In this tutorial, we will show you how to install Let’s Encrypt SSL with Nginx on Ubuntu 16.04 LTS. For those of you who didn’t know, LetsEncrypt is a free open certificate authority (CA) that provides free certificates for websites and other services. The service, is backed by the Electronic Frontier Foundation, Mozilla, Cisco Systems, and Akamai. Unfortunately, LetsEncrypt.org certificates currently have a 3 month lifetime. This means you’ll need to renew your certificate quarterly for now.
This article assumes you have at least basic knowledge of Linux, know how to use the shell, and most importantly, you host your site on your own VPS. The installation is quite simple and assumes you are running in the root account, if not you may need to add ‘sudo
‘ to the commands to get root privileges. I will show you the step-by-step installation Let’s Encrypt SSL with Nginx on a Ubuntu 16.04 LTS (Xenial Xerus) server.
Prerequisites
- A server running one of the following operating systems: Ubuntu 16.04 LTS (Xenial Xerus).
- It’s recommended that you use a fresh OS install to prevent any potential issues.
- SSH access to the server (or just open Terminal if you’re on a desktop).
- A
non-root sudo user
or access to theroot user
. We recommend acting as anon-root sudo user
, however, as you can harm your system if you’re not careful when acting as the root.
Install Let’s Encrypt SSL With Nginx on Ubuntu 16.04 LTS
Step 1. First, make sure that all your system packages are up-to-date by running the following apt-get
commands in the terminal.
sudo apt-get update sudo apt-get upgrade
Step 2. Installing Let’s Encrypt SSL on Ubuntu 16.04.
The first step is to install certbot, the software client which will automate almost everything in the process:
add-apt-repository ppa:certbot/certbot apt-get update apt-get install certbot
You will also need to have Nginx installed and running. Of course, if you are adding certificates onto a previously configured web host this would already be installed:
apt-get install nginx systemctl start nginx
The first step to installing let’s encrypt SSL on Ubuntu Linux is to add a simple configuration inside your Nginx server block configuration. Add this line to your server block configuration:
location ~ /.well-known { allow all; }
Save and exit to apply changes:
### nginx -t nginx: the configuration file /etc/nginx/nginx.conf syntax is ok nginx: configuration file /etc/nginx/nginx.conf test is successful
Restart Nginx:
systemctl restart nginx
Obtaining a certificate with Certbot:
Run the command as you see below, replace “idroot.us” with your real domain name and /var/www/idroot.us with your real webroot path:
certbot certonly -a webroot --webroot-path=/var/www/idroot.us -d idroot.us -d www.idroot.us
Result:
[root@idroot.us:~]certbot certonly -a webroot --webroot-path=/var/www/idroot.us -d idroot.us -d www.idroot.us Saving debug log to /var/log/letsencrypt/letsencrypt.log Obtaining a new certificate Performing the following challenges: http-01 challenge for idroot.us Using the webroot path /var/www/html for all unmatched domains. Waiting for verification... Cleaning up challenges Generating key (2048 bits): /etc/letsencrypt/keys/0001_key-certbot.pem Creating CSR: /etc/letsencrypt/csr/0001_csr-certbot.pem IMPORTANT NOTES: - Congratulations! Your certificate and chain have been saved at /etc/letsencrypt/live/idroot.us/fullchain.pem. Your cert will expire on 2017-07-16. To obtain a new or tweaked version of this certificate in the future, simply run certbot again. To non-interactively renew *all* of your certificates, run "certbot renew" - If you like Certbot, please consider supporting our work by: Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate Donating to EFF: https://eff.org/donate-le [root@idroot.us:~]
Step 3. Configure SSL/TLS on the NGINX web server.
First, edit the server block file you specified during configuration through Certbot and add these three directives:
listen 443 ssl http2; ssl_certificate /etc/letsencrypt/live/idroot.us/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/idroot.us/privkey.pem;
The full Nginx server block configuration may look like this:
server { listen 80; server_name idroot.us www.idroot.us; rewrite ^(.*) https://idroot.us$1 permanent; } server { access_log off; log_not_found off; error_log logs/idroot.us-error_log warn; server_name idroot.us; root /var/www/idroot.us; index index.php index.html index.htm; listen 443 ssl http2; ssl_certificate /etc/letsencrypt/live/idroot.us/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/idroot.us/privkey.pem; ## Stuff required by certbot location ~ /.well-known { allow all; } ## SSL ssl_session_cache shared:SSL:20m; ssl_session_timeout 10m; ssl_prefer_server_ciphers On; ssl_protocols TLSv1 TLSv1.1 TLSv1.2; ssl_ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS; ssl_stapling on; ssl_stapling_verify on; resolver 8.8.8.8 8.8.4.4 valid=300s; resolver_timeout 10s; access_log /var/www/idroot.us/logs/access.log; error_log /var/www/idroot.us/logs/error.log; # php-script handler location ~ \.php$ { fastcgi_index index.php; fastcgi_pass 127.0.0.1:9000; fastcgi_read_timeout 150; root /var/www/idroid.us/public_html; fastcgi_param SCRIPT_FILENAME /var/www/idroot.us$fastcgi_script_name; include /etc/nginx/fastcgi_params; } location ~ /\.ht { deny all; } }
Save and close the file when you are finished.
Step 5. Set Up Let’s Encrypt SSL Auto-Renewal.
We will add a cronjob to run the renewal command every week, run this command:
export VISUAL=nano; crontab -e
Paste the following lines:
01 1 * * 0 /usr/bin/certbot renew >> /var/log/ssl-renew.log 06 1 * * 0 /usr/bin/systemctl nginx reload
Save and Exit from the crontab table.
This will create a new cron job that will be executed every Sunday at 01 AM, and then it will reload the Nginx webserver to apply the changes. The output will be logged into /var/log/ssl-renew.log
file for further analysis if needed.
Congratulations! You have successfully installed Let’s Encrypt. Thanks for using this tutorial for installing Let’s Encrypt SSL on Ubuntu 16.04 LTS system. For additional help or useful information, we recommend you check the official Let’s Encrypt website.