How to Secure Nginx with Let’s Encrypt SSL/TLS on Ubuntu 24.04
Learning how to secure Nginx with Let’s Encrypt SSL/TLS on Ubuntu 24.04 is one of the most important tasks for any server administrator. Without HTTPS, your website sends data in plain text. That means passwords, form submissions, and sensitive information are exposed. Let’s Encrypt solves this problem by offering free, trusted SSL/TLS certificates. It’s trusted by all major browsers. It renews automatically. And it takes less than 15 minutes to set up. In this tutorial, you’ll install Certbot, obtain a free SSL certificate, configure Nginx to use HTTPS, and set up automatic renewal. By the end, your site will be fully secured with a valid SSL certificate.
Prerequisites to Secure Nginx with Let’s Encrypt SSL/TLS on Ubuntu 24.04
Before you start, make sure you have the following in place.
Server requirements:
– A fresh Ubuntu 24.04 server (VPS or dedicated)
– Root or sudo access
– Nginx already installed and running
– A registered domain name pointing to your server’s IP address
Knowledge requirements:
– Basic Linux command-line experience
– Familiarity with Nginx configuration files
– Understanding of DNS records (A record pointing to your server)
Estimated time: 15–20 minutes
Important: Your domain’s DNS must be fully propagated before requesting a certificate. Let’s Encrypt verifies domain ownership by making an HTTP request to your server. If DNS hasn’t propagated yet, the certificate request will fail.
You can check DNS propagation using a tool like DNS Checker before proceeding. Also, make sure port 80 and port 443 are open in your firewall. Run sudo ufw allow 'Nginx Full' to open both ports at once.
Step-by-Step Guide to Secure Nginx with Let’s Encrypt SSL/TLS on Ubuntu 24.04
Follow these steps carefully. Each step builds on the previous one.
Step 1: Update your system packages
Always start with a system update. This ensures you install the latest versions of all packages.
sudo apt update && sudo apt upgrade -y
Step 2: Install Certbot and the Nginx plugin
Certbot is the official Let’s Encrypt client. The Nginx plugin handles certificate installation automatically.
sudo apt install certbot python3-certbot-nginx -y
Step 3: Verify your Nginx server block
Certbot needs to find your domain in an Nginx configuration file. Open your server block file and confirm the server_name directive is set correctly.
sudo nano /etc/nginx/sites-available/yourdomain.com
Your server block should look like this:
server {
    listen 80;
    server_name yourdomain.com www.yourdomain.com;
    root /var/www/yourdomain.com/html;
    index index.html index.htm;
    location / {
        try_files $uri $uri/ =404;
    }
}
Replace yourdomain.com with your actual domain. Save and exit with CTRL+X, then Y, then Enter.
Step 4: Test your Nginx configuration
Before requesting a certificate, verify your Nginx config has no syntax errors.
sudo nginx -t
You should see: syntax is ok and test is successful. If not, fix any errors before continuing.
Step 5: Obtain your SSL certificate
Now run Certbot with the Nginx plugin. Replace the domain names with your own.
sudo certbot --nginx -d yourdomain.com -d www.yourdomain.com
Certbot will ask for your email address. It will ask you to agree to the terms of service. It will also ask whether you want to share your email with the Electronic Frontier Foundation. After that, it automatically configures Nginx for HTTPS.
Step 6: Verify the updated Nginx configuration
Certbot modifies your server block automatically. Open the file to review the changes.
sudo cat /etc/nginx/sites-available/yourdomain.com
You’ll see new lines pointing to your certificate files. You’ll also see a redirect from HTTP to HTTPS. This is all handled automatically.
Step 7: Reload Nginx
Apply the new configuration by reloading Nginx.
sudo systemctl reload nginx
Visit your domain in a browser. You should see a padlock icon in the address bar. Your site is now running over HTTPS.
Step 8: Confirm automatic renewal
Let’s Encrypt certificates expire after 90 days. Certbot sets up a systemd timer to renew them automatically. Verify it’s active:
sudo systemctl status certbot.timer
You should see active (waiting) in the output. You can also do a dry run to test renewal manually:
sudo certbot renew --dry-run
If the dry run completes without errors, automatic renewal is working correctly. According to the official Certbot documentation, renewal runs twice daily by default and only renews certificates within 30 days of expiration.
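The checks in Step 6 and Step 7 are done by eye in the tutorial. The script below is an added example, not part of the original article or of Certbot, that turns them into something repeatable: it verifies that a server block carries the TLS listener, the certificate paths under /etc/letsencrypt/live and the HTTP-to-HTTPS redirect, and, when given a domain argument, probes the live host with curl and openssl. The sample server block it writes is constructed to mirror the "managed by Certbot" edits; example.com and the paths are placeholders.

```shell
#!/bin/sh
# Added example (not from the original tutorial): check that a Certbot-edited
# server block carries what Step 6 describes, then optionally probe the live
# host. The sample config is CONSTRUCTED to mirror Certbot's "managed by
# Certbot" edits; "example.com" and the paths are placeholders.

# Write a constructed post-Certbot server block to FILE ($1).
write_sample() {
cat > "$1" <<'EOF'
server {
    server_name example.com www.example.com;
    root /var/www/example.com/html;
    index index.html index.htm;
    location / {
        try_files $uri $uri/ =404;
    }

    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
server {
    if ($host = www.example.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    listen 80;
    server_name example.com www.example.com;
    return 404; # managed by Certbot
}
EOF
}

# Return 0 when FILE ($1) has a TLS listener and certificate paths under
# /etc/letsencrypt/live; print which setting is missing otherwise.
check_https_block() {
    f="$1"
    grep -Eq '^[[:space:]]*listen[[:space:]]+443[[:space:]]+ssl' "$f" \
        || { echo "missing: listen 443 ssl"; return 1; }
    grep -Eq '^[[:space:]]*ssl_certificate[[:space:]]+/etc/letsencrypt/live/' "$f" \
        || { echo "missing: ssl_certificate"; return 1; }
    grep -Eq '^[[:space:]]*ssl_certificate_key[[:space:]]+/etc/letsencrypt/live/' "$f" \
        || { echo "missing: ssl_certificate_key"; return 1; }
    echo "ok: HTTPS server block present"
}

# Return 0 when FILE ($1) still listens on port 80 and redirects it to HTTPS.
check_http_redirect() {
    f="$1"
    grep -Eq '^[[:space:]]*listen[[:space:]]+80;' "$f" \
        || { echo "missing: listen 80"; return 1; }
    grep -Eq '^[[:space:]]*return[[:space:]]+301[[:space:]]+https://' "$f" \
        || { echo "missing: return 301 https://"; return 1; }
    echo "ok: HTTP to HTTPS redirect present"
}

# Live checks (network required): does port 80 answer with a Location: https://
# header, and what validity window does the served certificate carry?
live_check() {
    d="$1"
    if curl -sI "http://$d/" | grep -iq '^location: https://'; then
        echo "ok: http://$d/ redirects to HTTPS"
    else
        echo "warn: http://$d/ did not redirect to HTTPS"
    fi
    echo | openssl s_client -servername "$d" -connect "$d:443" 2>/dev/null \
        | openssl x509 -noout -dates
}

# With a domain argument, probe the live host; otherwise validate the sample.
if [ -n "${1:-}" ]; then
    live_check "$1"
else
    tmp=$(mktemp)
    write_sample "$tmp"
    check_https_block "$tmp"
    check_http_redirect "$tmp"
    rm -f "$tmp"
fi
```

Run it with no arguments to see the checks pass on the constructed sample, or point check_https_block and check_http_redirect at /etc/nginx/sites-available/yourdomain.com after Certbot has edited it. Passing a domain runs the live probe, whose notAfter date should sit within 90 days, the lifetime noted in Step 8.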
Troubleshooting Common Issues When Securing Nginx with Let’s Encrypt
Even with careful setup, things can go wrong. Here are the most common problems and how to fix them.
Error: “Could not bind to IPv4 or IPv6”
This means port 80 is blocked or already in use. Check your firewall:
sudo ufw status
sudo ufw allow 80
sudo ufw allow 443
Also check if something else is using port 80:
sudo ss -tlnp | grep :80
Error: “DNS problem: NXDOMAIN looking up A for yourdomain.com”
Your domain’s DNS record isn’t pointing to your server yet. Wait for propagation and try again. Use dig yourdomain.com to check what IP your domain resolves to.
Error: “The client lacks sufficient authorization”
This usually means your domain resolves to a different IP. Double-check your A record in your DNS provider’s dashboard.
Certificate not showing in browser
After Certbot runs, always reload Nginx. A simple reload applies the new SSL configuration:
sudo systemctl reload nginx
Nginx test fails after Certbot runs
Run sudo nginx -t to find syntax errors. Certbot rarely introduces errors, but it can happen if your original config had issues.
Certbot renewal fails
Check the renewal configuration file:
sudo cat /etc/letsencrypt/renewal/yourdomain.com.conf
Make sure the authenticator is set to nginx. If not, re-run Certbot with the --nginx flag.
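Two of the failures above, the port-80 conflict behind "Could not bind to IPv4 or IPv6" and a renewal config whose authenticator is not nginx, are diagnosed by reading command output by hand. The script below is an added example, not part of the original article or of Certbot, that extracts the same facts automatically: it reads the authenticator out of a renewal config and lists which process names hold port 80 in `ss -tlnp` output. The renewal config and the `ss` output it works on are constructed samples; the account id is a placeholder, and "standalone" is used only as an example of a non-nginx authenticator value.

```shell
#!/bin/sh
# Added example (not from the original tutorial): pin down two of the failures
# above, a renewal config whose authenticator is not nginx, and a foreign process
# holding port 80, from the text you would inspect by hand. The renewal config
# and the `ss -tlnp` output are CONSTRUCTED samples; the account id is a placeholder.

# Write a constructed /etc/letsencrypt/renewal/<domain>.conf to FILE ($1)
# using authenticator AUTH ($2), e.g. "nginx" or "standalone".
write_renewal_sample() {
cat > "$1" <<EOF
archive_dir = /etc/letsencrypt/archive/example.com
cert = /etc/letsencrypt/live/example.com/cert.pem
privkey = /etc/letsencrypt/live/example.com/privkey.pem
chain = /etc/letsencrypt/live/example.com/chain.pem
fullchain = /etc/letsencrypt/live/example.com/fullchain.pem

# Options used in the renewal process
[renewalparams]
account = PLACEHOLDER_ACCOUNT_ID
authenticator = $2
installer = nginx
server = https://acme-v02.api.letsencrypt.org/directory
EOF
}

# Print the authenticator value from a renewal config (empty if absent).
renewal_authenticator() {
    sed -n 's/^[[:space:]]*authenticator[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*/\1/p' "$1" | head -n 1
}

# Return 0 when the renewal config ($1) renews through the nginx plugin.
renewal_uses_nginx() {
    [ "$(renewal_authenticator "$1")" = "nginx" ]
}

# Constructed `ss -tlnp` output showing another web server on port 80.
sample_ss_output() {
cat <<'EOF'
State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      511          0.0.0.0:80        0.0.0.0:*     users:(("apache2",pid=812,fd=4),("apache2",pid=811,fd=4))
LISTEN 0      4096         0.0.0.0:22        0.0.0.0:*     users:(("sshd",pid=601,fd=3))
LISTEN 0      511             [::]:80           [::]:*     users:(("apache2",pid=812,fd=5))
EOF
}

# Read `ss -tlnp` output on stdin; print the unique process names bound to :80.
# Column 4 is Local Address:Port, so ":80$" ignores :8080 and the like.
port80_listeners() {
    awk '$4 ~ /:80$/ {
        if (match($0, /users:[(][(]"[^"]+"/)) {
            print substr($0, RSTART + 9, RLENGTH - 10)
        }
    }' | sort -u
}

# Return 0 (a conflict) when some process other than nginx holds port 80.
port80_conflict() {
    port80_listeners | grep -qv '^nginx$'
}

# Demonstration on the constructed samples.
tmp=$(mktemp)
write_renewal_sample "$tmp" nginx
renewal_uses_nginx "$tmp" && echo "renewal: authenticator is nginx"
write_renewal_sample "$tmp" standalone
renewal_uses_nginx "$tmp" || echo "renewal: authenticator is $(renewal_authenticator "$tmp"); re-run certbot --nginx"
rm -f "$tmp"
if sample_ss_output | port80_conflict; then
    echo "port 80 held by: $(sample_ss_output | port80_listeners | tr '\n' ' ')"
fi
```

On a real host, feed the functions the live data instead of the samples: `renewal_uses_nginx /etc/letsencrypt/renewal/yourdomain.com.conf` and `sudo ss -tlnp | port80_conflict`. Filtering on the fourth column rather than a bare `grep :80` keeps listeners on 8080 or 8000 from being mistaken for a port-80 conflict.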
Conclusion
You now know how to secure Nginx with Let’s Encrypt SSL/TLS on Ubuntu 24.04. You installed Certbot, obtained a free certificate, configured Nginx for HTTPS, and verified automatic renewal. Your website now encrypts all traffic between the server and your visitors. This protects user data and improves your site’s trust and search engine ranking. SSL is no longer optional. Every website needs it.
Your next steps could include setting up HTTP/2 in Nginx for faster performance, or configuring security headers like Strict-Transport-Security. You might also want to explore Nginx’s SSL module documentation to fine-tune your SSL settings for maximum security.