How to Secure Nginx with Let’s Encrypt SSL/TLS Certificates on Ubuntu
Learning how to secure Nginx with Let’s Encrypt SSL/TLS certificates on Ubuntu is essential for protecting your website visitors and improving your site’s SEO rankings. SSL/TLS certificates encrypt data transmission between your server and users’ browsers, preventing malicious actors from intercepting sensitive information.
Let’s Encrypt provides free SSL/TLS certificates that automatically renew, making website security accessible to everyone. This tutorial covers the complete process of installing Certbot, obtaining certificates, configuring Nginx, and setting up automatic renewal. You’ll also learn how to troubleshoot common issues and verify your SSL configuration.
By the end of this guide, your Nginx server will have a valid SSL certificate with an A+ security rating. This setup protects user data, builds trust with visitors, and meets modern web security standards that search engines favor in their rankings.
Prerequisites and Requirements for Securing Nginx with Let’s Encrypt SSL/TLS Certificates
Before you begin this tutorial on how to secure Nginx with Let’s Encrypt SSL/TLS certificates on Ubuntu, ensure you meet these requirements. You need an Ubuntu 20.04 or 22.04 server with sudo privileges and a registered domain name pointing to your server’s IP address.
Your server should have Nginx already installed and running. If you haven’t installed Nginx yet, run these commands:
sudo apt update
sudo apt install nginx -y
sudo systemctl start nginx
sudo systemctl enable nginx
You’ll also need ports 80 and 443 open in your firewall. Configure UFW with these commands:
sudo ufw allow 'Nginx Full'
sudo ufw reload
Verify your domain resolves correctly by visiting your site in a browser. You should see the default Nginx welcome page. This tutorial assumes basic Linux command-line knowledge and takes approximately 15-20 minutes to complete.
The domain must be publicly accessible since Let’s Encrypt validates domain ownership through HTTP challenges. Private networks or local development environments won’t work with this process.
Step-by-Step Guide to Install Certbot and Obtain SSL Certificates
Step 1: Install Certbot and the Nginx plugin on your Ubuntu server. Certbot is Let’s Encrypt’s official client that automates certificate management.
sudo apt update
sudo apt install certbot python3-certbot-nginx -y
Step 2: Create a basic Nginx server block for your domain if you haven’t already. Replace ‘yourdomain.com’ with your actual domain name:
sudo nano /etc/nginx/sites-available/yourdomain.com
Add this configuration:
server {
    listen 80;
    server_name yourdomain.com www.yourdomain.com;
    root /var/www/yourdomain.com;
    index index.html index.htm;

    location / {
        try_files $uri $uri/ =404;
    }
}
Step 3: Enable the site and create the web root directory:
sudo ln -s /etc/nginx/sites-available/yourdomain.com /etc/nginx/sites-enabled/
sudo mkdir -p /var/www/yourdomain.com
sudo chown -R www-data:www-data /var/www/yourdomain.com
Step 4: Test your Nginx configuration and reload it:
sudo nginx -t
sudo systemctl reload nginx
Step 5: Run Certbot to obtain your SSL certificate. This command will automatically modify your Nginx configuration:
sudo certbot --nginx -d yourdomain.com -d www.yourdomain.com
Certbot will prompt you for an email address and ask you to agree to the terms of service. When asked whether to redirect HTTP traffic to HTTPS, choose option 2 (recent Certbot releases enable this redirect by default and skip the prompt).
Step 6: Verify your certificate installation by checking the modified Nginx configuration:
sudo cat /etc/nginx/sites-available/yourdomain.com
You should see new SSL-related directives that Certbot added automatically. The Let’s Encrypt documentation provides additional details about certificate management.
Configure Nginx Security Headers and SSL Settings
Step 7: Enhance your SSL configuration by adding security headers. Open your Nginx server block:
sudo nano /etc/nginx/sites-available/yourdomain.com
Add these security headers inside the SSL server block:
# Security headers
# Note: add_header directives are only inherited by a location block that
# defines none of its own; repeat them there if a location adds its own header.
# includeSubDomains makes browsers require HTTPS on every subdomain of this
# host, so only use it once all subdomains serve HTTPS.
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
add_header X-Frame-Options DENY always;
add_header X-Content-Type-Options nosniff always;
add_header Referrer-Policy strict-origin-when-cross-origin always;
add_header Permissions-Policy "geolocation=(), microphone=(), camera=()" always;
Step 8: Configure stronger SSL settings by creating a dedicated SSL configuration file:
sudo nano /etc/nginx/snippets/ssl-params.conf
Add these SSL parameters:
# SSL Configuration
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers on;
# Forward-secret AEAD suites for TLS 1.2 (TLS 1.3 suites are not governed
# by ssl_ciphers). ECDSA and RSA variants are listed so the list works with
# either certificate key type Certbot may issue.
ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES256-GCM-SHA384;
ssl_ecdh_curve secp384r1;
# Server-side session cache instead of session tickets, so resumption keys
# are not reused indefinitely across worker restarts.
ssl_session_timeout 10m;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off;
Step 9: Include the SSL parameters in your server block by adding this line inside the SSL server block (the one with listen 443 ssl). Certbot’s own include /etc/letsencrypt/options-ssl-nginx.conf; line sets the same directives, and nginx rejects a second ssl_ciphers or ssl_prefer_server_ciphers in the same block as a duplicate directive, so replace that line with this one rather than keeping both:
include /etc/nginx/snippets/ssl-params.conf;
Step 10: Test and reload your Nginx configuration:
sudo nginx -t
sudo systemctl reload nginx
Visit your website using HTTPS to verify everything works correctly. Your browser should show a secure connection indicator.
Troubleshooting Common SSL Certificate Issues
When implementing how to secure Nginx with Let’s Encrypt SSL/TLS certificates on Ubuntu, you might encounter several common issues. Here are the most frequent problems and their solutions.
Certificate validation failures often occur when your domain doesn’t resolve correctly. Verify your DNS settings and ensure your domain points to your server’s IP address. Use dig yourdomain.com to check DNS resolution.
Port 80 blocked errors happen when firewalls block HTTP traffic. Let’s Encrypt requires port 80 access for domain validation. Check your firewall settings and hosting provider’s security groups.
Nginx configuration errors can prevent certificate installation. Always run sudo nginx -t before requesting certificates. Fix any syntax errors in your server blocks first.
Rate limiting issues occur if you request certificates too frequently. Let’s Encrypt has rate limits of 50 certificates per registered domain per week. Wait before retrying if you hit these limits.
Mixed content warnings appear when your site loads HTTP resources over HTTPS. Update all internal links, images, and scripts to use HTTPS or relative URLs.
If automatic renewal fails, check the Certbot logs with sudo cat /var/log/letsencrypt/letsencrypt.log. Common renewal issues include changed server configurations or expired domains.
Test your SSL configuration using the SSL Labs SSL Test to identify security weaknesses and get an overall grade.
For certificate renewal testing, use sudo certbot renew --dry-run to simulate the renewal process without affecting your live certificates.
The official Nginx HTTPS documentation provides comprehensive information about SSL configuration options and best practices.
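The checks above (HTTPS redirect, security headers, certificate expiry, and refusing old TLS versions) can be run from one script. This is an added example, not part of the tutorial; it assumes curl and openssl are installed and, for the expiry calculation, GNU date as shipped on Ubuntu. The header sample inside it is constructed for the offline demo.

```bash
#!/usr/bin/env bash
# Added post-setup checker, not part of the tutorial; assumes curl and openssl
# are installed. Pass the domain as $1 to run the live checks.
# Response headers the tutorial adds in Step 7 (compared case-insensitively).
REQUIRED_HEADERS="strict-transport-security x-frame-options x-content-type-options referrer-policy permissions-policy"
# Constructed sample of raw response headers for the offline demo; it
# deliberately lacks Referrer-Policy and Permissions-Policy.
SAMPLE_HEADERS=$(printf 'HTTP/2 200\r\nserver: nginx\r\nstrict-transport-security: max-age=31536000; includeSubDomains\r\nx-frame-options: DENY\r\nx-content-type-options: nosniff\r\n')

# missing_headers: reads raw headers on stdin, prints the required header
# names that are absent, space-separated (empty output means all present).
missing_headers() {
  local got missing=""
  got=$(tr -d '\r' | cut -d: -f1 | tr 'A-Z' 'a-z')
  for h in $REQUIRED_HEADERS; do
    echo "$got" | grep -qx "$h" || missing="$missing $h"
  done
  echo "${missing# }"
}

# days_left NOTAFTER [NOW_EPOCH]: takes the "notAfter=..." line printed by
# `openssl x509 -enddate` and prints whole days until expiry (needs GNU date).
# Certbot renews at 30 days left, so fewer than that means renewal is failing.
days_left() {
  local end_ts now_ts
  end_ts=$(date -u -d "${1#notAfter=}" +%s) || return 1
  now_ts=${2:-$(date -u +%s)}
  echo $(( (end_ts - now_ts) / 86400 ))
}

# check_site DOMAIN: live checks of redirect, headers, expiry and TLS floor.
check_site() {
  local d=$1 end
  curl -sI "http://$d/" | grep -qi '^location: https://' \
    && echo "OK: HTTP redirects to HTTPS" || echo "WARN: no HTTPS redirect"
  echo "Missing security headers: $(curl -sI "https://$d/" | missing_headers)"
  end=$(echo | openssl s_client -servername "$d" -connect "$d:443" 2>/dev/null \
        | openssl x509 -noout -enddate)
  echo "Days until certificate expiry: $(days_left "$end")"
  # A completed TLS 1.1 handshake means ssl_protocols from Step 8 is not in
  # effect (a client OpenSSL that itself refuses TLS 1.1 cannot show this).
  if echo | openssl s_client -tls1_1 -connect "$d:443" >/dev/null 2>&1; then
    echo "WARN: server still accepts TLS 1.1"
  else
    echo "OK: TLS 1.1 refused"
  fi
}
if [ -n "${1:-}" ]; then check_site "$1"; else
  echo "Offline demo, missing from sample: $(printf '%s' "$SAMPLE_HEADERS" | missing_headers)"
fi
```

Run it as bash check-ssl.sh yourdomain.com after Step 10; without an argument it only exercises the header check on the built-in sample.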
Conclusion
You’ve successfully learned how to secure Nginx with Let’s Encrypt SSL/TLS certificates on Ubuntu. Your website now has free, automatically-renewing SSL certificates that encrypt visitor data and improve search engine rankings.
The configuration includes security headers, strong SSL parameters, and automatic HTTP-to-HTTPS redirection. Your certificates are valid for 90 days, and Certbot’s systemd timer renews them automatically before they expire.
Monitor your certificates regularly and keep your server updated. Consider implementing additional security measures like Content Security Policy headers and regular security audits. This SSL setup provides a solid foundation for secure web hosting on Ubuntu servers.
