NGINX is widely used open source software for purposes such as load balancing, reverse proxying, web serving and many more. To enable encrypted HTTPS connections on your web servers, you will need to install SSL certificates. In this post, you will see how to secure NGINX with an SSL certificate using Let’s Encrypt for free!
Let’s Encrypt is a global Certificate Authority (CA) that lets users obtain SSL/TLS certificates and also renew them.
This tutorial takes you from setting up NGINX in your Linux environment through to installing the SSL certificate.
1) Install NGINX
First, let’s install NGINX on your Linux machine.
sudo apt-get update
sudo apt-get install nginx
2) Start NGINX
sudo service nginx start
To test if NGINX is really running on your machine, simply open the browser and key in the IP address; you should see an NGINX page. Example: “http://localhost”.
3) Configure NGINX
Here is where you will create the basic configuration file for your webpage.
We will first go into the directory to create the file, assuming that your website has the URL ‘pillar.com’.
cd /etc/nginx/sites-available/
sudo nano pillar.com.conf
Here is an example of the file’s contents. The pillar webpage source files are placed inside “/var/www/pillar”.
server {
    listen 80;
    listen [::]:80;
    root /var/www/pillar;
    index index.php index.html index.htm;
    server_name pillar.com www.pillar.com;
}
After you save the file with the configuration above, link up your site and restart NGINX with the commands below, then check that you are able to see your site.
sudo ln -s /etc/nginx/sites-available/pillar.com.conf /etc/nginx/sites-enabled/
sudo service nginx restart
Now that everything is set, let’s move on to securing your NGINX with SSL.
4) Install Let’s Encrypt Certificates
To install, first run the command below. It installs the certbot tool, which will generate your certificate.
sudo apt-get install python-certbot-nginx
Let’s generate a certificate for “pillar.com” with the command below. You will be prompted to key in your email and agree to their terms and conditions.
sudo certbot --nginx -d pillar.com -d www.pillar.com
Once the cert has finished generating, a message similar to the one below will be displayed. It tells you where your certificate and chain are saved.
Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/pillar.com/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/pillar.com/privkey.pem
Your cert will expire on XXXX-XX-XX.
5) Confirm the NGINX config file was updated
At this point, certbot will also have updated your config file. Check the file; it should now contain the paths to the cert.
cat /etc/nginx/sites-available/pillar.com.conf
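A scripted version of this check, as an added example that is not part of the original post or of certbot. The function names `check_tls_conf` and `write_sample_conf` and the sample server block are constructed for illustration; the certificate paths are the ones from the certbot message above.

```shell
# check_tls_conf <nginx-conf-file> <domain>
# Returns 0 if the file has the TLS directives, 1 if any is missing,
# 2 if the file cannot be read.
check_tls_conf() {
    conf=$1
    [ -r "$conf" ] || { echo "cannot read $conf" >&2; return 2; }
    # Escape the dots in the domain so they match literally in the regex.
    live_re=$(printf '%s' "/etc/letsencrypt/live/$2" | sed 's/\./\\./g')
    # Drop comments so a commented-out directive does not count as present.
    body=$(sed 's/#.*$//' "$conf")
    status=0
    for check in \
        "listen 443 ssl|^[[:space:]]*listen[[:space:]]+(\[::\]:)?443[[:space:]]+ssl" \
        "ssl_certificate|^[[:space:]]*ssl_certificate[[:space:]]+${live_re}/fullchain\.pem[[:space:]]*;" \
        "ssl_certificate_key|^[[:space:]]*ssl_certificate_key[[:space:]]+${live_re}/privkey\.pem[[:space:]]*;"
    do
        label=${check%%|*}   # text before the first "|"
        regex=${check#*|}    # text after the first "|"
        if ! printf '%s\n' "$body" | grep -Eq "$regex"; then
            echo "MISSING: $label" >&2
            status=1
        fi
    done
    return $status
}

# Constructed sample: a server block of the kind certbot leaves behind.
write_sample_conf() {
    cat > "$1" <<'EOF'
server {
    root /var/www/pillar;
    index index.php index.html index.htm;
    server_name pillar.com www.pillar.com;
    listen [::]:443 ssl ipv6only=on; # managed by Certbot
    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/pillar.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/pillar.com/privkey.pem; # managed by Certbot
}
EOF
}

sample=$(mktemp)
write_sample_conf "$sample"
check_tls_conf "$sample" pillar.com && echo "TLS directives present"
rm -f "$sample"
```

On the real machine, point it at the live file: `check_tls_conf /etc/nginx/sites-available/pillar.com.conf pillar.com`.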
6) Add cert automatic renewal
Edit the root crontab file, since certbot needs root privileges to renew the cert.
sudo crontab -e
Add the following line to run the renewal process daily at 1am. It first checks whether the cert will expire within the next 30 days and proceeds with the renewal if so. “--quiet” tells it not to generate output.
0 1 * * * /usr/bin/certbot renew --quiet
Conclusion
In conclusion, we can secure NGINX with SSL for free with Let’s Encrypt by following a few easy steps.
Developers usually need to acquire SSL certificates from a 3rd party at a cost, but Let’s Encrypt now allows sites to generate their own certificates easily and without any cost.