In this post, I am going to explain how to obtain a free SSL certificate and install it on the Nginx server. Recently I wrote a similar post about installing SSL on the Apache2 HTTP server. You can find it here. Some steps are identical in both cases but I will repeat everything in order to create a complete tutorial here as well.
Free certificates are usually sufficient for private blogs or for communication within an internal network, e.g. in a microservices architecture. In other cases, I highly recommend buying a commercial certificate.
Virtual host configuration
Once you have installed Nginx on your machine, create a new configuration file in the /etc/nginx/sites-available directory and paste in the following configuration. Remember to change the root and server_name values to match your project directory and domain name. You do not need to configure a host for HTTPS. Certbot will do it for you.

server {
    listen 80;
    listen [::]:80;

    root /var/www/your_project;
    index index.html index.htm;

    server_name your-domain.com;

    location / {
        try_files $uri $uri/ =404;
    }
}
Don’t forget to enable your new configuration and restart Nginx.
sudo ln -s /etc/nginx/sites-available/your_project.com /etc/nginx/sites-enabled/
sudo systemctl restart nginx
Obtaining a certificate
The next step is to install Certbot together with its Nginx plugin. It will make the entire process much easier.

sudo add-apt-repository -y ppa:certbot/certbot
sudo apt-get update
sudo apt-get install -y python-certbot-nginx
Update for Ubuntu 20.04
If you are using Ubuntu 20.04, you don’t have to add an external repository. You also have to use Certbot plugins that are compatible with Python 3. To install Certbot and the Nginx plugin, execute the commands below instead of the ones above.

sudo apt-get update
sudo apt-get -y upgrade
sudo apt install -y certbot python3-certbot-nginx
Now we are ready to generate our certificate. To start the process, just type the following command with your domain name.
sudo certbot --nginx -d your-domain.com
You will be asked to enter your e-mail address and accept the Terms of Service.
In the last step, you will be asked if you want to redirect all the traffic from HTTP to HTTPS. If you don’t know what to do, just type ‘2’. If you needed to keep a different version of your website over HTTP and HTTPS, you would probably know that.
That’s all. Certbot automatically added certificates to your virtual host configuration. Now you should be able to reach your website over HTTPS.
Extending certificates for subdomains
When you want to add a certificate for a subdomain, you can simply extend an existing one. Just type the following command.
sudo certbot --nginx -d your-domain.com -d subdomain.your-domain.com
Automatic renewal
Certificates issued by Let’s Encrypt are valid for a much shorter period than commercial ones, usually 90 days. The most convenient way to keep your cert valid is to set up a Cron job that will periodically refresh it. Make sure to add this to root’s crontab (or that of another user with sufficient permissions).
0 2 */15 * * certbot renew --renew-hook "systemctl restart nginx"
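A renewal job that fails silently is usually noticed only when the certificate expires, so it is worth checking the remaining validity separately from the Cron entry above. The script below is an added example, not part of the original tutorial; it assumes GNU date and openssl are installed, and the 14-day threshold and the function names are assumptions.

```shell
#!/bin/sh
# Added example: report when a certificate is close to expiry, which
# indicates that the scheduled "certbot renew" has not been succeeding.
# Assumptions: GNU date (for -d), openssl on PATH, threshold of 14 days.

WARN_DAYS=14

# seconds_left "<notAfter date>" <now_epoch> -> seconds until expiry (negative if past)
seconds_left() {
    expiry=$(date -u -d "$1" +%s) || return 2
    echo $(( expiry - $2 ))
}

# classify <seconds_left> -> OK | WARN | EXPIRED
classify() {
    if [ "$1" -le 0 ]; then
        echo EXPIRED
    elif [ "$1" -lt $(( WARN_DAYS * 86400 )) ]; then
        echo WARN
    else
        echo OK
    fi
}

# cert_not_after <pem file> -> the notAfter date printed by openssl
cert_not_after() {
    openssl x509 -in "$1" -noout -enddate 2>/dev/null | cut -d= -f2
}

# check_cert <pem file> -> prints one status line; exit status 0 only when OK
check_cert() {
    not_after=$(cert_not_after "$1")
    [ -n "$not_after" ] || { echo "cannot read certificate: $1" >&2; return 2; }
    left=$(seconds_left "$not_after" "$(date -u +%s)") || return 2
    state=$(classify "$left")
    echo "$state $1 expires $not_after ($(( left / 86400 )) days left)"
    [ "$state" = OK ]
}

# Run the check only when a certificate path is given on the command line.
if [ "$#" -gt 0 ]; then
    check_cert "$1"
fi
```

Pass it the certificate Certbot installed, by default /etc/letsencrypt/live/your-domain.com/fullchain.pem; a non-zero exit status means the certificate needs attention.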
Summary
This tutorial is intended for Nginx on Ubuntu; however, all steps are very similar for all Linux distributions. If you are looking for the tutorial based on the Apache2 server you can find it here.