How to Set Up “Let’s Encrypt” Free SSL Certificate in Nginx (Ubuntu)

If you have read many articles on privacy tips, you will surely come across a tip that asks you to install the “HTTPS everywhere” extension so that it will automatically redirect you to the HTTPS version of the website whenever possible. The bad thing is the HTTPS everywhere extension works only when the website you are visiting has implemented SSL, and for most webmasters, that can be a difficult (and costly) task by itself. Luckily, with the Let’s Encrypt movement, it is easier for webmasters to add SSL certificates to their sites now.

In the past (and currently), setting up an SSL certificate requires you to first generate a private key on your server, then buy an SSL certificate from a Certificate Authority (which can be expensive), and lastly, set it up on the server. There is a lot of technicality involved in the process, and not doing it correctly will render the SSL certificate useless. With the Let’s Encrypt project, one can quickly add an SSL certificate to their sites without any cost. And being backed by big industry players like Mozilla, Akamai, Cisco, EFF and Google, it is supported by most browsers and operating systems.

In this tutorial we will go through the steps to set up a Let’s Encrypt SSL certificate on an Nginx server. We are using an Ubuntu 14.04 server for this tutorial and assume you have a working Nginx installation on Ubuntu. The instructions might differ for an Ubuntu 16.04 server.

First, to install Let’s Encrypt, you will need git to clone it from its repository. Install git (and bc) with the following command:

sudo apt-get install git bc

Once installed, clone the Let’s Encrypt’s repository:

sudo git clone https://github.com/letsencrypt/letsencrypt /opt/letsencrypt

Before we proceed to install and set up the SSL certificate, it is important to allow access to the .well-known folder in the web root directory. By default, files and folders whose names start with a “.” are hidden and not accessible to the public. In this case, however, we need to let the public access the .well-known folder, because this is where Let’s Encrypt will store a special file for validation.

Proceed to your Nginx site configuration folder and open it (if you have a custom configuration file for your site) or use the default:

cd /etc/nginx/sites-available
sudo nano default

Add the following lines to the server block:

location ~ /\.well-known {
    allow all;
}

Save (Ctrl + O) and close (Ctrl + X) the configuration file.

Test your Nginx configuration:

sudo nginx -t

If the configuration test passes, reload the configuration:

sudo service nginx reload

Now that you are done with the Nginx configuration, the next thing is to install the SSL certificate.

Go to the Let’s Encrypt folder:

cd /opt/letsencrypt

Run the following command to generate the certificate:

./letsencrypt-auto certonly -a webroot --webroot-path=/usr/share/nginx/html -d example.com

There are a few things to change here:

  • Change the webroot-path to your site’s document root path. The default is “/usr/share/nginx/html,” but your configuration might differ.
  • Change “example.com” to your own domain name. Do note that “example.com” and “www.example.com” are two different domains. If you want the certificate to cover multiple domains, add a -d flag for each additional domain to the end of the command. For example, to set up an SSL certificate for the domains “example.com”, “www.example.com”, “example1.com” and “www.example1.com,” use the following command:
./letsencrypt-auto certonly -a webroot --webroot-path=/usr/share/nginx/html -d example.com -d www.example.com -d example1.com -d www.example1.com

On the first run the script will install a bunch of Python files in your system. Once it is done, it will begin the certificate generation process. First it will ask for your email address:

[Screenshot: letsencrypt-auto prompting for an email address]

After that you will be prompted to read the Terms of Service over at the Let’s Encrypt website. Select “Agree.”

[Screenshot: letsencrypt-auto asking you to agree to the Terms of Service]

If you see the following message:

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at
   /etc/letsencrypt/live/example.com/fullchain.pem. Your cert
   will expire on 2016-10-02. To obtain a new or tweaked version of
   this certificate in the future, simply run letsencrypt-auto again.
   To non-interactively renew *all* of your certificates, run
   "letsencrypt-auto renew"
 - If you like Certbot, please consider supporting our work by:
 
   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

That means you have successfully generated an SSL certificate for your site(s). If instead you see an error message, fix the error and retry.

Now that you have generated the SSL certificate, it is time to activate it for your site.

Return to the Nginx configuration folder and open the site’s configuration file:

cd /etc/nginx/sites-available
sudo nano default

Create a new server block and add the following configuration inside the block:

server {
        server_name example.com www.example.com;
 
        listen 443 ssl;
 
        ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
}

Save and close the file.

Note: the above is a simplified version of the Nginx configuration block. You should add your own custom configuration to the block.

Lastly, test the configuration:

sudo nginx -t

If everything is fine, reload Nginx:

sudo service nginx reload

That’s it. You have successfully set up an SSL certificate for your sites. You can now load the “https” version of your URL to see it in action.

Unlike most commercial SSL certificates that are valid for a minimum of one year, a Let’s Encrypt SSL certificate is only valid for three months. After this time you will have to renew it to continue using it. Let’s Encrypt comes with a renew option so you can easily renew your certificates without going through the whole installation again. The following instructions show you how to set up a cron job to auto-renew your SSL certificate.

Still in your server, open the crontab:

sudo crontab -e

Add the following lines:

00 0 * * 1 /opt/letsencrypt/letsencrypt-auto renew >> /var/log/le-renew.log
05 0 * * 1 /etc/init.d/nginx reload

The above lines check the expiry date of your SSL certificates every Monday at 12am and renew any that are close to expiry. Nginx is then reloaded (at 12.05am) to ensure the renewed certificate is actually in use.

Save and close the crontab.
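The cron job above writes only to a log file, so a renewal that ran but was never picked up by the 12.05am reload would go unnoticed until the old certificate expired. The following check script is an added example (not from the original article or the Let’s Encrypt project): it compares the certificate Nginx actually serves with the fullchain.pem on disk and warns when fewer than a chosen number of days remain. It assumes GNU date and the openssl command-line tool are installed.

```shell
#!/bin/sh
# Added example (not from the original article): check that the certificate
# nginx actually serves is fresh, catching a renewal that ran but was never
# picked up by the 12:05 reload. Assumes GNU date and openssl are installed.

# days_until NOTAFTER [NOW]: whole days from NOW (default: today) until the
# "notAfter" string openssl prints, e.g. "Oct  2 00:00:00 2016 GMT".
days_until() {
    end=$(date -u -d "$1" +%s) || return 2
    now=$(date -u -d "${2:-now}" +%s) || return 2
    echo $(( (end - now) / 86400 ))
}

# served_not_after HOST [PORT]: fetch the certificate nginx presents for HOST
# (with SNI, so the matching server block answers) and print its notAfter.
served_not_after() {
    printf '' | openssl s_client -servername "$1" -connect "$1:${2:-443}" 2>/dev/null \
        | openssl x509 -noout -enddate | sed 's/^notAfter=//'
}

# file_not_after PATH: the same for the fullchain.pem letsencrypt-auto wrote.
file_not_after() {
    openssl x509 -noout -enddate -in "$1" | sed 's/^notAfter=//'
}

# check_renewal HOST CERTFILE [MIN_DAYS]: exit 0 if the served certificate
# matches the file on disk and has at least MIN_DAYS (default 14) left;
# otherwise say what is wrong and exit 1, which a cron job or monitor can act on.
check_renewal() {
    host=$1; certfile=$2; min=${3:-14}
    served=$(served_not_after "$host")
    [ -n "$served" ] || { echo "cannot read certificate from $host"; return 1; }
    ondisk=$(file_not_after "$certfile")
    [ -n "$ondisk" ] || { echo "cannot read $certfile"; return 1; }
    if [ "$served" != "$ondisk" ]; then
        echo "nginx serves a cert expiring $served but $certfile expires $ondisk: reload nginx"
        return 1
    fi
    left=$(days_until "$served")
    if [ "$left" -lt "$min" ]; then
        echo "certificate for $host expires in $left days: check /var/log/le-renew.log"
        return 1
    fi
    echo "ok: $host certificate valid for $left more days"
}

# Usage with the paths from the tutorial (uncomment on the server):
# check_renewal example.com /etc/letsencrypt/live/example.com/fullchain.pem
```

Run it from a second cron entry a few hours after the renewal job, or from your monitoring system, so a non-zero exit is noticed before the 90-day validity runs out.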

If you are running a small website and are keen on adding SSL to your site, Let’s Encrypt is a great option to add credibility to your site. It is (relatively) easy to set up and costs nothing (free, as in beer), so there is no reason not to make use of it. However, it only provides Domain-Validated (DV) certificates, the most basic kind of SSL certificate. For companies that require Organization-Validated (OV) or Extended-Validation (EV) SSL certificates, a commercial SSL certificate is probably the way to go.
