
}
5. Test SSL Configuration:
Restart Nginx to apply the changes:
sudo systemctl restart nginx
Visit your website using https://<your_domain> in a web browser. Ensure that the connection is secure and the certificate is valid.
6. Configure HTTP to HTTPS Redirect (Optional):
If you didn’t enable automatic redirection during the Certbot setup, you can manually configure it. Edit your Nginx configuration:
server {
    listen 80;
    server_name <your_domain>;
    location / {
        return 301 https://$host$request_uri;
    }
    # Additional Configuration for HTTP to HTTPS Redirect
}
Restart Nginx:
sudo systemctl restart nginx
7. Adjust Firewall Settings (if applicable):
If you’re using a firewall, ensure that it allows traffic on ports 80 and 443.
8. Periodic Certificate Renewal:
Let’s Encrypt certificates expire after 90 days. Certbot’s automatic renewal cron job will handle this, but it’s a good idea to periodically check the status:
sudo certbot renew --dry-run
This command will simulate the renewal process.
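As an added example that is not part of the original guide, the following shell script reports which certificates under Certbot's live directory are inside its default 30-day renewal window, using openssl x509 -checkend; the make_sample_cert helper only builds a constructed self-signed certificate so the check can be tried offline, and the directory path is an assumption taken from Certbot's usual layout.

```shell
#!/bin/sh
# Let's Encrypt certificates live 90 days; Certbot renews them once fewer
# than RENEW_WINDOW_DAYS remain. This script flags any certificate that is
# already inside that window, so a stalled renewal job is noticed early.
RENEW_WINDOW_DAYS=30

# Print the notAfter date of the PEM certificate in $1.
cert_expiry() {
    openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//'
}

# Return 0 when the certificate in $1 expires within the renewal window
# (renewal is due), 1 when it is still valid beyond the window.
renewal_due() {
    window_seconds=$(( RENEW_WINDOW_DAYS * 86400 ))
    # -checkend exits 0 if the cert stays valid for the given seconds, 1 otherwise.
    if openssl x509 -in "$1" -noout -checkend "$window_seconds" >/dev/null; then
        return 1
    fi
    return 0
}

# Walk every <domain>/fullchain.pem under $1 (default: Certbot's live dir),
# print one status line per certificate and return the number needing renewal.
check_live_certs() {
    live_dir=${1:-/etc/letsencrypt/live}   # assumed default Certbot layout
    due_count=0
    for pem in "$live_dir"/*/fullchain.pem; do
        [ -e "$pem" ] || continue
        name=$(basename "$(dirname "$pem")")
        if renewal_due "$pem"; then
            echo "RENEW  $name  expires $(cert_expiry "$pem")"
            due_count=$((due_count + 1))
        else
            echo "ok     $name  expires $(cert_expiry "$pem")"
        fi
    done
    return "$due_count"
}

# Constructed sample input: a self-signed cert valid for $1 days written to $2
# (key discarded). Only for trying the check without a real Let's Encrypt cert.
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -keyout /dev/null -out "$2" \
        -days "$1" -subj "/CN=example.test" >/dev/null 2>&1
}
```

Run check_live_certs with no argument on the server; its exit status is the count of certificates that Certbot should already have renewed.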
By following these steps, you can secure your Nginx web server with a Let’s Encrypt SSL/TLS certificate. Adjust the configurations based on your specific Nginx setup and domain settings.