Sunday, September 25, 2022

Secure Nginx with Let’s Encrypt on Ubuntu 22.04

In this article from the Linux Tutorials, we intend to teach you how to secure Nginx with Let’s Encrypt on Ubuntu 22.04.

Let’s Encrypt is a free, open, and automated certificate authority (CA) provided as a service by the Internet Security Research Group (ISRG).

Let’s Encrypt is designed to simplify the acquisition of SSL/TLS digital certificates proving a site’s authenticity, while also providing encryption. Its automated processes will also help reduce page errors due to out-of-date certificates.

How To Secure Nginx with Let’s Encrypt on Ubuntu 22.04

To secure Nginx with Let’s Encrypt, you need to log in to your server as a non-root user with sudo privileges and set up a basic firewall. To do this, you can follow our guide Initial Server Setup with Ubuntu 22.04.

Also, you need to have the Nginx web server installed on your Ubuntu 22.04 server. To do this, you can check our guide How To Install Nginx on Ubuntu 22.04.

And you need to have a fully registered domain name that points to your server IP address.

Install Certbot on Ubuntu 22.04

The recommended way to install Certbot is from its snap package.

Ubuntu 22.04 comes with support for snaps out of the box, so you can start by making sure your snapd core is up to date with the command below:

sudo snap install core; sudo snap refresh core

Note: If you have an older version of certbot installed on your server, you need to remove it first with the following command:

sudo apt remove certbot

Then, install the certbot package:

sudo snap install --classic certbot

Next, link the certbot command from the snap install directory into your PATH, so you’ll be able to run it by just typing certbot:

sudo ln -s /snap/bin/certbot /usr/bin/certbot

At this point, you should check the Nginx server block for your site on Ubuntu 22.04 and make sure its server_name directive matches your domain name. Open the file with your favorite text editor; here we use vi:

sudo vi /etc/nginx/sites-available/example.com

Find the server_name line; it should look like this:

...
server_name example.com www.example.com;
...

When you are done, save and close the file.

Verify your Nginx configuration edits on Ubuntu 22.04 with the following command:

sudo nginx -t

In your output you will see:

Output
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

Then, reload Nginx to apply the new changes:

sudo systemctl reload nginx

At this point, you should allow HTTPS through the firewall to secure your Nginx on Ubuntu 22.04. First, check your firewall status with the following command:

sudo ufw status

In your output you will see:

Output
Status: active
To                         Action      From
--                         ------      ----
Nginx HTTP                 ALLOW       Anywhere
OpenSSH                    ALLOW       Anywhere
Nginx HTTP (v6)            ALLOW       Anywhere (v6)
OpenSSH (v6)               ALLOW       Anywhere (v6)

Allow the Nginx Full profile (which covers both HTTP and HTTPS) through the firewall and then delete the now-redundant Nginx HTTP rule with the following commands on Ubuntu 22.04:

sudo ufw allow 'Nginx Full'
sudo ufw delete allow 'Nginx HTTP'

Now you can run certbot to obtain your SSL certificate.

Get an SSL certificate with Let’s Encrypt on Ubuntu 22.04

Certbot provides different ways to get SSL certificates through plugins. The Nginx plugin will take care of reconfiguring Nginx and reloading the config whenever necessary on Ubuntu 22.04. To use this plugin, run the following command:

sudo certbot --nginx -d example.com

The command above requests a certificate for a single domain. If you have multiple domains (for example the bare domain and its www subdomain), pass a -d flag for each one:

sudo certbot --nginx -d example.com -d www.example.com

You will be asked some questions. First you enter your email address and agree to the terms of service. Then you will be asked whether you are willing to share your email address with the Electronic Frontier Foundation; answer as you prefer. Finally, certbot will ask how you’d like to configure your HTTPS settings (whether to redirect HTTP traffic to HTTPS). Select your choice and hit Enter.

In your output you will see:

Output
IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/example.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/example.com/privkey.pem
   Your cert will expire on 2022-03-08. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot again
   with the "certonly" option. To non-interactively renew *all* of
   your certificates, run "certbot renew"
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.
 - If you like Certbot, please consider supporting our work by:
   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

At this point your certificate has been downloaded, installed, and loaded into Nginx. Your Nginx is secured with Let’s Encrypt on Ubuntu 22.04. Now you can load your website over https:// and check your browser’s security indicator.

You can also use the SSL Labs Server Test to confirm that your site gets an A grade.
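As an added example (not part of the original tutorial), here is a small POSIX shell check that verifies the site config after certbot --nginx has rewritten it: a TLS listener, the Let’s Encrypt certificate paths for the domain, and the HTTP-to-HTTPS redirect. It assumes the domain example.com and runs against constructed sample configs rather than the real /etc/nginx/sites-available file.

```shell
#!/bin/sh
# Added example (not from the original tutorial): check that "certbot --nginx"
# left the site config with a TLS listener, the Let's Encrypt cert paths and an
# HTTP-to-HTTPS redirect. The sample configs below are constructed; on a real
# host point it at /etc/nginx/sites-available/example.com instead.

# check_tls_config FILE DOMAIN -> 0 if every expected directive is present,
# otherwise prints each missing item and returns 1.
check_tls_config() {
    file=$1; rc=0
    live=$(printf '/etc/letsencrypt/live/%s' "$2" | sed 's/\./\\./g')  # literal dots for grep -E
    grep -Eq '^[[:space:]]*listen[[:space:]]+(\[::\]:)?443[[:space:]]+ssl' "$file" \
        || { echo "missing: listen 443 ssl"; rc=1; }
    grep -Eq "^[[:space:]]*ssl_certificate[[:space:]]+$live/fullchain\.pem;" "$file" \
        || { echo "missing: ssl_certificate .../fullchain.pem"; rc=1; }
    grep -Eq "^[[:space:]]*ssl_certificate_key[[:space:]]+$live/privkey\.pem;" "$file" \
        || { echo "missing: ssl_certificate_key .../privkey.pem"; rc=1; }
    grep -Eq '^[[:space:]]*return[[:space:]]+301[[:space:]]+https://' "$file" \
        || { echo "missing: HTTP-to-HTTPS redirect"; rc=1; }
    return $rc
}

# Constructed sample: the shape the certbot Nginx plugin writes after success.
GOOD_CONF=$(mktemp); cat > "$GOOD_CONF" <<'EOF'
server {
    server_name example.com www.example.com;
    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
}
server {
    if ($host = example.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot
    listen 80;
    server_name example.com www.example.com;
    return 404; # managed by Certbot
}
EOF
# Constructed sample: the pre-certbot site, still plain HTTP only.
BAD_CONF=$(mktemp); cat > "$BAD_CONF" <<'EOF'
server {
    listen 80;
    server_name example.com www.example.com;
}
EOF
check_tls_config "$GOOD_CONF" example.com && echo "TLS config looks complete"
```

Run it against the pre-certbot config and it lists the four missing pieces; pass a different domain and it reports the certificate paths as missing, which catches a config that was issued for the wrong name.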

Let’s Encrypt certificates are valid for 90 days, so you need a renewal process.

The certbot package takes care of this for us by adding a systemd timer that will run twice a day and automatically renew any certificate that’s within thirty days of expiration.

You can check the status of the renewal service, and see the timer that triggers it, with the following command:

sudo systemctl status snap.certbot.renew.service

Output
○ snap.certbot.renew.service - Service for snap application certbot.renew
     Loaded: loaded (/etc/systemd/system/snap.certbot.renew.service; static)
     Active: inactive (dead)
TriggeredBy: ● snap.certbot.renew.timer

Now you can test the renewal process with certbot:

sudo certbot renew --dry-run

If you don’t see any errors, everything is working.

Conclusion

At this point, you have learned how to secure your Nginx with Let’s Encrypt on Ubuntu 22.04.
Hope you enjoy it.