How To Install Nginx with Let’s Encrypt SSL on Fedora 43

Securing your website with HTTPS is no longer optional—it’s essential. Search engines prioritize secure sites, and visitors expect to see that padlock icon in their browser’s address bar. Nginx stands as one of the most powerful, lightweight web servers available, and when combined with Let’s Encrypt’s free SSL certificates, you get enterprise-level security without the enterprise price tag. This comprehensive guide walks you through every step of installing Nginx on Fedora 43 and securing it with automated SSL certificates from Let’s Encrypt using Certbot.

Let’s Encrypt revolutionized web security by providing free, automated SSL/TLS certificates that anyone can use. Gone are the days of paying hundreds of dollars annually for SSL certificates or dealing with complicated manual renewal processes. With Certbot, the official Let’s Encrypt client, you can obtain and configure certificates in minutes, and the entire renewal process happens automatically in the background.

By the end of this tutorial, you’ll have a fully functional Nginx web server running on Fedora 43 with HTTPS enabled, automatic certificate renewal configured, and a solid foundation for hosting secure web applications.

Prerequisites

Before diving into the installation process, ensure you have the following requirements in place:

  • A server running Fedora 43 with root or sudo access
  • A registered domain name pointing to your server’s public IP address
  • Ports 80 (HTTP) and 443 (HTTPS) open and accessible from the internet
  • SSH access to your server
  • At least 1GB of RAM for optimal performance
  • Basic familiarity with Linux command-line operations

Domain name configuration is crucial. Let’s Encrypt verifies domain ownership before issuing certificates, so your DNS records must be properly configured and fully propagated before proceeding.

Update Your Fedora System

Starting with a fully updated system prevents compatibility issues and ensures you have the latest security patches. Open your terminal and run:

sudo dnf upgrade --refresh

This command refreshes the package repository metadata and upgrades all installed packages to their latest versions. The process typically takes a few minutes depending on your internet connection and the number of packages requiring updates. If a kernel update is included, you’ll need to reboot your server afterward.

Verify the update completed successfully by checking your Fedora version:

cat /etc/fedora-release

Install Nginx Web Server

Fedora’s default repositories include Nginx, making installation straightforward. Install Nginx using the DNF package manager:

sudo dnf install nginx -y

The -y flag automatically confirms the installation, eliminating the need to manually approve the process. DNF handles all dependencies automatically, ensuring everything Nginx needs gets installed simultaneously.

Once installation completes, start the Nginx service:

sudo systemctl start nginx

Enable Nginx to launch automatically at system boot:

sudo systemctl enable nginx

Verify that Nginx is running properly:

sudo systemctl status nginx

You should see an “active (running)” status in green. Check the installed Nginx version:

nginx -v

Nginx stores its configuration files in /etc/nginx/, with the main configuration file located at /etc/nginx/nginx.conf. Understanding this directory structure becomes important when configuring virtual hosts later.

Configure Firewall Rules

Fedora 43 uses firewalld by default to manage firewall rules. Web traffic requires specific ports to be open—port 80 for HTTP and port 443 for HTTPS.

First, verify firewalld is active:

sudo systemctl status firewalld

Add HTTP and HTTPS services to your firewall configuration:

sudo firewall-cmd --permanent --add-service=http
sudo firewall-cmd --permanent --add-service=https

The --permanent flag ensures these rules persist across system reboots. Reload the firewall to apply changes:

sudo firewall-cmd --reload

Confirm the rules are active:

sudo firewall-cmd --list-all

You should see both http and https listed under services. Alternatively, if you prefer specifying port numbers directly:

sudo firewall-cmd --permanent --add-port=80/tcp
sudo firewall-cmd --permanent --add-port=443/tcp
sudo firewall-cmd --reload

Test accessibility by entering your server’s IP address into a web browser. You should see the default Nginx welcome page.

Configure Nginx Server Block

Server blocks in Nginx function similarly to virtual hosts in Apache, allowing you to host multiple domains on a single server. Replace your_domain.com with your actual domain throughout these examples.

Create a directory structure for your website:

sudo mkdir -p /var/www/your_domain.com/html

Set proper ownership ($USER expands to the account you are logged in as; substitute another username if a different account should own the site files):

sudo chown -R $USER:$USER /var/www/your_domain.com/html

Set appropriate permissions:

sudo chmod -R 755 /var/www/your_domain.com

Create a simple test page:

nano /var/www/your_domain.com/html/index.html

Add this content:

<!DOCTYPE html>
<html>
<head>
    <title>Welcome to Your Domain</title>
</head>
<body>
    <h1>Success! Your Nginx server block is working!</h1>
</body>
</html>

Now create the server block configuration file:

sudo nano /etc/nginx/conf.d/your_domain.com.conf

Add this configuration:

server {
    listen 80;
    listen [::]:80;
    
    server_name your_domain.com www.your_domain.com;
    
    root /var/www/your_domain.com/html;
    index index.html index.htm;
    
    location / {
        try_files $uri $uri/ =404;
    }
}

This configuration tells Nginx to listen on port 80 for requests to your domain and serve files from your specified document root. Test the configuration syntax:

sudo nginx -t

If the test returns “syntax is okay” and “test is successful,” reload Nginx:

sudo systemctl reload nginx

Visit your domain in a browser. Your test page should display correctly.
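The steps above, gathered into one script as an added example (this is not code from the original tutorial): it validates the domain name before using it in a filesystem path and an Nginx directive, creates the document root and test page, writes the server block into conf.d and runs nginx -t when the binary is present. NGINX_CONF_DIR, WEB_ROOT_BASE and SKIP_NGINX_TEST are environment overrides introduced here so the script can be exercised in a scratch directory; their defaults are the paths the tutorial uses.

```shell
#!/bin/sh
# Added example (not from the original tutorial): create the web root and the
# Nginx server block for one domain, refusing domain names that could escape
# the path or inject directives into the configuration.
set -eu

# Assumed overrides; defaults match the tutorial's paths.
NGINX_CONF_DIR="${NGINX_CONF_DIR:-/etc/nginx/conf.d}"
WEB_ROOT_BASE="${WEB_ROOT_BASE:-/var/www}"

# Accept only hostname characters. The value ends up inside a path and inside
# a server_name directive, so '/', whitespace, ';', '{' and friends are refused,
# as are leading/trailing dots or hyphens and empty labels.
validate_domain() {
  case "$1" in
    ''|*[!A-Za-z0-9.-]*|-*|.*|*..*|*.|*-) return 1 ;;
  esac
  return 0
}

# Print the plain-HTTP server block for DOMAIN (Certbot adds the TLS half later).
render_server_block() {
  domain="$1"
  cat <<EOF
server {
    listen 80;
    listen [::]:80;

    server_name ${domain} www.${domain};

    root ${WEB_ROOT_BASE}/${domain}/html;
    index index.html index.htm;

    location / {
        try_files \$uri \$uri/ =404;
    }
}
EOF
}

# Create the document root, a test page and the server block file, then run
# `nginx -t` when nginx is installed (set SKIP_NGINX_TEST=1 for a dry run).
install_server_block() {
  domain="$1"
  if ! validate_domain "$domain"; then
    echo "refusing invalid domain name: $domain" >&2
    return 1
  fi
  site_root="${WEB_ROOT_BASE}/${domain}/html"
  mkdir -p "$site_root"
  chmod -R 755 "${WEB_ROOT_BASE}/${domain}"
  if [ ! -e "$site_root/index.html" ]; then
    cat > "$site_root/index.html" <<'EOF'
<!DOCTYPE html>
<html>
<head>
    <title>Welcome to Your Domain</title>
</head>
<body>
    <h1>Success! Your Nginx server block is working!</h1>
</body>
</html>
EOF
  fi
  render_server_block "$domain" > "${NGINX_CONF_DIR}/${domain}.conf"
  if [ -z "${SKIP_NGINX_TEST:-}" ] && command -v nginx >/dev/null 2>&1; then
    nginx -t
  fi
}

# Usage: sudo sh setup-site.sh your_domain.com
# Without an argument the file only defines the functions (so it can be sourced).
if [ "$#" -ge 1 ]; then
  install_server_block "$1"
fi
```

After running it, `sudo systemctl reload nginx` applies the new server block exactly as in the manual steps; the validation step is what the manual steps lack, since a domain taken from a variable or a form would otherwise be written into the configuration unchecked.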

Install Certbot and Nginx Plugin

Certbot serves as the official client for obtaining Let’s Encrypt certificates. The Nginx plugin allows Certbot to automatically configure your server blocks for SSL.

Install the EPEL repository, which provides additional packages not included in Fedora’s default repositories:

sudo dnf install epel-release -y

Install Certbot with the Nginx plugin:

sudo dnf install certbot python3-certbot-nginx -y

The Nginx plugin is essential because it automates the SSL configuration process, modifying your Nginx server blocks to include proper SSL directives. Verify the installation:

certbot --version

Obtain SSL Certificate with Certbot

Before running Certbot, ensure your server_name directive in the Nginx configuration exactly matches your domain name. Certbot reads this directive to determine which domains to secure.

Run Certbot with the Nginx plugin:

sudo certbot --nginx -d your_domain.com -d www.your_domain.com

Certbot will guide you through several prompts:

  1. Email Address: Provide a valid email for urgent renewal and security notices
  2. Terms of Service: Read and agree to Let’s Encrypt’s terms
  3. EFF Communications: Optionally share your email with the Electronic Frontier Foundation
  4. HTTPS Redirect: Choose whether to redirect all HTTP traffic to HTTPS (recommended)

During the process, Certbot performs an HTTP-01 challenge to verify you control the domain. It temporarily creates files in your web root that Let’s Encrypt’s servers request to confirm ownership.

Upon success, Certbot installs certificates in /etc/letsencrypt/live/your_domain.com/:

  • fullchain.pem: Your certificate plus the intermediate certificate
  • privkey.pem: Your private key
  • cert.pem: Your certificate only
  • chain.pem: The intermediate certificate only

Certbot also creates shared configuration files:

  • /etc/letsencrypt/options-ssl-nginx.conf: Secure SSL settings
  • /etc/letsencrypt/ssl-dhparams.pem: Diffie-Hellman parameters

The tool automatically modifies your server block, adding SSL configuration directives and creating a redirect from HTTP to HTTPS. Let’s Encrypt certificates are valid for 90 days, emphasizing the importance of automatic renewal.

Verify SSL Configuration

Open your browser and navigate to https://your_domain.com. You should see the padlock icon indicating a secure connection. Click the padlock to view certificate details and confirm it was issued by Let’s Encrypt.

Use curl to verify SSL from the command line:

curl -I https://your_domain.com

Examine the SSL directives Certbot added:

sudo nginx -T | grep ssl_

Your modified configuration now includes:

server {
    listen 443 ssl;
    listen [::]:443 ssl;
    
    server_name your_domain.com www.your_domain.com;
    
    ssl_certificate /etc/letsencrypt/live/your_domain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/your_domain.com/privkey.pem;
    include /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
    
    root /var/www/your_domain.com/html;
    index index.html index.htm;
}

server {
    if ($host = www.your_domain.com) {
        return 301 https://$host$request_uri;
    }
    
    if ($host = your_domain.com) {
        return 301 https://$host$request_uri;
    }
    
    listen 80;
    listen [::]:80;
    server_name your_domain.com www.your_domain.com;
    return 404;
}

Test your SSL configuration using online tools like SSL Labs to check protocols, cipher strength, and overall security grade. A properly configured Let’s Encrypt certificate should achieve an A rating.

Configure Automatic Certificate Renewal

Let’s Encrypt certificates expire after 90 days, but Certbot handles renewal automatically. Fedora uses systemd timers to run renewal checks twice daily.

Verify the systemd timer is active:

systemctl list-timers | grep certbot

You should see certbot-renew.timer listed. Test the renewal process without making actual changes:

sudo certbot renew --dry-run

A successful dry run confirms automatic renewal will work when needed. Certbot renews certificates when they’re within 30 days of expiration.

Configure a post-renewal hook to reload Nginx after certificate renewal. Edit the renewal configuration:

sudo nano /etc/letsencrypt/renewal/your_domain.com.conf

Add this line in the [renewalparams] section:

renew_hook = systemctl reload nginx

This ensures Nginx reloads after each renewal, applying the new certificates without downtime. Monitor renewal logs at /var/log/letsencrypt/letsencrypt.log to track renewal attempts and identify issues.
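The renew_hook line above reloads Nginx unconditionally. As an added example (not from the original tutorial or from Certbot), the following script does the same job as a deploy hook, placed in /etc/letsencrypt/renewal-hooks/deploy/, a directory Certbot runs scripts from after each successful renewal, but reloads only when nginx -t still passes, so a broken configuration shows up in the Certbot log instead of as a failed reload that leaves the old certificate in service. RENEWED_DOMAINS and RENEWED_LINEAGE are variables Certbot exports to hooks; NGINX_BIN and SYSTEMCTL_BIN are overrides introduced here so the logic can be run without root.

```shell
#!/bin/sh
# Added example, not from the tutorial or Certbot: reload Nginx after a renewal
# only when the configuration still validates.
# Install as /etc/letsencrypt/renewal-hooks/deploy/reload-nginx.sh (mode 0755).
set -eu

# Assumed overrides so the function can be exercised without root or nginx.
NGINX_BIN="${NGINX_BIN:-nginx}"
SYSTEMCTL_BIN="${SYSTEMCTL_BIN:-systemctl}"

# Returns 0 after a successful reload, 1 if `nginx -t` fails (nothing reloaded).
reload_if_valid() {
  if ! "$NGINX_BIN" -t >/dev/null 2>&1; then
    echo "reload-nginx: nginx -t failed; keeping the running configuration" >&2
    echo "reload-nginx: renewed certificate in ${RENEWED_LINEAGE:-?} is not served yet" >&2
    return 1
  fi
  "$SYSTEMCTL_BIN" reload nginx
  echo "reload-nginx: reloaded nginx for ${RENEWED_DOMAINS:-unknown domains}"
}

# Certbot sets RENEWED_LINEAGE for deploy hooks; when it is absent the file was
# sourced or run by hand and only defines the function.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
  reload_if_valid
fi
```

Its messages end up in /var/log/letsencrypt/letsencrypt.log alongside the renewal itself, which is where the tutorial tells you to look when a renewal misbehaves.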

Security Hardening and Best Practices

While Let’s Encrypt provides solid SSL configuration, additional hardening enhances security further. Add security headers to your server block:

add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-XSS-Protection "1; mode=block" always;

The Strict-Transport-Security header (HSTS) forces browsers to only connect via HTTPS, even if users type “http://” in the address bar. Enable HTTP/2 for improved performance by modifying the listen directive:

listen 443 ssl http2;
listen [::]:443 ssl http2;

Consider implementing rate limiting to prevent abuse:

limit_req_zone $binary_remote_addr zone=one:10m rate=10r/s;

server {
    location / {
        limit_req zone=one burst=20;
    }
}

Keep both Nginx and Certbot updated regularly:

sudo dnf update nginx certbot python3-certbot-nginx

If SELinux is enabled on your Fedora system, ensure it allows Nginx to read certificate files. Check SELinux status:

getenforce

If enforcing, you may need to set appropriate contexts for certificate directories.
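The browser and curl checks from Verify SSL Configuration and the hardening headers from this section can be audited from one script. As an added example, not part of the original tutorial, the following checks a host: that the plain-HTTP response is a permanent redirect to https://, that HSTS is present with the one-year max-age the add_header line sets, which of the four hardening headers are absent, and that the served certificate has more than 30 days left (the point at which Certbot should already have renewed it). The parsing functions take captured header text so they run offline; audit_host fetches a live host with curl and openssl, both assumed to be installed. The function names and the 30-day threshold are choices made for this example.

```shell
#!/bin/sh
# Added example (not from the original tutorial): post-deployment audit of the
# HTTP->HTTPS redirect, HSTS, the hardening headers and certificate expiry.
set -eu

# Strip CRs and lower-case everything so header names compare case-insensitively.
normalize_headers() {
  tr -d '\r' | tr 'A-Z' 'a-z'
}

# 0 when the plain-HTTP response is a 301/308 whose Location is an https:// URL.
redirects_to_https() {
  h="$(printf '%s\n' "$1" | normalize_headers)"
  printf '%s\n' "$h" | grep -Eq '^http/[0-9.]+ 30[18]' &&
    printf '%s\n' "$h" | grep -Eq '^location: https://'
}

# Print the HSTS max-age in seconds, or nothing if the header is absent.
hsts_max_age() {
  printf '%s\n' "$1" | normalize_headers |
    sed -n 's/^strict-transport-security:.*max-age=\([0-9][0-9]*\).*/\1/p' | head -n 1
}

# 0 when HSTS is present with max-age of at least one year (31536000 s),
# the value set by the tutorial's add_header line.
hsts_is_strong() {
  age="$(hsts_max_age "$1")"
  [ -n "$age" ] && [ "$age" -ge 31536000 ]
}

# Print, one per line, the tutorial's hardening headers missing from a response.
missing_security_headers() {
  h="$(printf '%s\n' "$1" | normalize_headers)"
  for name in strict-transport-security x-frame-options \
              x-content-type-options x-xss-protection; do
    printf '%s\n' "$h" | grep -q "^$name:" || echo "$name"
  done
}

# Live fetchers (need network access; not used by the offline checks above).
fetch_http_headers()  { curl -sSI --max-time 10 "http://$1/"; }
fetch_https_headers() { curl -sSI --max-time 10 "https://$1/"; }

# Show issuer and expiry of the served certificate; fail if it expires within
# 30 days (2592000 s), which would mean automatic renewal is not working.
check_certificate() {
  pem="$(openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null |
    openssl x509)"
  printf '%s\n' "$pem" | openssl x509 -noout -issuer -enddate
  printf '%s\n' "$pem" | openssl x509 -noout -checkend 2592000
}

# Run every check against HOST; exit status 1 if any hard check fails.
audit_host() {
  host="$1"
  status=0
  http_headers="$(fetch_http_headers "$host")"
  https_headers="$(fetch_https_headers "$host")"
  if redirects_to_https "$http_headers"; then
    echo "ok: http://$host redirects to https"
  else
    echo "FAIL: http://$host does not redirect to https"; status=1
  fi
  if hsts_is_strong "$https_headers"; then
    echo "ok: hsts max-age=$(hsts_max_age "$https_headers")"
  else
    echo "FAIL: hsts missing or max-age below one year"; status=1
  fi
  for m in $(missing_security_headers "$https_headers"); do
    echo "WARN: missing header $m"
  done
  check_certificate "$host" || status=1
  return $status
}

# Usage: sh audit-tls.sh your_domain.com
if [ "$#" -ge 1 ]; then
  audit_host "$1"
fi
```

Run it after Certbot finishes and again after adding the headers; a WARN for a header you deliberately left out is fine, but a FAIL on the redirect or on HSTS means the HTTP server block or the add_header placement needs another look (add_header lines inside a location block replace, rather than extend, those inherited from the server block).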

Troubleshooting Common Issues

Certificate Request Failures

If Certbot cannot verify your domain, check DNS propagation using tools like dig or online DNS checkers. Ensure your domain’s A record points to your server’s IP address.

Port 80 Blocked

Let’s Encrypt requires port 80 for domain verification. Verify your firewall allows traffic on this port and check if any other service is using it:

sudo netstat -tlnp | grep :80

Rate Limit Errors

Let’s Encrypt limits certificate issuance to prevent abuse. If you hit the limit, wait the specified period before retrying. Use the --dry-run flag for testing to avoid consuming your quota.

Nginx Configuration Errors

After Certbot modifies your configuration, syntax errors occasionally occur. Always test with sudo nginx -t before reloading.

Renewal Failures

Check /var/log/letsencrypt/letsencrypt.log for specific error messages. Common causes include incorrect file permissions, Nginx not running during renewal, or domain configuration changes.

Mixed Content Warnings

After enabling HTTPS, ensure all resources (images, scripts, stylesheets) load via HTTPS. Mixed content occurs when an HTTPS page loads HTTP resources, triggering browser warnings.

Congratulations! You have successfully installed Nginx with free SSL. Thanks for using this tutorial for installing the Nginx web server with Let’s Encrypt SSL on your Fedora 43 system. For additional help or useful information, we recommend you check the official Nginx website.

r00t
