← Other topics

HTTPS / SSL via “Let’s Encrypt” on a Nginx Web Server

Video Notes

In this guide we’ll learn how to configure HTTPS on a Nginx web server using a free certificate obtained from LetsEncrypt.org.

Certificate Authority - Let’s Encrypt

To enable HTTPS, we need a certificate from a Certificate Authority (CA).

These can be purchased and range in cost from about $5 upwards of $100+ (example price/tier options from Namecheap...).

Alternatively, we can get a free certificate from Let’s Encrypt which is a non-profit Certificate Authority. (Why/how Let’s Encrypt is free...)

Using Let’s Encrypt will allow us achieve the goal of encrypting our data transfer, however, it does not offer the same level of domain/server validation that a paid-for certificate will. You should consider a paid-for certificate in any situation where you’re collecting/processing sensitive data (personal information, monetary transactions, etc.) and/or you want to communicate to your users that your site is secure and trustworthy.

Certbot

Let’s Encrypt certificates can be set up using the command line tool Certbot.

Certbot can be used on both Nginx and Apache web servers and it’s supported on various Linux distributions such us Ubuntu, Debian or CentOS. In this example, we’ll work on an Ubuntu server running Nginx.

To determine if Certbot is installed on your server, run the following command:

> certbot --version

If this returns an error message about the command not being found, you’ll need to install Cerbot. The Certbot web site has good instructions for installation on a variety of server types.

Initiate a new certificate

Once you’ve determined Certbot is installed and you know what site(s) you want to set up HTTPS for, run the following command to start the process:

> sudo certbot

The first time you run Certbot it will ask you for an email, to agree to their terms of services, and specify whether or not you will receive newsletter emails from them.

Next it will ask you what site(s) you want to activate HTTPS for, pulling from the existing sites you’ve configured on your server. You can choose an individual site or leave it blank and hit enter so HTTPS will be set up for all the sites on your server.

In my example, I’ll choose option 1 to set up HTTPS for the domain demo.codewithsusan.com:

After hitting enter, it will proceed to set up your certificate and then prompt you to choose whether regular http traffic should be left alone or redirected to https; I suggest going with redirect and choosing option 2:

After the above question, you’ll see the final confirmation details:

Once the above is complete, you should now be able to access your sites via https.

How it works

If you open the site configuration file for the domain you just enabled HTTPS for, you should see new details were added for https. For example, if I open /etc/nginx/sites-available/demo.codewithsusan.com I see the following:

Renewing certificates

Let’s Encrypt certificates expire after 90 days. As part of the above setup process, though, configurations were put in place to automatically renew your certificates for you.

This happens via the cron job found at /etc/cron.d/certbot.

Long story short, there’s no action you need to take to maintain a Let’s Encrypt certificate once its been installed.

Removing certificates

You can revoke an existing certificate following this command pattern:

> sudo certbot delete --cert-name yourdomain.com

Once that is complete, you should update your site’s config:

  • Set it to listen on port 80 (http) instead of 443 (https)
  • Remove any line commented as # managed by Certbot
  • Remove the server block redirecting all traffic from http to https

Finally, restart your server to make the changes take effect: systemctl restart nginx

If this info helped you out, toss a coin in the tip jar?
← Other topics