In today’s digital landscape, securing your website with HTTPS is no longer optional; it’s a fundamental requirement for user trust, data privacy, and even search engine optimization. An SSL/TLS certificate encrypts the communication between your server and your users’ browsers, protecting sensitive information from eavesdropping. This comprehensive guide will walk you through the process of securing your Nginx web server on an Ubuntu 24.04 system using a free SSL certificate from Let’s Encrypt, an open certificate authority provided by the Internet Security Research Group (ISRG).
By the end of this tutorial, you will have successfully deployed an HTTPS-enabled website, ensuring that traffic to your domain is encrypted and your users can browse with confidence. We’ll leverage Certbot, the official Let’s Encrypt client, to automate the certificate issuance and renewal process, making server security straightforward even for beginners.
Prerequisites
Before you begin, ensure you have the following:
- An Ubuntu 24.04 server with root or sudo privileges.
- Nginx installed and configured to serve at least one domain.
- A registered domain name (e.g., your_domain.com) with an ‘A’ record pointing to your server’s public IP address.
- The UFW firewall configured to allow HTTP (port 80) and HTTPS (port 443) traffic. If you haven’t configured UFW, you’ll need to do so.
Step 1: Update Your System and Install Nginx (if needed)
Before installing new software, it’s always a good practice to update your system’s package list and upgrade existing packages to their latest versions. This ensures you have the most recent security patches and software fixes.
Update Package Lists and Upgrade Software
sudo apt update
sudo apt upgrade -y
Install Nginx Web Server
If Nginx is not already installed on your server, you can install it using the following command:
sudo apt install nginx -y
Once installed, Nginx should start automatically. You can verify its status:
sudo systemctl status nginx
The output should show active (running). If not, start it with sudo systemctl start nginx.
Configure UFW Firewall
If you have UFW enabled, you need to allow Nginx traffic. Nginx registers different UFW profiles:
- Nginx HTTP: Allows only port 80 (unencrypted web traffic).
- Nginx HTTPS: Allows only port 443 (encrypted TLS/SSL traffic).
- Nginx Full: Allows both port 80 and port 443.
For Let’s Encrypt, we temporarily need port 80 open for certificate validation, and permanently need port 443 open for HTTPS traffic. The Nginx Full profile is ideal.
sudo ufw allow 'Nginx Full'
sudo ufw delete allow 'Nginx HTTP' # If you previously allowed only HTTP
sudo ufw enable # If UFW is not yet enabled, confirm with 'y'
Pro-tip: Always ensure your firewall rules are correctly configured. Blocking necessary ports is a common mistake that can prevent your website from being accessible or Certbot from validating your domain.
Step 2: Configure Nginx Server Block for Your Domain
Certbot needs an Nginx server block configured for your domain to correctly identify and modify it. This block should listen on port 80 and specify your domain name.
Create a New Nginx Configuration File
Create a new server block configuration file for your domain. Replace your_domain.com with your actual domain name.
sudo nano /etc/nginx/sites-available/your_domain.com.conf
Add the following basic configuration. Ensure the root directive points to your website’s document root.
server {
    listen 80;
    listen [::]:80;
    server_name your_domain.com www.your_domain.com;
    root /var/www/your_domain.com/html;
    index index.html index.htm index.nginx-debian.html;
    location / {
        try_files $uri $uri/ =404;
    }
}
Save and close the file (Ctrl+X, Y, Enter).
Create Document Root and Test Page
Create the document root directory specified in your Nginx configuration and add a simple HTML file for testing:
sudo mkdir -p /var/www/your_domain.com/html
sudo chown -R $USER:$USER /var/www/your_domain.com/html
echo "<h1>Hello from your_domain.com!</h1>" | sudo tee /var/www/your_domain.com/html/index.html
Enable the Server Block and Test Nginx Configuration
Create a symbolic link from sites-available to sites-enabled to activate your new server block:
sudo ln -s /etc/nginx/sites-available/your_domain.com.conf /etc/nginx/sites-enabled/
Test your Nginx configuration for syntax errors:
sudo nginx -t
You should see syntax is ok and test is successful. If there are errors, review your configuration file carefully.
Finally, reload Nginx to apply the changes:
sudo systemctl reload nginx
You should now be able to visit http://your_domain.com in your web browser and see your test page.
Warning: If your domain’s DNS records are not correctly pointing to your server’s IP address, Certbot will fail to validate your domain. Double-check your DNS ‘A’ records before proceeding.
Step 3: Install Certbot for Let’s Encrypt
Certbot is the tool that automates the process of obtaining and installing Let’s Encrypt SSL certificates. We’ll install it using Snap, which ensures you always get the latest version.
Install Snapd (if not already present)
sudo apt install snapd -y
Ensure Snapd Core is Up-to-Date
sudo snap install core; sudo snap refresh core
Install Certbot
Install Certbot using the snap command:
sudo snap install --classic certbot
Create a Symbolic Link for Certbot
To ensure the certbot command is available system-wide, create a symbolic link:
sudo ln -s /snap/bin/certbot /usr/bin/certbot
Pro-tip: Using Snap for Certbot is recommended as it handles dependencies and updates automatically, simplifying maintenance.
Step 4: Obtain and Install Your SSL Certificate
Now that Certbot is installed, you can use it to obtain and automatically configure Nginx for your SSL certificate.
Run Certbot with Nginx Plugin
Execute the following command, replacing your_domain.com with your actual domain:
sudo certbot --nginx -d your_domain.com -d www.your_domain.com
Certbot will interactively guide you through the process:
- Enter an email address: This is used for urgent renewal notices and security warnings.
- Agree to the terms of service: Read them and accept to proceed.
- Share email with EFF: You can choose whether to share your email with the Electronic Frontier Foundation (EFF), who supports Let’s Encrypt.
- Choose redirection: Certbot will ask if you want to redirect HTTP traffic to HTTPS. This is highly recommended (option 2) for improved security and SEO.
If successful, Certbot will output a message indicating that the certificate was successfully deployed and will mention your certificate’s expiry date.
Example: Certbot automatically modifies your Nginx configuration file, adding the necessary listen 443 ssl; directives, SSL certificate paths, and the HTTP to HTTPS redirect. It also reloads Nginx for you.
Warning: If Certbot encounters an issue, it will provide error messages. Common issues include incorrect DNS records, firewall blocking port 80, or Nginx configuration errors. Address these issues and retry.
Step 5: Verify SSL Certificate Installation
After Certbot completes its work, it’s crucial to verify that your website is indeed secured with HTTPS.
Check in Your Browser
Open your web browser and navigate to https://your_domain.com. You should see a padlock icon in the address bar, indicating a secure connection. If you chose to redirect HTTP to HTTPS, even navigating to http://your_domain.com should automatically redirect you to the HTTPS version.
Use an Online SSL Checker
For a more in-depth verification, use an online SSL checker like SSL Labs SSL Test. Enter your domain name, and it will analyze your server’s SSL configuration, providing a grade (A+ is ideal) and detailed information about your certificate and cipher suites.
Tip: If you don’t see the padlock or experience issues, try clearing your browser’s cache or using an incognito window to rule out client-side caching problems.
Step 6: Configure Automatic Renewal
Let’s Encrypt certificates are valid for 90 days. To ensure continuous security, Certbot automatically sets up a renewal process.
Certbot’s Automatic Renewal Mechanism
When you install Certbot via Snap, it automatically creates a systemd timer (snap.certbot.renew.service) that runs twice a day to check if any installed certificates are due for renewal. If a certificate is within 30 days of expiration, Certbot will attempt to renew it.
Test the Renewal Process
You can test the renewal process without actually renewing your certificates using the dry-run option:
sudo certbot renew --dry-run
If this command completes without errors, your automatic renewal setup is working correctly.
Check the Certbot Timer Status
You can check the status of the Certbot renewal timer with:
systemctl list-timers | grep certbot
This will show you when the renewal check is scheduled to run next.
Pro-tip: Regularly performing a --dry-run, especially after major system updates or Nginx configuration changes, is a good practice to proactively identify any issues that might prevent successful automatic renewals.
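As an added check that covers both Step 5 (is the site really served over HTTPS with a valid certificate, and does HTTP redirect?) and Step 6 (how far is the certificate from Certbot's 30-day renewal window?), here is a small script written for this guide; it is not part of the original tutorial, Certbot, or Nginx. It uses only Python's standard library: the TLS handshake verifies the chain against the system CA store, the SAN list is checked against the host, and the expiry is computed from the certificate's notAfter field. The hostname your_domain.com is the tutorial's placeholder, and the wildcard matching in covers_domain is a convenience added here beyond what a Let's Encrypt certificate from this guide contains.

```python
import socket
import ssl
import sys
import time
from http.client import HTTPConnection

RENEW_WITHIN_DAYS = 30  # Certbot's renewal window described in Step 6

def fetch_cert(host, port=443, timeout=10):
    """Open a verified TLS connection and return the leaf certificate as a getpeercert() dict."""
    ctx = ssl.create_default_context()  # system CA store, hostname verification enabled
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

def san_names(cert):
    """DNS names from the certificate's Subject Alternative Name extension."""
    return [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]

def covers_domain(cert, domain):
    """True if an exact SAN entry, or a single-label wildcard (*.parent), matches the domain."""
    domain = domain.lower()
    parent = domain.split(".", 1)[1] if "." in domain else ""
    return any(n.lower() == domain or (n.startswith("*.") and n[2:].lower() == parent)
               for n in san_names(cert))

def days_remaining(cert, now=None):
    """Whole days until notAfter; ssl.cert_time_to_seconds parses the 'Sep 10 12:00:00 2025 GMT' form."""
    now = time.time() if now is None else now
    return int((ssl.cert_time_to_seconds(cert["notAfter"]) - now) // 86400)

def renewal_due(cert, now=None, threshold=RENEW_WITHIN_DAYS):
    """True once the certificate is within Certbot's renewal window."""
    return days_remaining(cert, now) <= threshold

def redirects_to_https(host, timeout=10):
    """True if a plain-HTTP request for / answers with a redirect whose Location is https://."""
    conn = HTTPConnection(host, 80, timeout=timeout)
    conn.request("GET", "/", headers={"Host": host})
    resp = conn.getresponse()
    location = resp.getheader("Location", "") or ""
    conn.close()
    return resp.status in (301, 302, 307, 308) and location.startswith("https://")

if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "your_domain.com"
    cert = fetch_cert(host)  # raises ssl.SSLCertVerificationError if the chain or hostname is bad
    print(f"{host}: covered={covers_domain(cert, host)} days_left={days_remaining(cert)} "
          f"renewal_due={renewal_due(cert)} http_redirect={redirects_to_https(host)}")
```

Run it as python3 check_tls.py your_domain.com from any machine with a current CA bundle; a failed handshake, a SAN that does not cover the host, or a missing redirect each point back at the step above that configures it.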
You have successfully secured your Nginx web server with a Let’s Encrypt SSL certificate on Ubuntu 24.04! Your website is now serving content over HTTPS, providing a secure and trusted experience for your visitors. For further hardening, consider exploring additional Nginx security configurations, such as implementing HTTP Strict Transport Security (HSTS) or fine-tuning your cipher suites for optimal security and performance.
