
How To Secure Nginx on Manjaro with Let's Encrypt SSL

Website security is not optional. Serving your site over HTTPS protects your users' data in transit, is a ranking signal for search engines, and gives visitors a trust indicator in the browser. For Manjaro Linux users running Nginx, Let's Encrypt offers a free, automated way to obtain publicly trusted TLS certificates. This guide walks through the whole process: installing Nginx and Certbot, obtaining a certificate, hardening the TLS and header configuration, and automating renewal.

Introduction

Secure Sockets Layer (SSL) and its successor, Transport Layer Security (TLS), are cryptographic protocols that provide secure communication over a network. On a web server they encrypt the traffic between server and clients and let the client verify that it is talking to the genuine server, which defeats eavesdropping and man-in-the-middle attacks. Every SSL version is long deprecated; what you deploy today is TLS, even though the phrase "SSL certificate" has stuck.

Let’s Encrypt is a free, automated, and open Certificate Authority (CA) that has revolutionized website security by removing the financial and technical barriers to implementing SSL/TLS. Since its inception, Let’s Encrypt has made it significantly easier for website administrators to secure their sites without the complexity and cost associated with traditional certificate authorities.

Nginx (pronounced “engine-x”) is a powerful, lightweight web server and reverse proxy that excels at handling high-traffic websites. Its efficiency and flexibility make it a popular choice among developers and system administrators on various Linux distributions, including Manjaro.

Prerequisites

Before diving into the SSL implementation process, ensure you have the following prerequisites in place:

System Requirements

To follow this guide successfully, you’ll need:

  • A Manjaro Linux installation (up-to-date)
  • Root or sudo privileges on your system
  • Basic knowledge of terminal commands
  • Familiarity with text editors like nano or vim

Domain Requirements

For Let’s Encrypt to issue a valid SSL certificate, you must have:

  • A registered domain name (purchased from a domain registrar)
  • Proper DNS configuration with A records pointing to your server’s IP address
  • The ability to answer Let's Encrypt's HTTP-01 challenge: the CA fetches a token from http://yourdomain/.well-known/acme-challenge/ on port 80 to prove that you control the name (a DNS-based challenge exists as an alternative but is not covered here)

Network Configuration

Your server should have:

  • Port 80 (HTTP) and 443 (HTTPS) open and reachable from the internet; port 80 is what the HTTP-01 challenge uses, so it must stay open even after you redirect everything to HTTPS
  • Proper firewall rules allowing traffic on these ports
  • A static IP address or dynamic DNS solution if your IP changes frequently

Installing Nginx on Manjaro

Manjaro, being based on Arch Linux, uses the pacman package manager for software installation. Let’s start by installing and configuring Nginx.

Package Installation

First, update your system packages and install Nginx:

sudo pacman -Syu
sudo pacman -S nginx

This will install the latest version of Nginx available in the Manjaro repositories.

Initial Configuration

After installation, set up a per-site directory layout. Manjaro's nginx.conf does not include one by default (the sites-available/sites-enabled split is a Debian convention), but it keeps each site's configuration in its own file and lets you disable a site by removing a symlink:

sudo mkdir -p /etc/nginx/sites-available
sudo mkdir -p /etc/nginx/sites-enabled

Now, modify the main Nginx configuration file to include the sites-enabled directory:

sudo nano /etc/nginx/nginx.conf

Add the following line inside the http block (include paths are relative to /etc/nginx, so this picks up every symlink in /etc/nginx/sites-enabled):

include sites-enabled/*;

Save and exit the editor.

Next, create a basic server block configuration:

sudo nano /etc/nginx/sites-available/yourdomain.conf

Replace "yourdomain" with your actual domain name. The document root must exist and be readable by the http user that Nginx runs as on Manjaro, so create /var/www/yourdomain and put an index.html in it before you start the server. Add the following basic configuration:

server {
    listen 80;
    server_name yourdomain.com www.yourdomain.com;

    root /var/www/yourdomain;
    index index.html;

    location / {
        try_files $uri $uri/ =404;
    }
}

Create a symbolic link to enable this configuration:

sudo ln -s /etc/nginx/sites-available/yourdomain.conf /etc/nginx/sites-enabled/

Finally, start and enable the Nginx service:

sudo systemctl start nginx
sudo systemctl enable nginx

Test your configuration with:

sudo nginx -t

If all is well, reload Nginx:

sudo systemctl reload nginx

Installing Certbot on Manjaro

Certbot is the ACME client that Let's Encrypt recommends; it is maintained by the Electronic Frontier Foundation (EFF) and automates obtaining, installing and renewing certificates. Since Manjaro is based on Arch Linux, we'll install it from the Arch package repositories.

Installing Certbot Package

Install Certbot and the Nginx plugin using pacman:

sudo pacman -S certbot certbot-nginx

This command installs both the Certbot client and the Nginx plugin, which will automate much of the certificate installation process.

Nginx Plugin Installation

The certbot-nginx plugin lets Certbot read your Nginx configuration, answer the HTTP-01 challenge through the running server, and then edit the matching server block to use the new certificate (certificate paths, TLS parameters via an included options file, and optionally the HTTP to HTTPS redirect).

Note that the package name differs from Debian-based distributions: on Arch and Manjaro it is certbot-nginx, not python3-certbot-nginx. If the plugin was not pulled in by the previous command, install it on its own:

sudo pacman -S certbot-nginx

Verify the installation by running:

certbot --version

This should print the installed Certbot version. Running certbot plugins should additionally list nginx as both an authenticator and an installer; if it does not, the plugin package is missing.

Obtaining Your First SSL Certificate

With Nginx and Certbot properly installed, we can now obtain our first SSL certificate from Let’s Encrypt.

Certificate Acquisition Methods

Certbot offers several methods to prove control of a domain and obtain a certificate. The most common are:

  1. Webroot method: Certbot writes the challenge file under a directory your existing web server already serves
  2. Standalone method: Certbot temporarily binds port 80 itself, so the web server must be stopped during validation
  3. Nginx plugin method: Certbot temporarily edits the Nginx configuration to answer the challenge, then configures the server block for you

All three use the HTTP-01 challenge; a DNS-01 challenge also exists and is required for wildcard certificates, but it needs a DNS provider plugin and is not covered here.

For this guide, we'll use the Nginx plugin method as it's the simplest approach.

Generating Certificates

Before running Certbot, make sure the domain's server block is active in Nginx and that port 80 is reachable from the internet: Let's Encrypt's validation servers fetch the challenge response from several network vantage points, so a firewall that only allows your own IP address will fail validation.

To obtain a certificate using the Nginx plugin, run:

sudo certbot --nginx -d yourdomain.com -d www.yourdomain.com

Replace “yourdomain.com” with your actual domain name. Including both the root domain and the www subdomain ensures that both versions of your site are secured.

During the process, Certbot will:

  • Ask for your email address (tied to your ACME account; used for account recovery and important notices)
  • Request acceptance of the terms of service
  • Prompt about sharing your email with the EFF (optional)
  • Set up an HTTP to HTTPS redirect (older releases ask first; recent releases redirect by default unless you pass --no-redirect)

Certificate Verification

After the certificate is issued, Certbot will modify your Nginx configuration to use the new certificates and optionally set up HTTP to HTTPS redirection.

The certificates will be stored in /etc/letsencrypt/live/yourdomain.com/. The files there are symbolic links to the current versions in /etc/letsencrypt/archive/, which is how renewals swap in a new certificate without changing the paths in your Nginx configuration:

  • fullchain.pem: The leaf certificate followed by the intermediate chain; this is what Nginx should serve
  • privkey.pem: The private key; readable by root only, and it must stay that way
  • cert.pem: Your certificate only
  • chain.pem: The intermediate certificate(s) only

You can verify the certificate’s existence with:

sudo ls -la /etc/letsencrypt/live/yourdomain.com/
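The checks below are an added example and not part of the original tutorial or of Certbot: POSIX shell functions that inspect a certificate directory offline with the openssl command line. They cover what this section and the later Automating Certificate Renewal and Troubleshooting sections describe: days left until expiry and Certbot's 30-day renewal threshold, whether the certificate's SANs cover the hostname you serve, whether privkey.pem actually belongs to fullchain.pem, and the leaf fingerprint you can compare against what the live site presents. The directory path and hostname are arguments; cert_days_left assumes GNU date.

```shell
#!/bin/sh
# Added example (not from the original tutorial): offline checks on a
# Let's Encrypt certificate directory such as /etc/letsencrypt/live/yourdomain.com.
# Assumes: openssl on PATH and GNU date (cert_days_left relies on `date -d`).

# Days until the certificate in $1 expires (negative once it has expired).
cert_days_left() {
    enddate=$(openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//')
    end_epoch=$(date -d "$enddate" +%s)
    now_epoch=$(date +%s)
    echo $(( (end_epoch - now_epoch) / 86400 ))
}

# Exit 0 when the certificate in $1 expires within $2 days (default 30): the
# same threshold certbot uses to decide that `certbot renew` should act.
cert_needs_renewal() {
    days=${2:-30}
    ! openssl x509 -in "$1" -noout -checkend $(( days * 86400 )) >/dev/null
}

# Print the DNS names the certificate in $1 is valid for, one per line.
cert_sans() {
    openssl x509 -in "$1" -noout -text \
        | grep -A1 'Subject Alternative Name' | tail -n 1 \
        | tr ',' '\n' | sed -n 's/.*DNS:\([^ ]*\).*/\1/p'
}

# Exit 0 when $2 is among the certificate's SANs; a mismatch here is the
# usual cause of "invalid certificate" errors in the browser.
cert_covers_domain() {
    cert_sans "$1" | grep -qx "$2"
}

# Exit 0 when the private key in $2 belongs to the certificate in $1
# (compares the SubjectPublicKeyInfo derived from each side).
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey)
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null)
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# SHA-256 fingerprint of the leaf certificate in $1. Compare it with the one
# the live site serves (openssl s_client -connect host:443 -servername host
# </dev/null | openssl x509 -noout -fingerprint -sha256) to confirm that
# nginx really reloaded after a renewal.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# Summary for one live directory:
#   check_live_dir /etc/letsencrypt/live/yourdomain.com www.yourdomain.com
check_live_dir() {
    dir=$1; host=$2
    echo "expires in $(cert_days_left "$dir/fullchain.pem") days"
    cert_needs_renewal "$dir/fullchain.pem" && echo "WARNING: inside the 30-day renewal window"
    cert_covers_domain "$dir/fullchain.pem" "$host" || echo "WARNING: $host is not in the SANs"
    cert_matches_key "$dir/fullchain.pem" "$dir/privkey.pem" || echo "ERROR: privkey.pem does not match fullchain.pem"
    echo "sha256 fingerprint: $(cert_fingerprint "$dir/fullchain.pem")"
}
```

Because fullchain.pem lists the leaf certificate first, every openssl x509 call above reads just the leaf, which is what the browser checks against the hostname. Run check_live_dir as root, since privkey.pem is not world-readable.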

Configuring Nginx with SSL

After obtaining your certificates, Certbot should have automatically configured Nginx to use SSL. However, it’s good to understand what changes were made and how to optimize the configuration.

Basic SSL Configuration

Certbot adds directives like these to your server block, each tagged "# managed by Certbot" (the listen line is switched to 443, and a separate port-80 block handles the redirect if you chose one):

server {
    listen 443 ssl; # managed by Certbot
    server_name yourdomain.com www.yourdomain.com;

    # ... your existing root, index and location directives ...

    ssl_certificate /etc/letsencrypt/live/yourdomain.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/yourdomain.com/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}

The included options-ssl-nginx.conf carries Certbot's own ssl_protocols, ssl_ciphers and session settings, and ssl-dhparams.pem is a 2048-bit DH group that ships with Certbot.

You can check your updated configuration in:

sudo nano /etc/nginx/sites-enabled/yourdomain.conf

Setting up Strong Encryption

To tighten the TLS settings, add the following parameters to your HTTPS server block:

ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers on;
ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';

This disables the old protocol versions (SSLv3, TLSv1.0 and TLSv1.1) and restricts TLS 1.2 to forward-secret key exchanges. Two caveats: ssl_ciphers only governs TLS 1.2 and earlier (TLS 1.3 suites are fixed by OpenSSL and are all AEAD), and this particular list leaves out ChaCha20-Poly1305, the fastest option for clients without AES hardware. If your block still contains Certbot's include /etc/letsencrypt/options-ssl-nginx.conf line, remove it or put your directives in its place: that file already sets ssl_protocols and ssl_ciphers, and nginx -t rejects the configuration with a "directive is duplicate" error otherwise.

Generating Diffie-Hellman Parameters

The finite-field Diffie-Hellman suites (the EDH entries above) need a DH group. Generate your own 2048-bit parameters so you do not rely on small or widely shared groups, which is the weakness the Logjam attack exploited:

sudo mkdir -p /etc/nginx/ssl
sudo openssl dhparam -out /etc/nginx/ssl/dhparams.pem 2048

Then add the following to your SSL configuration:

ssl_dhparam /etc/nginx/ssl/dhparams.pem;

Note that generating DH parameters takes a while (minutes for 2048 bits on a small VPS, much longer for 4096), so be patient. Only one ssl_dhparam directive is allowed per block, so if Certbot's ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem line is still present, replace it rather than adding a second one. Because ssl_prefer_server_ciphers puts the ECDHE suites first, this group is only a fallback for clients that cannot negotiate ECDHE.

HTTP to HTTPS Redirection

To ensure all traffic uses HTTPS, configure a permanent redirect from HTTP to HTTPS:

server {
    listen 80;
    server_name yourdomain.com www.yourdomain.com;
    
    location / {
        return 301 https://$host$request_uri;
    }
    
    # Keep this for Let's Encrypt renewal
    location /.well-known/acme-challenge/ {
        root /var/www/certbot;
    }
}

This configuration redirects all HTTP traffic to HTTPS while keeping /.well-known/acme-challenge/ served over plain HTTP. The explicit location only matters for the webroot method (point Certbot at the same directory with -w /var/www/certbot); the --nginx plugin used in this guide inserts its own temporary challenge location during validation, so with it the block is harmless but not required. Let's Encrypt also follows redirects to HTTPS, so a redirect on its own does not break validation.

Implementing Advanced Security Features

Beyond basic SSL implementation, additional security headers can significantly enhance your website’s protection against various attacks.

Security Headers Implementation

Add these headers to your HTTPS server block to improve security:

# HSTS (HTTP Strict Transport Security)
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

# Prevent clickjacking
add_header X-Frame-Options "SAMEORIGIN" always;

# Legacy XSS auditor: explicitly off. Modern browsers have removed it, and
# "1; mode=block" was itself abused for cross-site information leaks.
add_header X-XSS-Protection "0" always;

# Prevent content type sniffing
add_header X-Content-Type-Options "nosniff" always;

# Content Security Policy
add_header Content-Security-Policy "default-src 'self';" always;

HTTP Strict Transport Security (HSTS) tells browsers to use HTTPS for your domain for the duration of max-age (one year here), even when the user types a plain http:// URL, and includeSubDomains extends that to every subdomain. Only enable it once everything under the domain is served over HTTPS, because browsers will refuse plain-HTTP subdomains until the year is up. The always parameter makes Nginx send the header on error responses as well.

Two things to check when you add these. First, add_header is not cumulative across contexts: if any location block of your own contains an add_header directive, it inherits none of the headers set at server level, so repeat the full set there. Second, default-src 'self' blocks inline scripts and styles and any resource loaded from another origin; roll it out as Content-Security-Policy-Report-Only first and watch the browser console before enforcing it.

SSL Session Configuration

Tune session resumption so returning clients can skip the full handshake:

ssl_session_timeout 1d;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off;

The shared cache (roughly 4,000 sessions per megabyte, so about 40,000 here) lets a client resume a session with an abbreviated handshake for a day, which cuts CPU load on the server and latency for visitors. Turning session tickets off is a security choice rather than a performance one: Nginx never rotates the ticket encryption key on its own, so a long-running worker keeps protecting every ticket with the same key and a later compromise of that key would expose past sessions, undermining forward secrecy. If you run several Nginx servers behind a load balancer you will need to share the cache or manage ticket keys (ssl_session_ticket_key) yourself.
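Pulling the pieces from the Setting up Strong Encryption, Diffie-Hellman, Redirection, Security Headers and Session sections together, here is an added example that is not from the original tutorial or from Certbot: a shell script that writes one complete site file containing both server blocks, plus an audit function that greps a site file for the weak settings those sections warn about. Assumptions: the domain, web root and destination file are passed in; the DH file lives at /etc/nginx/ssl/dhparams.pem as generated above; the cipher list is Mozilla's intermediate profile rather than the shorter list quoted above; X-XSS-Protection is left out on purpose; and the "weak" configuration is a constructed sample for exercising the audit.

```shell
#!/bin/sh
# Added example, not from the tutorial or from Certbot: writes a complete
# hardened site file and audits a site file for the weak settings discussed above.
# Assumptions: dhparams.pem lives at /etc/nginx/ssl/ as generated earlier; the
# cipher list is Mozilla's intermediate profile; X-XSS-Protection is omitted.

# write_hardened_site FILE DOMAIN WEBROOT
write_hardened_site() {
    cat > "$1" <<EOF
# Port 80: answer ACME challenges for the webroot method, redirect everything else.
# (The --nginx plugin inserts its own temporary challenge location; this one is
# only needed if you renew with certbot --webroot -w /var/www/certbot.)
server {
    listen 80;
    listen [::]:80;
    server_name $2 www.$2;

    location /.well-known/acme-challenge/ {
        root /var/www/certbot;
    }
    location / {
        return 301 https://\$host\$request_uri;
    }
}

server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name $2 www.$2;
    root $3;
    index index.html;

    ssl_certificate /etc/letsencrypt/live/$2/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/$2/privkey.pem;
    ssl_dhparam /etc/nginx/ssl/dhparams.pem;

    # ssl_ciphers only affects TLS 1.2; TLS 1.3 suites are fixed by OpenSSL.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:10m;
    ssl_session_tickets off;

    # Headers are set once at server level. Any add_header inside a location
    # block replaces ALL inherited headers, so repeat the whole set there if needed.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header Content-Security-Policy "default-src 'self'" always;

    location / {
        try_files \$uri \$uri/ =404;
    }
}
EOF
}

# audit_site_config FILE: print one WEAK: line per finding; return the count (0 = clean).
audit_site_config() {
    f=$1; n=0
    grep -Eq 'ssl_protocols[^;]*(SSLv3|TLSv1(\.1)?[ ;])' "$f" &&
        { echo "WEAK: ssl_protocols still allows SSLv3/TLSv1.0/TLSv1.1"; n=$((n+1)); }
    grep -Eq 'ssl_certificate +[^;]*/cert\.pem;' "$f" &&
        { echo "WEAK: ssl_certificate points at cert.pem; serve fullchain.pem so clients get the chain"; n=$((n+1)); }
    grep -q 'listen 443' "$f" && ! grep -q 'Strict-Transport-Security' "$f" &&
        { echo "WEAK: HTTPS block sends no HSTS header"; n=$((n+1)); }
    grep -Eq 'X-XSS-Protection +"1' "$f" &&
        { echo "WEAK: X-XSS-Protection enabled; the auditor is deprecated and abusable, send 0 or drop it"; n=$((n+1)); }
    grep -q 'ssl_session_tickets off' "$f" ||
        { echo "WEAK: ssl_session_tickets not disabled; nginx never rotates the ticket key"; n=$((n+1)); }
    return $n
}

# Constructed sample of a typical first attempt (not from any real server), so the
# audit can be exercised without touching /etc/nginx.
write_weak_sample() {
    cat > "$1" <<'EOF'
server {
    listen 443 ssl;
    server_name yourdomain.com;
    ssl_certificate /etc/letsencrypt/live/yourdomain.com/cert.pem;
    ssl_certificate_key /etc/letsencrypt/live/yourdomain.com/privkey.pem;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    add_header X-XSS-Protection "1; mode=block" always;
}
EOF
}

# Typical use on the server (then symlink into sites-enabled and reload):
#   write_hardened_site /etc/nginx/sites-available/yourdomain.conf yourdomain.com /var/www/yourdomain
#   audit_site_config /etc/nginx/sites-available/yourdomain.conf && echo "no weak settings" && nginx -t
```

The audit is deliberately line-oriented: it catches the mistakes this guide discusses (old protocol versions, cert.pem instead of fullchain.pem, a missing HSTS header, the legacy XSS auditor, session tickets left on) but does not parse nginx's block structure, so it cannot tell you that a nested location dropped the inherited headers. Always finish with nginx -t, which is the authoritative syntax check.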

Testing Your SSL Configuration

After implementing all the security enhancements, it’s crucial to test your configuration thoroughly.

Browser Testing

Open your website in different browsers to verify that:

  • The padlock icon appears in the address bar
  • No mixed content warnings are displayed
  • Certificate information is correct when clicking on the padlock icon

Using SSL Testing Tools

Several online tools can help you assess your SSL implementation:

  1. SSL Labs Server Test: Visit SSL Labs and enter your domain. This comprehensive test evaluates your SSL configuration and grades it from A+ to F.
  2. Mozilla Observatory: This tool checks not only your SSL configuration but also other security headers and best practices.
  3. ImmuniWeb SSL Security Test: Another useful tool for testing your SSL implementation.

Common Issues and Fixes

When testing, you might encounter these common issues:

  • Mixed Content Warnings: These occur when your HTTPS page loads resources (images, scripts, etc.) over HTTP. Fix by ensuring all resources use HTTPS.
  • Invalid Certificate Errors: Usually caused by misconfiguration or domain name mismatches. Verify that your certificate covers all domains you’re serving.
  • Chain Certificate Problems: Ensure your fullchain.pem file is properly referenced in your Nginx configuration.

Automating Certificate Renewal

Let’s Encrypt certificates are valid for only 90 days, making automated renewal essential.

Understanding Certificate Lifetimes

Let’s Encrypt’s short certificate validity period (90 days) is a security feature that:

  • Limits damage from key compromise or mis-issuance
  • Encourages automation of the renewal process
  • Ensures regular updates to cryptographic best practices

Setting Up Automated Renewal

On Debian-based distributions the Certbot package ships a systemd timer, but the Arch Linux package that Manjaro uses does not, so you normally have to create one yourself. Check first whether a timer already exists:

sudo systemctl list-timers | grep certbot

If a certbot timer is listed, it runs certbot renew on a schedule (typically twice a day). Certificates are only actually renewed when they are within 30 days of expiry, so the frequent runs are cheap and leave plenty of retries if Let's Encrypt or your network is briefly unavailable.

If nothing is listed, create the timer and its service manually:

sudo nano /etc/systemd/system/certbot-renewal.timer

Add the following:

[Unit]
Description=Timer for Let's Encrypt renewal

[Timer]
OnCalendar=0/12:00:00
RandomizedDelaySec=1h
Persistent=true

[Install]
WantedBy=timers.target

Then create the service:

sudo nano /etc/systemd/system/certbot-renewal.service

Add:

[Unit]
Description=Let's Encrypt renewal

[Service]
Type=oneshot
# --deploy-hook runs only when a certificate was actually renewed, so nginx is
# not reloaded twice a day for nothing. When the nginx plugin installed the
# certificate, certbot also reloads nginx itself; the hook is a safe belt-and-braces.
ExecStart=/usr/bin/certbot renew --quiet --deploy-hook "systemctl reload nginx"

Enable and start the timer:

sudo systemctl enable certbot-renewal.timer
sudo systemctl start certbot-renewal.timer

Testing the Renewal Process

Test the renewal process with a dry run:

sudo certbot renew --dry-run

This runs the whole renewal flow against Let's Encrypt's staging environment without touching your real certificates, so you can confirm that validation and the Nginx plugin work before the timer needs them. Hooks are skipped during a dry run unless you add --run-deploy-hooks, which is worth doing once to prove the reload command itself works.

Troubleshooting Common Issues

Even with careful setup, you might encounter SSL-related issues. Here are solutions to common problems.

Certificate Issuance Problems

If you encounter problems obtaining certificates:

  • Rate Limiting Issues: Let's Encrypt imposes rate limits (for example on certificates per registered domain per week and on failed validations per hour). Wait before retrying, and use the staging environment (certbot --dry-run or --test-cert) while experimenting, since it has much higher limits; its certificates are not trusted by browsers.
  • Domain Validation Failures: Ensure your domain points to your server and that ports 80/443 are accessible from the internet.
  • Authorization Errors: Check that your webroot path is correct and accessible by the webserver.

Nginx Configuration Errors

Common Nginx SSL configuration issues include:

  • Syntax Problems: Use nginx -t to check configuration syntax before reloading.
  • Path Incorrectness: Ensure certificate paths in your configuration match actual file locations.
  • Permission Issues: Verify that Nginx has read access to certificate files.

Renewal Failures

If certificate renewal fails:

  • Process Issues: Ensure the renewal process is running correctly.
  • Log Checking: Review logs at /var/log/letsencrypt/ for error details.
  • Configuration Changes: If you’ve modified your Nginx configuration since initial setup, make sure your changes don’t interfere with the renewal process.

A common complaint after a renewal is that the site keeps serving the old certificate. Check that the renewal actually ran (journalctl -u certbot-renewal.service) and reload Nginx; the live/ symlinks already point at the new files, so a reload is enough to pick them up. If workers still present the old certificate after a reload, force a full restart:

sudo systemctl restart nginx

Congratulations! You have secured Nginx on Manjaro with a Let's Encrypt certificate and set up automatic renewal. For additional help, see the official Nginx and Certbot documentation.


r00t

r00t is an experienced Linux enthusiast and technical writer with a passion for open-source software. With years of hands-on experience in various Linux distributions, r00t has developed a deep understanding of the Linux ecosystem and its powerful tools. He holds certifications in SCE and has contributed to several open-source projects. r00t is dedicated to sharing his knowledge and expertise through well-researched and informative articles, helping others navigate the world of Linux with confidence.