How to Secure Nginx with Let’s Encrypt on Ubuntu?


Let’s Encrypt is a Certificate Authority (CA) that provides free TLS/SSL certificates, enabling encrypted HTTPS on web servers. The process of obtaining and installing a certificate is fully automated on both Apache and Nginx.

The following steps describe how to configure a Let’s Encrypt SSL certificate for Nginx.

We need to ensure the proper DNS records are set up for the server so that the automatic installation can obtain the certificate (Let’s Encrypt validates that you control the hostnames before issuing it). An A record with & pointed to our server’s public IP address.

Install the Certbot software on the server; it is the client that obtains the certificate from Let’s Encrypt.

First add the Certbot repository with the following command:

$ sudo add-apt-repository ppa:certbot/certbot

Install Certbot’s Nginx package:

$ sudo apt install python-certbot-nginx

The next step is to confirm that Nginx is properly configured, so that Certbot can find the right server block and install the certificate automatically. Open the server block file for your site:

$ sudo nano /etc/nginx/sites-available/


If the above entry exists, exit your editor and move on to the next step.

Verify the syntax of your configuration edits:

$ sudo nginx -t

If you see an error, reopen the server block file and check for typos or missing characters. Then reload Nginx to load the new configuration:

$ sudo systemctl reload nginx

Certbot can now find the correct server block and update it.

If you have ufw enabled on your server, follow the steps below to allow HTTPS requests from external networks. First check the current rules:

$ sudo ufw status

Status: active

To                         Action      From
--                         ------      ----
OpenSSH                    ALLOW       Anywhere
Nginx HTTP                 ALLOW       Anywhere
OpenSSH (v6)               ALLOW       Anywhere (v6)
Nginx HTTP (v6)            ALLOW       Anywhere (v6)

Run the commands below to allow Nginx HTTPS traffic through ufw. The ‘Nginx Full’ profile covers both port 80 and port 443, so the separate ‘Nginx HTTP’ rule becomes redundant and is removed:

$ sudo ufw allow 'Nginx Full'

$ sudo ufw delete allow 'Nginx HTTP'

The Nginx plugin will take care of reconfiguring Nginx and reloading the configuration whenever necessary. To use this plugin, type the following:

$ sudo certbot --nginx -d -d


Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.

1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for new sites, or if you're confident your site works on HTTPS. You can undo this change by editing your web server's configuration.

Select the appropriate number [1-2] then [enter] (press 'c' to cancel):

Enter your choice and press Enter. Certbot then obtains the certificate and prints a summary like the following:



- Congratulations! Your certificate and chain have been saved at:
  /etc/letsencrypt/live/
  Your key file has been saved at:

  Your cert will expire on 2018-07-23. To obtain a new or tweaked
  version of this certificate in the future, simply run certbot again
  with the "certonly" option. To non-interactively renew *all* of
  your certificates, run "certbot renew"
- Your account credentials have been saved in your Certbot
  configuration directory at /etc/letsencrypt. You should make a
  secure backup of this folder now. This configuration directory will
  also contain certificates and private keys obtained by Certbot so
  making regular backups of this folder is ideal.
- If you like Certbot, please consider supporting our work by:
  Donating to ISRG / Let's Encrypt:
  Donating to EFF:

Let’s Encrypt certificates are valid for 90 days. The Certbot package we installed takes care of renewal for us by adding a renew script to /etc/cron.d. This script runs twice a day and automatically renews any certificate that is within thirty days of expiration.

You can do a dry run with Certbot to test the renewal process:

$ sudo certbot renew --dry-run

If you see no errors, you’re all set.
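The steps above, put together as one non-interactive script. This is an added example and not code from the original article: the DOMAIN and EMAIL values are placeholders, the site file name /etc/nginx/sites-available/$DOMAIN is an assumption, and the two sample inputs (a server block and a `ufw status` listing) are constructed here so the two checks the article does by eye can be exercised without touching a real server. The real run only happens when RUN_SETUP=1.

```shell
#!/bin/sh
# Added example: non-interactive version of the Let's Encrypt + Nginx
# procedure. DOMAIN and EMAIL are assumed placeholders; replace them.
set -eu
DOMAIN="${DOMAIN:-example.com}"
EMAIL="${EMAIL:-admin@example.com}"

# certbot --nginx picks the server block by its server_name directive.
# Reads an nginx config on stdin; succeeds if $1 is listed in an
# uncommented server_name directive (commented lines are skipped).
server_name_lists() {
    grep -E '^[[:space:]]*server_name[[:space:]]' \
        | tr -s ' \t;' '\n' \
        | grep -qxF -- "$1"
}

# Reads `ufw status` output on stdin; succeeds if the IPv4 rule for the
# profile named in $1 is present with action ALLOW (the "(v6)" twin is
# ignored, it always accompanies the IPv4 rule).
ufw_allows() {
    grep -Eq "^$1[[:space:]]+ALLOW[[:space:]]"
}

# Constructed sample standing in for /etc/nginx/sites-available/<site>.
SAMPLE_NGINX_CONF='server {
    listen 80;
    # server_name old.example.com;
    server_name example.com www.example.com;
    root /var/www/html;
}'

# Constructed sample standing in for `sudo ufw status` before the change.
SAMPLE_UFW_STATUS='Status: active

To                         Action      From
--                         ------      ----
OpenSSH                    ALLOW       Anywhere
Nginx HTTP                 ALLOW       Anywhere
OpenSSH (v6)               ALLOW       Anywhere (v6)
Nginx HTTP (v6)            ALLOW       Anywhere (v6)'

# The actual procedure; only run when RUN_SETUP=1.
setup_letsencrypt() {
    site="/etc/nginx/sites-available/$DOMAIN"   # assumed file name
    sudo add-apt-repository -y ppa:certbot/certbot
    sudo apt install -y python-certbot-nginx
    # 1. every hostname we request must appear in the server block
    for host in "$DOMAIN" "www.$DOMAIN"; do
        server_name_lists "$host" < "$site" || {
            echo "server_name for $host missing in $site" >&2; return 1; }
    done
    sudo nginx -t && sudo systemctl reload nginx
    # 2. open 443 and drop the now-redundant HTTP-only profile
    if ! sudo ufw status | ufw_allows 'Nginx Full'; then
        sudo ufw allow 'Nginx Full'
        sudo ufw delete allow 'Nginx HTTP'
    fi
    # 3. obtain the certificate and install the HTTPS redirect (option 2)
    sudo certbot --nginx --non-interactive --agree-tos -m "$EMAIL" \
        --redirect -d "$DOMAIN" -d "www.$DOMAIN"
    # 4. confirm the twice-daily cron renewal would succeed
    sudo certbot renew --dry-run
}

if [ "${RUN_SETUP:-0}" = "1" ]; then
    setup_letsencrypt
else
    # Dry demonstration of the two checks on the constructed samples.
    printf '%s\n' "$SAMPLE_NGINX_CONF" | server_name_lists "$DOMAIN" \
        && echo "server_name lists $DOMAIN"
    printf '%s\n' "$SAMPLE_UFW_STATUS" | ufw_allows 'Nginx Full' \
        || echo "'Nginx Full' not allowed yet: ufw allow 'Nginx Full' needed"
fi
```

Run it once with `RUN_SETUP=1 DOMAIN=yourdomain EMAIL=you@yourdomain sh setup.sh`; without RUN_SETUP it only exercises the checks on the sample data. The server_name check matters because a hostname that is in DNS but not in the server block makes Certbot fall back to prompting or to editing the wrong block.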

At Velan, our server support engineers can help you secure Nginx with a Let’s Encrypt SSL certificate. We troubleshoot problems like these for our clients every day. If you are interested in our service, please fill in the Quick Connect form to get in touch with us.

