How to Configure Nginx with Let’s Encrypt SSL/TLS Certificates on Ubuntu
Learning how to configure Nginx with Let’s Encrypt SSL/TLS certificates on Ubuntu is essential for securing your web applications and protecting user data. This comprehensive tutorial will walk you through the complete process of setting up free SSL certificates using Certbot and configuring Nginx to serve your websites over HTTPS. You’ll learn how to install the necessary tools, obtain certificates, configure server blocks, and automate certificate renewal.
SSL/TLS certificates encrypt data transmitted between your server and visitors’ browsers. This encryption prevents man-in-the-middle attacks and builds trust with your users. Let’s Encrypt provides free, automated certificates that are trusted by all major browsers. When combined with Nginx’s high performance and reliability, you get a powerful and secure web server setup.
By the end of this guide, you’ll have a fully functional Nginx server with automatic SSL certificate management. Your websites will display the green padlock icon in browsers, indicating secure HTTPS connections. This setup also improves your SEO rankings, as search engines favor secure websites.
Prerequisites and Requirements for Configuring Nginx with Let’s Encrypt SSL/TLS Certificates on Ubuntu
Before you begin this tutorial on how to configure Nginx with Let’s Encrypt SSL/TLS certificates on Ubuntu, ensure you have the following prerequisites in place:
You need a fresh Ubuntu server (18.04, 20.04, or 22.04) with root access or sudo privileges. A domain name that points to your server’s IP address is required, as Let’s Encrypt validates domain ownership before issuing certificates. You can use A records in your DNS settings to point your domain to the server.
Basic command-line knowledge is assumed, including familiarity with text editors like nano or vim. You should understand how to navigate directories and edit configuration files. Previous experience with web servers is helpful but not mandatory.
Ensure your server has at least 1GB of RAM and sufficient disk space for Nginx and certificate storage. Ports 80 and 443 must be open in your firewall settings, as Let’s Encrypt uses the HTTP-01 challenge for domain validation.
The estimated completion time for this tutorial is 30-45 minutes, depending on your familiarity with Linux systems and the number of domains you’re securing.
Step-by-Step Guide to Configure Nginx with Let’s Encrypt SSL/TLS Certificates on Ubuntu
Step 1: Update System Packages
Start by updating your Ubuntu system to ensure all packages are current. This prevents compatibility issues during installation.
sudo apt update
sudo apt upgrade -y
The update command refreshes the package list, while upgrade installs any available updates. The -y flag automatically confirms installation prompts.
Step 2: Install Nginx Web Server
Install Nginx using the default Ubuntu repository. Nginx will serve as your web server and handle SSL termination.
sudo apt install nginx -y
sudo systemctl start nginx
sudo systemctl enable nginx
These commands install Nginx, start the service, and enable it to start automatically on boot. Verify the installation by checking the service status:
sudo systemctl status nginx
Step 3: Configure Firewall Settings
Configure the UFW firewall to allow HTTP and HTTPS traffic. This ensures visitors can access your website.
sudo ufw allow 'Nginx Full'
sudo ufw enable
The ‘Nginx Full’ profile opens both ports 80 and 443. Enable UFW if it’s not already active.
Step 4: Install Certbot and Nginx Plugin
Install Certbot, the official Let’s Encrypt client, along with the Nginx plugin for automatic configuration.
sudo apt install certbot python3-certbot-nginx -y
The python3-certbot-nginx package provides integration between Certbot and Nginx, allowing automatic configuration of SSL settings.
Step 5: Create Nginx Server Block
Create a server block configuration for your domain. Replace ‘example.com’ with your actual domain name.
sudo nano /etc/nginx/sites-available/example.com
Add the following configuration:
server {
    listen 80;
    server_name example.com www.example.com;
    root /var/www/example.com;
    index index.html index.htm;

    location / {
        try_files $uri $uri/ =404;
    }
}
This basic configuration serves content from /var/www/example.com directory and handles both www and non-www versions of your domain.
Step 6: Create Web Root Directory
Create the document root directory and add a simple HTML file for testing.
sudo mkdir -p /var/www/example.com
sudo chown -R $USER:$USER /var/www/example.com
echo "Hello from $(hostname)!" | sudo tee /var/www/example.com/index.html
These commands create the directory, set proper ownership, and add a test page.
Step 7: Enable the Server Block
Create a symbolic link to enable the server block and test the Nginx configuration.
sudo ln -s /etc/nginx/sites-available/example.com /etc/nginx/sites-enabled/
sudo nginx -t
sudo systemctl reload nginx
The nginx -t command tests the configuration syntax. Only reload if the test passes successfully.
Step 8: Obtain SSL Certificate
Use Certbot to obtain and install the SSL certificate. The --nginx flag tells Certbot to configure Nginx automatically.
sudo certbot --nginx -d example.com -d www.example.com
Certbot will prompt for an email address and ask you to agree to terms of service. It automatically modifies your Nginx configuration to include SSL settings and redirects.
Step 9: Verify SSL Configuration
Check that your certificate was installed correctly by examining the updated Nginx configuration:
sudo cat /etc/nginx/sites-available/example.com
You should see additional server blocks for port 443 with SSL certificate paths and security headers.
Troubleshooting Common SSL Certificate Configuration Issues
When learning how to configure Nginx with Let’s Encrypt SSL/TLS certificates on Ubuntu, you might encounter several common issues. Here are solutions to the most frequent problems:
Domain Validation Failures: If Certbot can’t validate your domain, ensure your DNS A record points to the correct IP address. Use dig example.com to verify DNS propagation. The domain must be accessible via HTTP on port 80 before requesting certificates.
Nginx Configuration Errors: Always test your configuration with sudo nginx -t before reloading. Common syntax errors include missing semicolons, incorrect server block structure, or invalid SSL directives. Check the error logs with sudo tail -f /var/log/nginx/error.log for detailed error messages.
Firewall Blocking Connections: Ensure UFW allows traffic on ports 80 and 443. Check your cloud provider’s security groups if using AWS, Google Cloud, or similar services. Test connectivity with telnet your-domain.com 80 from an external machine.
Certificate Renewal Issues: Let’s Encrypt certificates are valid for 90 days, so renewal must work reliably. Test automatic renewal with sudo certbot renew --dry-run. If renewal fails, check that your web server is running and that the domain is still reachable over HTTP on port 80.
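Because a silently failed renewal only becomes visible when the certificate expires, it helps to monitor expiry independently of Certbot. The script below is an added example (not part of the original tutorial or of Certbot) that reads every certificate under Certbot’s default /etc/letsencrypt/live layout and exits non-zero when one has fewer than WARN_DAYS left; the LIVE_DIR and WARN_DAYS variables are this example’s own.

```bash
#!/usr/bin/env bash
# Added example: report days until each Let's Encrypt certificate expires
# and flag any that are closer to expiry than expected.
set -euo pipefail

LIVE_DIR="${LIVE_DIR:-/etc/letsencrypt/live}"   # Certbot's default layout
WARN_DAYS="${WARN_DAYS:-30}"                     # Certbot renews with <30 days left

# Print the number of whole days until the PEM certificate in $1 expires.
days_until_expiry() {
  local end_date end_epoch now_epoch
  end_date=$(openssl x509 -enddate -noout -in "$1" | cut -d= -f2)
  end_epoch=$(date -d "$end_date" +%s)
  now_epoch=$(date +%s)
  echo $(( (end_epoch - now_epoch) / 86400 ))
}

# Walk every <domain>/fullchain.pem under LIVE_DIR.
# Returns 0 if all certificates have at least WARN_DAYS left, 1 otherwise.
check_all_certs() {
  local status=0 days cert
  for cert in "$LIVE_DIR"/*/fullchain.pem; do
    [ -f "$cert" ] || continue          # no certificates yet: nothing to check
    days=$(days_until_expiry "$cert")
    if [ "$days" -lt "$WARN_DAYS" ]; then
      echo "WARN $cert expires in $days days (renewal may be failing)"
      status=1
    else
      echo "OK   $cert expires in $days days"
    fi
  done
  return "$status"
}

# Non-zero exit makes this usable from cron or a monitoring check.
check_all_certs
```

Run it daily from cron and alert on a non-zero exit; a certificate still inside the warning window means Certbot’s timer is not renewing it and the steps in this section apply.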
Mixed Content Warnings: After enabling HTTPS, ensure all resources (images, CSS, JavaScript) use HTTPS URLs or relative paths. Browsers block mixed HTTP/HTTPS content for security reasons.
For additional debugging, consult the official Nginx documentation and Certbot documentation for advanced configuration options.
Conclusion and Next Steps
You’ve successfully learned how to configure Nginx with Let’s Encrypt SSL/TLS certificates on Ubuntu. Your web server now serves content over secure HTTPS connections with automatically managed certificates. The setup includes proper SSL configuration, security headers, and HTTP to HTTPS redirects.
Your certificates will automatically renew before expiration, ensuring continuous security without manual intervention. The Nginx configuration optimizes performance while maintaining strong security standards. Visitors to your website will see the trusted padlock icon, indicating a secure connection.
Consider implementing additional security measures like HTTP Strict Transport Security (HSTS) headers and Content Security Policy (CSP) for enhanced protection. You might also explore Nginx rate limiting and fail2ban integration to prevent abuse.
For multiple domains or subdomains, repeat the certificate generation process with different domain names. Advanced users can explore wildcard certificates for covering all subdomains of a domain. Regular monitoring of certificate expiration dates and server logs ensures ongoing security and performance.
