
Install Let's Encrypt Free SSL/TLS Certificates with NGINX

31 Mar 2022 . category: Server . Comments
#SSL #Server


This blog post explains how to install a free Let's Encrypt SSL/TLS certificate with NGINX using the Certbot client. The tutorial was tested on Ubuntu Server 21.04.

What is an SSL Certificate?

SSL stands for Secure Sockets Layer. An SSL certificate is a digital certificate that validates the identity of a server and makes it possible to encrypt internet traffic. With an SSL certificate, a secure connection can be established between server and client and data can be transferred securely. Any website that uses HTTPS uses an SSL certificate.

What information does an SSL certificate contain?

SSL certificates include:

  1. The name of the domain that the certificate was issued for
  2. The name of the person, organization or device it was issued to
  3. The name of the certificate authority that issued the certificate
  4. The digital signature of the certificate authority
  5. Any associated subdomains
  6. The date the certificate was issued
  7. The expiry date of the certificate
  8. The public key of the SSL certificate

Why does a website need an SSL certificate?

  1. Encryption: the data exchanged between client and server is encrypted.
  2. Authentication: SSL certificates verify that a client is talking to the correct server, the one that actually owns the domain.
  3. HTTPS: an SSL certificate is required for an HTTPS web address.

How does Let's Encrypt work?

Let's Encrypt validates ownership of the domain before issuing a certificate. The Certbot client runs on your server and creates a token file containing the required information; Let's Encrypt then uses this token to validate that the domain's DNS record points to your server.

Prerequisites

  1. NGINX or NGINX Plus installed on the server
  2. A registered domain
  3. A DNS record that maps your domain name to your server's public IP address

Install Let's Encrypt Client

Use the following commands to install the Let's Encrypt client (Certbot).

For Ubuntu versions up to and including 18.05:

    sudo apt-get update
    sudo apt-get install certbot
    sudo apt-get install python-certbot-nginx

For Ubuntu versions later than 18.05, use the Python 3 version of the Certbot NGINX plugin:

    sudo apt-get update
    sudo apt-get install certbot
    sudo apt-get install python3-certbot-nginx

Configure Nginx for domain

Certbot searches the NGINX configuration for the matching server block and modifies it automatically for SSL/TLS. To find the block, it looks for the server_name directive that names the domain the certificate is requested for.

In this tutorial, we will use the domain examplesite.com as an example.

Create a configuration file named examplesite.conf inside the /etc/nginx/sites-available/ folder:

    sudo nano /etc/nginx/sites-available/examplesite.conf

Update NGINX configuration

Add the following configuration and update the server_name for your own domain. Let's Encrypt does not issue certificates for a bare IP address, so use the domain name instead.

    server {
        listen 80 default_server;
        listen [::]:80 default_server;
        server_name examplesite.com www.examplesite.com;

        # Use an absolute log path; the default Ubuntu nginx.conf defines no
        # log format named "main", so referencing one would fail `nginx -t`.
        access_log /var/log/nginx/examplesite.access.log;

        root /var/www/htdocs/examplesite;
    }

This is what a basic NGINX server block looks like. The NGINX configuration may differ depending on the type of application and the programming language it is written in.

Create the symbolic link of NGINX configuration

Run the following command to create the symbolic link

    sudo ln -s /etc/nginx/sites-available/examplesite.conf /etc/nginx/sites-enabled/

Reload NGINX

Save the NGINX configuration, then test it and reload the NGINX server:

    sudo nginx -t && sudo nginx -s reload

Obtain the SSL/TLS Certificate

Run the following command to obtain the certificates:

    sudo certbot --nginx -d examplesite.com -d www.examplesite.com

Respond to the prompts from Certbot to configure your HTTPS settings. It will ask for an email address and for agreement to the Let's Encrypt terms of service.

When the certificate has been generated successfully, NGINX reloads with the new settings. Certbot prints a success message with the location of the certificate on the server:

    Congratulations! You have successfully enabled https://examplesite.com and https://www.examplesite.com 
    
    -------------------------------------------------------------------------------------
    IMPORTANT NOTES:
    
    Congratulations! Your certificate and chain have been saved at:
    /etc/letsencrypt/live/examplesite.com/fullchain.pem
    Your key file has been saved at:
    /etc/letsencrypt/live/examplesite.com/privkey.pem
    Your cert will expire on 2022-12-10.

Note: Let's Encrypt certificates expire after 90 days (in this case on 2022-12-10), so the certificate needs to be renewed automatically, which can be done with a cron job.

Certbot modifies the configuration in examplesite.conf so that it looks similar to the following:

    server {
        listen 80 default_server;
        listen [::]:80 default_server;
        root /var/www/html;
        server_name  examplesite.com www.examplesite.com;
    
        listen 443 ssl; # managed by Certbot
    
        # RSA certificate
        ssl_certificate /etc/letsencrypt/live/examplesite.com/fullchain.pem; # managed by Certbot
        ssl_certificate_key /etc/letsencrypt/live/examplesite.com/privkey.pem; # managed by Certbot
    
        include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    
        # Redirect non-https traffic to https
        if ($scheme != "https") {
            return 301 https://$host$request_uri;
        } # managed by Certbot
    }

Auto renew Let's Encrypt SSL/TLS Certificates

The SSL certificate is valid for only 90 days, so we can create a cron job to renew it automatically.

Open a terminal and edit the crontab:

    crontab -e

Add the following line:

    0 12 * * * /usr/bin/certbot renew --quiet

This command runs every day at 12:00. It checks whether the certificate is still valid for the next 30 days and renews it if not. The --quiet flag tells Certbot not to produce any output unless something goes wrong.

Save and close the file.

From then on, the installed certificates are renewed and reloaded automatically.
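Because the cron job above runs with --quiet, a renewal that keeps failing is invisible until the certificate actually expires. The script below is an added example for this post (not part of Certbot, NGINX or the original article) that inspects a certificate file and reports the fields from the "what information does an SSL certificate contain" list above, then applies the same 30-day rule that `certbot renew` uses. It assumes only that the openssl command-line tool is installed; the script name check_cert.sh is hypothetical, and the /etc/letsencrypt/live/<domain>/fullchain.pem path layout is the one shown earlier in this post.

```shell
#!/bin/sh
# check_cert.sh (hypothetical name): inspect an X.509 certificate file and report
# whether Certbot's 30-day renewal rule says renewal is due. Added example for this
# post, not part of Certbot or NGINX. Assumes only that the openssl CLI is installed.
# The /etc/letsencrypt/live/<domain>/fullchain.pem layout is the one shown in the post.
set -u

# List the DNS names the certificate covers (the "associated subdomains" of the
# post's list), one per line, parsed from the Subject Alternative Name extension.
cert_sans() {
    openssl x509 -in "$1" -noout -text \
        | grep -A1 'Subject Alternative Name' | tail -n 1 \
        | tr ',' '\n' \
        | sed -n 's/^[[:space:]]*DNS:\([^[:space:]]*\).*/\1/p'
}

# Whole days until notAfter, found by bisection over `openssl x509 -checkend`
# (exit 0 = will NOT expire within N seconds), so no GNU date parsing is needed.
# Prints 0 for an expired or unreadable certificate; caps at 3660 days.
days_left() {
    openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1 || { echo 0; return 0; }
    lo=0
    hi=3660
    while [ $((hi - lo)) -gt 1 ]; do
        mid=$(( (lo + hi) / 2 ))
        if openssl x509 -in "$1" -noout -checkend $((mid * 86400)) >/dev/null 2>&1; then
            lo=$mid     # still valid mid days from now
        else
            hi=$mid     # expires before then
        fi
    done
    echo "$lo"
}

# Exit 0 when the certificate expires within THRESHOLD days (default 30, the same
# rule `certbot renew` applies), 1 when it does not, 2 when the file is unreadable.
renewal_due() {
    cert="$1"
    threshold="${2:-30}"
    openssl x509 -in "$cert" -noout >/dev/null 2>&1 || { echo "cannot read $cert" >&2; return 2; }
    if openssl x509 -in "$cert" -noout -checkend $((threshold * 86400)) >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# Print subject, issuer, serial, validity dates and SANs, then the renewal verdict.
# Returns 1 when renewal is due so a cron job can notice a silent renewal failure.
check_cert() {
    cert="$1"
    threshold="${2:-30}"
    echo "== $cert"
    openssl x509 -in "$cert" -noout -subject -issuer -serial -dates || return 2
    echo "SANs: $(cert_sans "$cert" | tr '\n' ' ')"
    left=$(days_left "$cert")
    if renewal_due "$cert" "$threshold"; then
        echo "RENEWAL DUE: $left day(s) left, threshold $threshold"
        return 1
    fi
    echo "OK: $left day(s) left"
    return 0
}

# Usage: check_cert.sh <cert.pem> [days]   or   check_cert.sh --all [days]
if [ "${1:-}" = "--all" ]; then
    status=0
    for c in /etc/letsencrypt/live/*/fullchain.pem; do
        [ -f "$c" ] || { echo "no certificates under /etc/letsencrypt/live" >&2; exit 2; }
        check_cert "$c" "${2:-30}" || status=1
    done
    exit "$status"
elif [ $# -gt 0 ]; then
    check_cert "$1" "${2:-30}"
fi
```

A practical way to use it is to chain it after the renewal in the crontab, for example `0 12 * * * /usr/bin/certbot renew --quiet --deploy-hook "systemctl reload nginx" && /usr/local/bin/check_cert.sh --all 30`; cron mails any non-empty output, so a certificate that is still due after the renewal ran produces a visible alert. Certbot's --deploy-hook runs only when a certificate was actually renewed. On Ubuntu the certbot package also installs a systemd timer that runs `certbot renew` on its own, so check `systemctl list-timers` before adding a second schedule.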


Tapan B.K. | Full Stack Software Engineer

Tapan B.K. is a Full Stack Software Engineer. In his spare time, Tapan likes to watch movies and visit new places.