Instead of purchasing an SSL certificate for your website and other applications, you can use Let’s Encrypt free SSL certificates to secure your web portals and applications. Let’s Encrypt SSL certificates are valid for 90 days; however, you can set up an automated process that renews them before they expire. If you’re going to be operating a website or need to secure your application with HTTPS, Let’s Encrypt certificates are great, and you can save yourself a pretty penny using them. For this post, we’re going to use a Let’s Encrypt free SSL certificate to secure a website powered by the Nginx web server, so that your Nginx website can communicate over HTTPS. To get started with using Let’s Encrypt on Ubuntu Linux to secure Nginx, follow the steps below.

How to install Certbot on Ubuntu Linux

Certbot is a command line tool that automates the tasks of acquiring and renewing Let’s Encrypt SSL certificates. There are other tools to perform the same tasks, but Certbot is efficient and easy to use. To install Certbot on Ubuntu, run the commands below.

How to generate Let’s Encrypt certificates for Ubuntu Linux

Now that Certbot is installed, you can begin generating Let’s Encrypt SSL certificates on Ubuntu Linux. To automate certificate generation and renewal, we’re going to use the Webroot plugin. This plugin places a challenge file under the /.well-known/acme-challenge directory at the web server root, and Let’s Encrypt fetches it over HTTP to validate that the requested domain resolves to the server running Certbot.

We’re going to create a challenge/response configuration file so that Let’s Encrypt can validate the server for which the certificates are generated. To do that, run the commands below to create a configuration file called well-known.conf in the /etc/nginx/snippets directory. This directory holds reusable configuration fragments that you include in your Nginx server blocks. Make sure to include the challenge/response configuration file in all server blocks. Then copy and paste the content below into the file and save it.

The configuration file above allows Let’s Encrypt to validate the web server using the Webroot plugin. Before SSL and HTTPS, a typical Nginx server block file should look like the one below. Make sure to include the well-known snippet created above.

How to generate a DH (Diffie-Hellman) group

Diffie–Hellman key exchange (DH) is a method of securely exchanging cryptographic keys over a public channel. In most SSL configurations, you’ll want to generate a strong Diffie-Hellman parameter group (dhparam) of your own. Run the commands below to generate the parameter file in the /etc/ssl/cert directory on Ubuntu Linux.

How to obtain Let’s Encrypt certificates on Ubuntu Linux

At this point, you should be ready to obtain a free certificate from Let’s Encrypt. Before you generate your free certificates, run the commands below to enable the Nginx server block. Once complete, reload Nginx by running the commands below.

Now you’re ready to generate Let’s Encrypt SSL certificates. Run the commands below, replacing example.com with your domain, to generate them. A successful certificate generation message will look similar to the one below:

You can now use the certificate and key in your Nginx server block configurations. Your new configuration, after adding the recommended SSL settings, should look similar to the one below:

The first server block listens on port 80. It contains a 301 redirect to redirect HTTP to HTTPS. The second server block listens on port 443. It contains a 301 redirect to redirect www to the non-www domain.

Make changes to the configurations above to suit your environment. However, the settings above should work in most Nginx environments. Reload Nginx configurations by restarting the server.
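As an added example (not code from the original post), the following script ties together the Webroot snippet, the Diffie-Hellman group and the certificate request sections above: it writes well-known.conf, writes the port-80 and port-443 server blocks described in this section, generates the dhparam file in the /etc/ssl/cert directory, and requests the certificate with the Webroot plugin. The domain, e-mail address, web root and dhparam filename are assumptions you replace with your own; the certificate paths under /etc/letsencrypt/live are where Certbot stores issued certificates.

```shell
#!/bin/sh
# Added example, not code from the original post. It renders the well-known
# snippet and the server blocks described above, then runs the issuance steps
# on the server. DOMAIN, EMAIL, WEBROOT and DHPARAM are assumed values.
set -eu

DOMAIN="${DOMAIN:-example.com}"                  # assumption: your domain
EMAIL="${EMAIL:-admin@example.com}"              # assumption: contact for expiry mail
WEBROOT="${WEBROOT:-/var/www/html}"              # assumption: Nginx document root
DHPARAM="${DHPARAM:-/etc/ssl/cert/dhparam.pem}"  # directory used in the post

# well-known.conf: answer HTTP-01 challenges from the web root. The ^~ prefix
# wins over regex locations, so app rewrites cannot swallow the challenge path.
write_acme_snippet() {                           # $1 = snippets directory
  cat > "$1/well-known.conf" <<EOF
location ^~ /.well-known/acme-challenge/ {
    default_type "text/plain";
    root $WEBROOT;
}
EOF
}

# Port 80 block: serve the challenge, redirect everything else to HTTPS.
# The redirect lives in "location /" rather than at server level, because a
# server-level return runs before location matching and would break the challenge.
write_http_block() {                             # $1 = conf directory, $2 = domain
  cat > "$1/$2.conf" <<EOF
server {
    listen 80;
    listen [::]:80;
    server_name $2 www.$2;
    include snippets/well-known.conf;
    location / {
        return 301 https://\$host\$request_uri;
    }
}
EOF
}

# Port 443: www redirects to the bare domain; the bare domain serves the site.
# Certificate paths are the ones certbot writes under /etc/letsencrypt/live.
write_https_blocks() {                           # $1 = conf directory, $2 = domain
  cat >> "$1/$2.conf" <<EOF
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name www.$2;
    ssl_certificate     /etc/letsencrypt/live/$2/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/$2/privkey.pem;
    include snippets/well-known.conf;
    location / {
        return 301 https://$2\$request_uri;
    }
}
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name $2;
    root $WEBROOT;
    include snippets/well-known.conf;
    ssl_certificate     /etc/letsencrypt/live/$2/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/$2/privkey.pem;
    ssl_dhparam         $DHPARAM;
    ssl_protocols       TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers off;
    ssl_session_cache   shared:SSL:10m;
    ssl_session_timeout 1d;
    ssl_session_tickets off;
    # HSTS: only turn this on once every subdomain is reachable over HTTPS.
    add_header Strict-Transport-Security "max-age=31536000" always;
}
EOF
}

# Issuance steps; run as root on the target server with LE_APPLY=1.
main() {
  apt-get install -y certbot
  mkdir -p "$WEBROOT/.well-known/acme-challenge" "$(dirname "$DHPARAM")"
  write_acme_snippet /etc/nginx/snippets
  write_http_block /etc/nginx/sites-available "$DOMAIN"
  ln -sf "/etc/nginx/sites-available/$DOMAIN.conf" /etc/nginx/sites-enabled/
  nginx -t
  systemctl reload nginx
  # 2048-bit DH group; the file is not secret, it just must not be a weak default.
  [ -s "$DHPARAM" ] || openssl dhparam -out "$DHPARAM" 2048
  # Webroot plugin: certbot drops the challenge file under $WEBROOT and
  # Let's Encrypt fetches it over plain HTTP on port 80.
  certbot certonly --webroot -w "$WEBROOT" -d "$DOMAIN" -d "www.$DOMAIN" \
    --email "$EMAIL" --agree-tos --non-interactive
  write_https_blocks /etc/nginx/sites-available "$DOMAIN"
  nginx -t
  systemctl reload nginx
}

if [ "${LE_APPLY:-0}" = "1" ]; then main; fi
```

Run it as root with LE_APPLY=1 on the server; without that variable it only defines the functions, so you can source it and inspect the generated files first. The HTTP-to-HTTPS redirect sits inside `location /` on purpose: a server-level `return` executes before location matching and would redirect the ACME challenge as well, which is the usual reason Webroot validation fails on a site that already forces HTTPS.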

How to auto-renew Let’s Encrypt certificates

Now that the certificate is generated, you can set up a process to renew it automatically. By default, it expires in 90 days, so setting up a process that renews it without you having to remember is the best option. To renew the certificates before they expire, the certbot package creates a cron job and a systemd timer. The timer runs Certbot regularly, and Certbot renews any certificate that is within 30 days of its expiration. The crontab file is created at the location below.

You can now use the certificate and key files referenced above in your Nginx configurations to enable HTTPS.

Conclusion

This post showed you how to use a Let’s Encrypt free SSL certificate to secure the Nginx HTTP server. If you find any error above or have anything to add, please use the comment form below to do so.
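For the auto-renewal section above, here is an added example (not code from the original post) of the checks worth running once the timer and cron job exist: it rehearses a renewal with `certbot renew --dry-run`, installs a deploy hook so Nginx reloads after a real renewal, and flags a certificate that is already inside the 30-day renewal window, which is the sign that the scheduled renewal is not firing. The domain is an assumed placeholder; /etc/cron.d/certbot and certbot.timer are the cron job and systemd timer shipped by the Ubuntu certbot package, and /etc/letsencrypt/renewal-hooks/deploy is Certbot's standard deploy-hook directory.

```shell
#!/bin/sh
# Added example, not code from the original post: checks that unattended
# renewal is actually in place and warns when a certificate is already inside
# the 30-day renewal window. DOMAIN is an assumed placeholder.
set -eu

DOMAIN="${DOMAIN:-example.com}"   # assumption: your domain

# True (exit 0) if the certificate in $1 expires within $2 days.
# openssl's -checkend exits 0 while the cert stays valid for that long, 1 otherwise.
expires_within_days() {           # $1 = PEM file, $2 = days
  if openssl x509 -noout -in "$1" -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1; then
    return 1
  fi
  return 0
}

# With the Webroot plugin Nginx never picks up a renewed certificate until
# something reloads it; certbot runs every executable in this directory after
# a successful renewal.
install_deploy_hook() {           # $1 = deploy-hook directory
  mkdir -p "$1"
  cat > "$1/reload-nginx.sh" <<'EOF'
#!/bin/sh
nginx -t && systemctl reload nginx
EOF
  chmod 0755 "$1/reload-nginx.sh"
}

# Run as root on the server with LE_CHECK=1.
check_renewal() {
  cert="/etc/letsencrypt/live/$DOMAIN/fullchain.pem"
  echo "== scheduled renewal =="
  systemctl list-timers certbot.timer --no-pager || true       # systemd timer
  if [ -f /etc/cron.d/certbot ]; then cat /etc/cron.d/certbot; fi   # apt package cron job
  install_deploy_hook /etc/letsencrypt/renewal-hooks/deploy
  echo "== renewal rehearsal (no certificate is issued) =="
  certbot renew --dry-run
  # certbot renews at 30 days remaining; still being inside that window after a
  # successful dry run means the scheduled renewal is not running, so alert.
  if expires_within_days "$cert" 30; then
    echo "WARNING: $cert expires within 30 days; check the timer and cron job" >&2
    return 1
  fi
  echo "OK: $cert is valid for more than 30 days"
}

if [ "${LE_CHECK:-0}" = "1" ]; then check_renewal; fi
```

The expiry check is the one to wire into monitoring: a dry run passing only proves that validation works when Certbot is invoked, while a live certificate with fewer than 30 days left proves that nobody is invoking it.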