Sharing Ilmu

Sharing for useful things

How To Secure NGINX Webserver with Let’s Encrypt on Ubuntu server 20.04

Hello everyone, in this tutorial I’ll discuss about how to configuration secure nginx webserver (https) using let’s encrypt on ubuntu 20.04.  Let’s encrypt is a Certificate Authority (CA) that provides easy way to obtain and install SSL Certificate as free on your website. Configuration Let’s Encrypt using certbot and for do this you must have public ip address and Domain/ DNS A Record that pointing on your linux server.

 

Update system :

root@taufik:~# apt update

 

Install Certbot for nginx :

root@taufik:~# apt install certbot python3-certbot-nginx

 

Make sure you have been configure server_name on nginx sites-available config file.

GNU nano 4.8 /etc/nginx/sites-available/yourdomainwebsite.com
.....
root /var/www/html/YourWebisteDocument;
index index.php index.html index.htm index.nginx-debian.html;
server_name yourdomainwebsite.com;
......

 

Make sure your nginx configuration is not error  :

root@taufik:~# nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

Reload nginx service :

root@taufik:~# systemctl reload nginx

 

Allow Nginx service on firewall :

root@taufik:~# ufw allow 'Nginx Full'

 

Show ufw status :

root@taufik:~# ufw status
Status: active

To Action From
-- ------ ----
Nginx Full.          ALLOW        Anywhere
Nginx Full (v6)  ALLOW        Anywhere (v6)

 

Install SSL Certificate on your domain :

root@taufik:~# certbot --nginx -d yourdomainwebsite.com -d www.yourudomainwebsite.com

 

If you are asked to fill in your email, enter your valid email address.

If installation process is successfull, certbot will be ask you about how you will run https settings on your website.  Select number 1 if you don’t want automatic redirect https when access your website.  Select number 2 if you want to automatic redirect https.

Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2

 

Let’s Encrypt certificate is only valid for ninety days so that it’s encourage users for automate certificate renewall process. on certbot it’s has been installed renewall process using timer that run twice a day that will automate renew all certificate that’s within thirty days of expiration.

Show timer status :

root@taufik:~# systemctl status certbot.timer
● certbot.timer - Run certbot twice daily
     Loaded: loaded (/lib/systemd/system/certbot.timer; enabled; vendor preset: enabled)
     Active: active (waiting) since Tue 2022-09-06 05:00:40 CEST; 1 weeks 6 days ago
    Trigger: Mon 2022-09-19 22:10:03 CEST; 15h left
    Triggers: ● certbot.service

 

For testing renewall process you can test with dry run :

root@taufik:~# certbot renew --dry-run

If you see no errors, your configuration is done. That’s will automate certificate renewall process.

Leave a Reply

Your email address will not be published. Required fields are marked *.

*
*
You may use these <abbr title="HyperText Markup Language">HTML</abbr> tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>