Update: Using Free Let’s Encrypt SSL/TLS Certificates with NGINX

Editor – This is an update to a previous blog post about using Let’s Encrypt certificates with NGINX. This new blog is based on newly added NGINX support in certbot.

Also see our blog post from nginx.conf 2015, in which Peter Eckersley and Yan Zhu of the Electronic Frontier Foundation introduce the then-new Let’s Encrypt certificate authority.

It’s well known that serving your website over SSL/TLS leads to higher search rankings and better security for your users. However, a number of barriers have prevented website owners from adopting it.

Two of the biggest barriers have been the cost and the manual processes involved in getting a certificate. But now, with Let’s Encrypt, this is no longer a concern. Let’s Encrypt makes SSL encryption freely available to everyone.

Let’s Encrypt is a free, automated, and open certificate authority. Yes, that’s right: SSL/TLS certificates for free. Certificates issued by Let’s Encrypt are trusted by most browsers today, including older browsers, such as Internet Explorer on Windows XP SP3. In addition, Let’s Encrypt is fully automated for both issuing and renewing certificates.

In this blog post, we’ll cover how to use the Let’s Encrypt client to generate RSA certificates and automatically configure NGINX to use the newly issued certificates.

How Let’s Encrypt Works

Before issuing a certificate, Let’s Encrypt first validates ownership of your domain. The Let’s Encrypt client, running on your host, creates a temporary file (a token) with the required information in it. The Let’s Encrypt validation server then makes an HTTP request to retrieve the file and validates the token, which verifies that the DNS record for your domain resolves to the server running the Let’s Encrypt client.
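To make that validation flow concrete, here is an added example (not code from the original post or from certbot) that plays both sides of the ACME HTTP-01 challenge on loopback: the client writes its key authorization under /.well-known/acme-challenge/ and the "validation server" fetches and compares it. The account key and webroot are constructed stand-ins; the key-authorization format follows RFC 8555.

```python
import base64, hashlib, json, os, tempfile, threading
import http.server, urllib.request, urllib.error
from functools import partial

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def key_authorization(token: str, account_jwk: dict) -> str:
    # RFC 8555 s8.1: <token>.<base64url(SHA-256(JWK thumbprint))>, thumbprint over canonical JSON (RFC 7638)
    canonical = json.dumps(account_jwk, sort_keys=True, separators=(",", ":")).encode()
    return token + "." + b64url(hashlib.sha256(canonical).digest())

def write_challenge(webroot: str, token: str, keyauth: str) -> str:
    # Client side: the temporary file the post describes, served from the webroot
    chal_dir = os.path.join(webroot, ".well-known", "acme-challenge")
    os.makedirs(chal_dir, exist_ok=True)
    path = os.path.join(chal_dir, token)
    with open(path, "w") as fh:
        fh.write(keyauth)
    return path

def validate(base_url: str, token: str, expected: str) -> bool:
    # CA side: GET http://<domain>/.well-known/acme-challenge/<token> and compare the body
    try:
        with urllib.request.urlopen(f"{base_url}/.well-known/acme-challenge/{token}", timeout=5) as r:
            return r.read().decode().strip() == expected
    except (urllib.error.URLError, OSError):
        return False  # 404, connection refused or timeout: the name does not lead to this host

class QuietHandler(http.server.SimpleHTTPRequestHandler):
    log_message = lambda self, *args: None  # keep the demo silent

def demo() -> dict:
    webroot = tempfile.mkdtemp()
    account_jwk = {"kty": "oct", "k": "constructed-sample-account-key"}  # constructed, not a real key
    token = b64url(os.urandom(16))  # at least 128 bits of entropy, as the RFC requires
    keyauth = key_authorization(token, account_jwk)
    write_challenge(webroot, token, keyauth)
    server = http.server.ThreadingHTTPServer(("127.0.0.1", 0), partial(QuietHandler, directory=webroot))
    threading.Thread(target=server.serve_forever, daemon=True).start()
    base = f"http://127.0.0.1:{server.server_address[1]}"
    try:
        return {
            "valid": validate(base, token, keyauth),              # genuine client: True
            "tampered": validate(base, token, keyauth + "x"),     # wrong key authorization: False
            "missing": validate(base, "no-such-token", keyauth),  # file not served: False
        }
    finally:
        server.shutdown()
```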

Prerequisites

Before starting with Let’s Encrypt, you’ll need a few prerequisites:

  • Have NGINX or NGINX Plus installed.
  • Own or control a registered domain name for the certificate. If you don’t have one, you can register a domain name with a registrar such as GoDaddy or dnsexit.
  • Create a DNS record that points your domain name to your server’s public IP address.

Now you can easily set up Let’s Encrypt with NGINX and NGINX Plus.

Note: In this blog post, we’re running Let’s Encrypt with open source NGINX on Ubuntu 16.04 Xenial.

1. Download the Let’s Encrypt Client

First, download the Let’s Encrypt client, certbot:

  1. Add the certbot repository:

    $ add-apt-repository ppa:certbot/certbot

  2. Now install certbot:

    $ apt-get update
    $ apt-get install python-certbot-nginx

The Let’s Encrypt client is now ready to use.

2. Set up NGINX

Certbot can automatically configure SSL with NGINX by finding the correct server block in the NGINX configuration. Certbot will look for the server_name directive in the server block that matches the domain name you’re requesting a certificate for. We’ll be using www.example.com as the domain in this tutorial.

  1. Assuming you’re starting with a fresh NGINX install, create a configuration file named www.example.com.conf in the /etc/nginx/conf.d directory:

    $ nano /etc/nginx/conf.d/www.example.com.conf

  2. Enter your domain name in the server_name directive in a server block:

    server {
        listen 80 default_server;
        listen [::]:80 default_server;
        server_name example.com www.example.com;
    }

  3. Save the file, verify the syntax of your configuration edits, and reload NGINX:

    $ nginx -t && nginx -s reload

3. Obtain the SSL certificate

Certbot has various plugins to generate SSL certificates. The NGINX Plugin will take care of re-configuring NGINX and reloading the configuration whenever necessary.

To generate SSL certificates with the NGINX plugin, run the following command:

$ sudo certbot --nginx -d example.com -d www.example.com

During the process, certbot prompts you to enter your email address, agree to the Let’s Encrypt terms of service, and choose your HTTPS settings.

Once that’s completed, NGINX will reload with the new settings. Certbot will output a message stating that the SSL certificate generation is successful, along with the location of the certificate on your server.

Congratulations! You have successfully enabled https://example.com and https://www.example.com.

-----------------------------------------------------------------------------------------------------------------------------
IMPORTANT NOTES:

Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/example.com/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/example.com/privkey.pem
Your cert will expire on 2017-12-12.

Note: Let’s Encrypt certificates expire after 90 days. In this example, the certificate will expire on 2017-12-12. In the next section, we’ll talk about how to renew certificates automatically.

Open up the NGINX configuration and take note of all the modifications. That way, you’ll know how to configure NGINX manually with SSL/TLS termination in the future.

server {
    listen 80 default_server;
    listen [::]:80 default_server;

    root /var/www/html;
    server_name example.com www.example.com;

    listen 443 ssl; # managed by Certbot

    # RSA certificate
    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem; # managed by Certbot

    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot

    if ($scheme != "https") {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    # Redirect non-https traffic to https
    # if ($scheme != "https") {
    #     return 301 https://$host$request_uri;
    # } # managed by Certbot

}

4. Automatic Renewal of Let’s Encrypt Certificates

Let’s Encrypt certificates expire in 90 days. We encourage you to renew your certificates automatically before they expire. We’ll set up a cron job to do this.

We start by opening the crontab file:

$ crontab -e

…and we enter the certbot command we wish to run daily. In this blog post, we run the command every day at noon. The command will check to see if the certificate on the server will expire within the next 30 days, and renew it if so.

0 12 * * * /usr/bin/certbot renew --quiet

Save and close the crontab; from now on all installed certificates will be renewed and reloaded automatically. The --quiet flag tells certbot not to print any output unless an error occurs.

Summary

We’ve installed the Let’s Encrypt agent to generate SSL certificates for a registered domain name. We’ve configured NGINX to use SSL certificates, and we’ve set up automatic certificate renewals. Now, you can set up Let’s Encrypt with NGINX, and have a simple, secure website up and running within minutes.
