LinuxTutorialsUbuntu

How To Install Let’s Encrypt SSL With Nginx on Ubuntu 16.04 LTS

Install Let's Encrypt SSL With Nginx on Ubuntu 16.04 LTS

In this tutorial, we will show you how to install Let’s Encrypt SSL with Nginx on Ubuntu 16.04 LTS. For those of you who didn’t know, LetsEncrypt is a free open certificate authority (CA) that provides free certificates for websites and other services. The service, is backed by the Electronic Frontier Foundation, Mozilla, Cisco Systems, and Akamai. Unfortunately, LetsEncrypt.org certificates currently have a 3 month lifetime. This means you’ll need to renew your certificate quarterly for now.

This article assumes you have at least basic knowledge of Linux, know how to use the shell, and most importantly, you host your site on your own VPS. The installation is quite simple and assumes you are running in the root account, if not you may need to add ‘sudo‘ to the commands to get root privileges. I will show you the step-by-step installation Let’s Encrypt SSL with Nginx on a Ubuntu 16.04 LTS (Xenial Xerus) server.

Prerequisites

  • A server running one of the following operating systems: Ubuntu 16.04 LTS (Xenial Xerus).
  • It’s recommended that you use a fresh OS install to prevent any potential issues.
  • SSH access to the server (or just open Terminal if you’re on a desktop).
  • A non-root sudo user or access to the root user. We recommend acting as a non-root sudo user, however, as you can harm your system if you’re not careful when acting as the root.

Install Let’s Encrypt SSL With Nginx on Ubuntu 16.04 LTS

Step 1. First, make sure that all your system packages are up-to-date by running the following apt-get commands in the terminal.

sudo apt-get update
sudo apt-get upgrade

Step 2. Installing Let’s Encrypt SSL on Ubuntu 16.04.

The first step is to install certbot, the software client which will automate almost everything in the process:

add-apt-repository ppa:certbot/certbot
apt-get update
apt-get install certbot

You will also need to have Nginx installed and running. Of course, if you are adding certificates onto a previously configured web host this would already be installed:

apt-get install nginx
systemctl start nginx

The first step to installing let’s encrypt SSL on Ubuntu Linux is to add a simple configuration inside your Nginx server block configuration. Add this line to your server block configuration:

  location ~ /.well-known {
  allow all;
  }

Save and exit to apply changes:

### nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

Restart Nginx:

systemctl restart nginx

Obtaining a certificate with Certbot:

Run the command as you see below, replace “idroot.us” with your real domain name and /var/www/idroot.us with your real webroot path:

certbot certonly -a webroot --webroot-path=/var/www/idroot.us -d idroot.us -d www.idroot.us

Result:

[root@idroot.us:~]certbot certonly -a webroot --webroot-path=/var/www/idroot.us -d idroot.us -d www.idroot.us
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for idroot.us
Using the webroot path /var/www/html for all unmatched domains.
Waiting for verification...
Cleaning up challenges
Generating key (2048 bits): /etc/letsencrypt/keys/0001_key-certbot.pem
Creating CSR: /etc/letsencrypt/csr/0001_csr-certbot.pem
IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at
   /etc/letsencrypt/live/idroot.us/fullchain.pem. Your cert
   will expire on 2017-07-16. To obtain a new or tweaked version of
   this certificate in the future, simply run certbot again. To
   non-interactively renew *all* of your certificates, run "certbot
   renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le
[root@idroot.us:~]

Step 3. Configure SSL/TLS on the NGINX web server.

First, edit the server block file you specified during configuration through Certbot and add these three directives:

listen 443 ssl http2;
ssl_certificate /etc/letsencrypt/live/idroot.us/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/idroot.us/privkey.pem;

The full Nginx server block configuration may look like this:

server {
     listen 80;
     server_name idroot.us www.idroot.us;
     rewrite ^(.*) https://idroot.us$1 permanent;
}
server {
     access_log off;
     log_not_found off;
     error_log  logs/idroot.us-error_log warn;

    server_name  idroot.us; 
    root   /var/www/idroot.us;
    index  index.php index.html index.htm;

    listen 443 ssl http2;
    ssl_certificate /etc/letsencrypt/live/idroot.us/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/idroot.us/privkey.pem;

  ## Stuff required by certbot
     location ~ /.well-known {
     allow all;
     }

  ## SSL
   ssl_session_cache shared:SSL:20m;
   ssl_session_timeout 10m;

   ssl_prefer_server_ciphers On;
   ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
   ssl_ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS;

   ssl_stapling on;
   ssl_stapling_verify on;
   resolver 8.8.8.8 8.8.4.4 valid=300s;
   resolver_timeout 10s;

   access_log /var/www/idroot.us/logs/access.log;
   error_log /var/www/idroot.us/logs/error.log;

   # php-script handler
   location ~ \.php$ {
      fastcgi_index index.php;
      fastcgi_pass 127.0.0.1:9000;       fastcgi_read_timeout 150;
      root    /var/www/idroid.us/public_html;
      fastcgi_param SCRIPT_FILENAME /var/www/idroot.us$fastcgi_script_name;
      include /etc/nginx/fastcgi_params;
   }
 location  ~ /\.ht {
               deny  all;
           }
    }

Save and close the file when you are finished.

Step 5. Set Up Let’s Encrypt SSL Auto-Renewal.

We will add a cronjob to run the renewal command every week, run this command:

export VISUAL=nano; crontab -e

Paste the following lines:

01 1 * * 0 /usr/bin/certbot renew >> /var/log/ssl-renew.log 
06 1 * * 0 /usr/bin/systemctl nginx reload

Save and Exit from the crontab table.

This will create a new cron job that will be executed every Sunday at 01 AM, and then it will reload the Nginx webserver to apply the changes. The output will be logged into /var/log/ssl-renew.log file for further analysis if needed.

Congratulations! You have successfully installed Let’s Encrypt. Thanks for using this tutorial for installing Let’s Encrypt SSL on Ubuntu 16.04 LTS system. For additional help or useful information, we recommend you check the official Let’s Encrypt website.

VPS Manage Service Offer
If you don’t have time to do all of this stuff, or if this is not your area of expertise, we offer a service to do “VPS Manage Service Offer”, starting from $10 (Paypal payment). Please contact us to get the best deal!

Save

Save

Save

r00t

r00t is an experienced Linux enthusiast and technical writer with a passion for open-source software. With years of hands-on experience in various Linux distributions, r00t has developed a deep understanding of the Linux ecosystem and its powerful tools. He holds certifications in SCE and has contributed to several open-source projects. r00t is dedicated to sharing her knowledge and expertise through well-researched and informative articles, helping others navigate the world of Linux with confidence.
Back to top button