Practical Guide to Configuring Nginx with Certbot on Ubuntu

This is a step-by-step guide to installing a Let's Encrypt SSL certificate with nginx on Ubuntu 20.04. I will describe several useful settings that make the configuration easy and smart. Some commands differ between Ubuntu versions, so I will give separate commands where needed.

Those blocks will be highlighted, so pay attention to them; almost everything else should be the same.

Prerequisites

  • Ubuntu 20.04 or Ubuntu 20.10
  • 1024 MB of RAM or more
  • GB Disk Space
  • vCPU or above CPU
  • Internet connection to download Terraform
  • root privileges

Step 1 — Install LetsEncrypt

Before installing new software, always update the package list so that you install current versions.

sudo apt update

Add the software repository on Ubuntu 20.10:

sudo apt install software-properties-common
sudo add-apt-repository ppa:certbot/certbot
sudo apt update

Now install Let's Encrypt on your server:

sudo apt install letsencrypt

This command will install the letsencrypt dummy package that includes certbot and other utilities for SSL installation.

Step 2 — Configure Nginx for Let's Encrypt SSL

In my configuration examples, I will use the domain name ssl.itsyndicate.org. Do not forget to change it to your own when you copy and paste. Now it's time for a small life hack that shows how to streamline adding new certificates to your server.

We will use the default nginx configuration to catch all requests that reach our server over an unsecured (non-SSL) connection on port 80.

server {
    # Catch-all vhost for plain HTTP on port 80
    listen  80 default_server;
    server_name _;

    # Serve ACME challenge files from the shared webroot
    location ~ /\.well-known/acme-challenge/ {
        allow all;
        root /var/www/letsencrypt;
        try_files $uri =404;
        break;
    }
}

As you can see, we use the /.well-known/acme-challenge/ location to catch all challenge requests and the /var/www/letsencrypt directory to host the ACME challenge files. After editing the default Nginx vhost config, create that directory:

sudo mkdir -p /var/www/letsencrypt

Before applying changes to your Nginx settings always check the configuration file:

sudo nginx -t

To apply the new Nginx vhost configuration, which is designed to catch all of your Let's Encrypt certificate challenges, do the following:

sudo service nginx reload

Step 3 — Request New Let's Encrypt SSL

Now it is time to request our first Let's Encrypt SSL certificate for our domain:

sudo letsencrypt certonly -a webroot --webroot-path=/var/www/letsencrypt -m [email protected] --agree-tos -d ssl.itsyndicate.org

Let me describe some important options in our command:

--webroot-path=/var/www/letsencrypt — the directory where the challenge files for validation requests will be stored. We configured Nginx to serve this directory.

-m [email protected] — with this option you set your e-mail address

--agree-tos — this option accepts the Terms of Service without prompting you to read them, which allows a fully automated Let's Encrypt SSL installation.

-d ssl.itsyndicate.org — this option is used to issue SSL for the desired domain

After the command runs, you should see a Congratulations message.

Step 4 — Configure NginX vhost

The new certificate is now installed in /etc/letsencrypt/live/ssl.itsyndicate.org/. It's time to configure our Nginx vhost to serve HTTPS requests for the desired domain. Here is my example:

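server {
    # Must match the name the certificate was issued for
    server_name ssl.itsyndicate.org;

    # "ssl" on the listen line enables TLS; the separate "ssl on;" directive is deprecated
    listen 443 ssl;

    ssl_certificate     /etc/letsencrypt/live/ssl.itsyndicate.org/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/ssl.itsyndicate.org/privkey.pem;

    root /var/www/html/;
    index index.php index.html index.htm;

    # Serve /.well-known from the Let's Encrypt webroot over HTTPS as well
    location ~ /.well-known {
        root /var/www/letsencrypt;
        allow all;
    }
}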

Let's test and reload our new Nginx configuration:

sudo nginx -t
sudo service nginx reload
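
A check to run on a vhost file before reloading, added here as an example and not part of the original post: it reports server blocks whose server_name does not list the certificate's directory name under /etc/letsencrypt/live/, or whose certificate and key come from different directories. The function name check_vhosts and the example.org hostnames are assumptions made for the example, and it expects one directive per line.

```shell
#!/bin/sh
# Added example: lint nginx server blocks that reference Let's Encrypt files.
# Assumes one directive per line and no braces inside regex locations.
check_vhosts() {   # hypothetical helper; prints one finding per line
  awk '
    function report(msg) { printf "server block at line %d: %s\n", start, msg }
    function lineage(path,   p) {   # .../letsencrypt/live/NAME/x.pem -> NAME
      p = path; sub(";$", "", p)
      if (p !~ "/letsencrypt/live/[^/]+/") return ""
      sub("^.*/letsencrypt/live/", "", p); sub("/.*$", "", p)
      return p
    }
    { sub("#.*", "") }              # strip comments before parsing
    $1 == "server" && $2 == "{" && !in_srv {
      in_srv = 1; base = depth; start = NR; names = " "; cert = ""; key = ""
    }
    in_srv && $1 == "server_name" {
      for (i = 2; i <= NF; i++) { n = $i; sub(";$", "", n); names = names n " " }
    }
    in_srv && $1 == "ssl_certificate"     { cert = lineage($2) }
    in_srv && $1 == "ssl_certificate_key" { key = lineage($2) }
    {
      depth += gsub("[{]", "{") - gsub("[}]", "}")
      if (in_srv && depth == base) {           # closing brace of the block
        if (cert != "" && key != "" && cert != key)
          report("certificate (" cert ") and key (" key ") are from different lineages")
        if (cert != "" && index(names, " " cert " ") == 0)
          report("server_name does not list " cert)
        in_srv = 0
      }
    }
  ' "$1"
}

# Constructed sample: certificate issued for one name, vhost answers for another.
sample=$(mktemp)
cat > "$sample" <<'EOF'
server {
    listen 443 ssl;
    server_name example.org;
    ssl_certificate     /etc/letsencrypt/live/www.example.org/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/www.example.org/privkey.pem;
}
EOF
check_vhosts "$sample"   # reports the server_name / certificate mismatch
rm -f "$sample"
```

A certificate that covers several names only needs its directory name to appear in server_name for this check to pass, so treat a finding as a prompt to compare the vhost with the names passed to -d.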

Step 5 — Configure Let's Encrypt SSL Auto-Renewal

Let's Encrypt issues certificates for 90 days. You can reinstall the certificate manually when you get the email that your SSL certificate expires soon, but I think there is a smarter way: automate it. We will use a daily cron job on our Ubuntu server to renew our SSL certificate. Because letsencrypt package versions differ, I will use different renewal commands.

Ubuntu Let's Encrypt renewal

I use the same file '/etc/cron.daily/letsencrypt' but with different content (the file must be executable for cron to run it):

#!/bin/bash

/usr/bin/letsencrypt renew --renew-hook "/etc/init.d/nginx reload"
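
To notice when the daily job silently stops renewing, the following added example (not from the original post) parses the output of the certbot "certificates" subcommand and lists certificates that are invalid or close to expiry. The function name stale_certs, the 25-day threshold and the sample output are constructed for the example.

```shell
#!/bin/sh
# Added example: flag certificates that the daily renewal job is not renewing.
# stale_certs MIN_DAYS reads `certbot certificates` output on stdin and prints
# "NAME STATUS" for every certificate that is invalid or has fewer than
# MIN_DAYS left. MIN_DAYS is an assumed alert threshold, not a certbot setting.
stale_certs() {
  awk -v min="$1" '
    $1 == "Certificate" && $2 == "Name:" { name = $3 }
    $1 == "Expiry" && $2 == "Date:" {
      status = $0
      sub("^[^(]*[(]", "", status); sub("[)].*$", "", status)   # text in (...)
      if (status ~ "^INVALID") { print name, "INVALID"; next }
      days = 0                                  # "N hour(s)" counts as 0 days
      if (status ~ "^VALID: [0-9]+ day") {
        days = status; sub("^VALID: ", "", days); sub(" .*$", "", days)
      }
      if (days + 0 < min + 0) print name, days "d"
    }
  '
}

# Constructed sample in the layout printed by `certbot certificates`.
sample='Found the following certs:
  Certificate Name: ssl.example.org
    Domains: ssl.example.org
    Expiry Date: 2030-03-01 10:00:00+00:00 (VALID: 12 days)
    Certificate Path: /etc/letsencrypt/live/ssl.example.org/fullchain.pem
  Certificate Name: ok.example.org
    Domains: ok.example.org
    Expiry Date: 2030-05-20 10:00:00+00:00 (VALID: 80 days)
  Certificate Name: old.example.org
    Domains: old.example.org
    Expiry Date: 2029-12-01 10:00:00+00:00 (INVALID: EXPIRED)'
printf '%s\n' "$sample" | stale_certs 25

# On the server (run as root): letsencrypt certificates | stale_certs 25
```

On the certbot versions packaged for Ubuntu 20.04, renew replaces a certificate once fewer than 30 days remain, so with a daily job any certificate below about 25 days means several consecutive renewal attempts have failed.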

Step 6 — Test SSL Configuration

When we are done with the configuration, it's time to take a cup of coffee and relax... or rather, to test our configuration. There are dozens of ways to test SSL, but I will use two. The first one is curl:

curl -vI https://ssl.itsyndicate.org

The second option is to open your site in Google Chrome and check the SSL certificate in the developer tools under the Security tab.

Conclusion

Now you know how to install Let's Encrypt SSL on Ubuntu 20.04 to secure your site. It is a very simple, useful and cheap solution to protect your site. If you have any suggestions, feel free to contact me or just leave a comment below.