How to issue an SSL certificate with Let’s Encrypt for NGiNX on Ubuntu 20.04



The Let’s Encrypt CA provides a few ways to generate and install SSL certificates on your website.
In this particular tutorial, we will see how to issue a TLS/SSL Certificate for your domain, using the Certbot tool for NGiNX on an Ubuntu 20.04 environment.

First of all, you’ll need a domain name (domain.com for example). Make sure that your domain is pointing towards your server (has an A or AAAA record with the server’s IP address) for both the root domain and the www subdomain (if needed).

Then, make sure you have nginx installed, that domain.com already has a server block configured in nginx’s sites-available directory, and that you have created a symlink to it in sites-enabled.


For example:

sudo ln -s /etc/nginx/sites-available/domain.com /etc/nginx/sites-enabled/

The contents of /etc/nginx/sites-available/domain.com should look like this:

server {
        listen 80;
        listen [::]:80;

        root /var/www/domain.com/html;
        index index.html index.htm index.nginx-debian.html;

        server_name domain.com www.domain.com;

        location / {
                try_files $uri $uri/ =404;
        }
}

Log in to your server as root and install certbot and the certbot nginx plugin as follows:

apt install certbot python3-certbot-nginx

It is very important that the certbot-nginx utility finds a “server_name” directive in your nginx domain configuration, as shown above; otherwise the process may fail. So, make sure you have that in your file.
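As an added example (not part of the original tutorial), the script below checks that requirement before you run certbot: it lists any domain you plan to pass with -d that no server_name directive in the file names. The function names and the sample server block are constructed for illustration, and the comparison is on exact names only.

```shell
#!/usr/bin/env bash
# Added example: list the -d domains that no server_name directive covers.
# Simple tokenizer: assumes no ';', '{', '}' or '#' inside quoted values,
# and compares exact names only (no wildcard or regex server names).

# Print every name from the file's server_name directives, one per line.
# Comments are stripped first; a directive may span several lines.
server_names() {
    sed 's/#.*//' "$1" | tr '\n' ' ' | tr ';{}' '\n\n\n' |
        awk '$1 == "server_name" { for (i = 2; i <= NF; i++) print $i }'
}

# Usage: missing_domains CONF DOMAIN...   Prints each DOMAIN not listed.
missing_domains() {
    names=$(server_names "$1"); shift
    for d in "$@"; do
        printf '%s\n' "$names" | grep -qxF -- "$d" || printf '%s\n' "$d"
    done
}

# Constructed sample server block (not taken from a real host).
write_sample() {
    cat > "$1" <<'EOF'
server {
        listen 80;
        listen [::]:80;
        # server_name old.domain.com;
        server_name domain.com
                    www.domain.com;
        location / {
                try_files $uri $uri/ =404;
        }
}
EOF
}

conf=$(mktemp)
write_sample "$conf"
missing=$(missing_domains "$conf" domain.com www.domain.com api.domain.com)
echo "not covered by server_name: ${missing:-none}"
rm -f "$conf"
```

On a real server, call missing_domains with /etc/nginx/sites-available/domain.com and the same names you intend to give certbot; empty output means every name is covered.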

If you are running a firewall, such as IPTables or UFW, make sure you allow HTTPS traffic.

For iptables:

iptables -A INPUT -p tcp --dport 443 -j ACCEPT

For ufw:

ufw allow 'Nginx Full'

Then, we can proceed to obtain the SSL Certificate.
To issue an SSL certificate with the Certbot Nginx plugin, we need to pass the --nginx option to certbot as follows:

certbot --nginx -d domain.com -d www.domain.com

This runs certbot with the nginx plugin for the domains specified with the -d option, which are the names the certificate will be issued for.

If you are running certbot for the first time, you will be asked to provide an email address and agree with the ToS. After that, certbot will start a session with the Let’s Encrypt servers, then run a challenge to make sure you actually control the domain you’re issuing a certificate for.

If the challenge succeeds, certbot will ask how you would like to configure your HTTPS settings:

Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel):

Select your desired option, then press ENTER. Certbot will then update the config and reload the nginx daemon with the new settings.

After that, you can access https://domain.com and enjoy a secure TLS/SSL session via a Let’s Encrypt certificate.