In Nginx Last updated:
Share on:
Cloudways offers managed cloud hosting for any size business to host a website or complex web applications.

A step-by-step guide to implementing Let’s Encrypt TLS certificate in Nginx.

Securing site with a TLS certificate is essential. There are two main reasons:

  • Secure data transmission between a user’s device to SSL/TLS offloading device
  • Improve Google search ranking

Lately, Google announced that site without https:// would be marked as “No Secure” in chrome browser.

So yes, Say YES to HTTPS.

If you are running a blog, personal site, non-membership, the non-financial transactional site then you may go for Let’s Encrypt certificate.

Let’s Encrypt offer a FREE certificate.

However, if you are accepting a financial transaction, then you may want to go for a commercial certificate.

Let’s implement TLS in Nginx…

I assume you already have Nginx installed and running if not refer to this installation guide.

There are multiple ways to get this done.

Let’s Encrypt using Certbot

One of the easiest and recommended ways to install it.

Certbot offers a drop-down menu where you can select the webserver and OS to get the instruction.

I’ve selected Nginx and Ubuntu as you can see below.

certbot-nginx

And, I’ll be executing the below on the Nginx server to install the certbot plugin.

# apt-get install software-properties-common
# add-apt-repository ppa:certbot/certbot
# apt-get update
# apt-get install python-certbot-nginx

Once all ok, it’s time to use a certbot plugin to install a certificate in Nginx.

You can use the below command which will take care of modifying the necessary file to configure the certificate.

# certbot --nginx

It will check the CN (common name) in the existing Nginx configuration file, and it not found then it will prompt you to enter.

Ex:

root@instance-1:/etc/nginx/sites-available# certbot --nginx
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
No names were found in your configuration files. Please enter in your domain
name(s) (comma and/or space separated)  (Enter 'c' to cancel): bloggerflare.com
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for bloggerflare.com
Waiting for verification...
Cleaning up challenges
Deployed Certificate to VirtualHost /etc/nginx/sites-enabled/default for bloggerflare.com
Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
-------------------------------------------------------------------------------
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
-------------------------------------------------------------------------------
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Redirecting all traffic on port 80 to ssl in /etc/nginx/sites-enabled/default
-------------------------------------------------------------------------------
Congratulations! You have successfully enabled https://bloggerflare.com
You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=bloggerflare.com
-------------------------------------------------------------------------------
IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/bloggerflare.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/bloggerflare.com/privkey.pem
   Your cert will expire on 2018-05-27. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot again
   with the "certonly" option. To non-interactively renew *all* of
   your certificates, run "certbot renew"
 - If you like Certbot, please consider supporting our work by:
   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le
root@instance-1:/etc/nginx/sites-available#

Certbot automation is smart!

As you can see it has taken care of all the necessary configuration to make my Nginx ready to serve over https.

However, if you don’t want Certbot to modify the configuration for you, then you can just request the below command.

# certbot --nginx certonly

The above command will not perform any modification instead just provide you the certificate so you can configure the way you want.

But what if you can’t or don’t want to use Certbot?

Manual Procedure

There are many ways to get the cert issued by Let’s Encrypt, but one of the recommended is from SSL for Free online tool.

Provide your URL and proceed with the verification method. Once verified, you will get the certificate, private key, and CA.

lets-encrypt-cert

Download them, and transfer to Nginx server. Let’s keep them under ssl folder (create if doesn’t exist) of Nginx installation path

root@instance-2:/etc/nginx/ssl# ls -ltr
-rw-r--r-- 1 root root 1704 Feb 26 10:04 private.key
-rw-r--r-- 1 root root 1647 Feb 26 10:04 ca_bundle.crt
-rw-r--r-- 1 root root 3478 Feb 26 10:57 certificate.crt
root@instance-2:/etc/nginx/ssl# 

Before proceeding with the configuration modification, you need to concatenate certificate.crt and ca_bundle.crt into a single file. Let’s name it tlscert.crt

cat certificate.crt ca_bundle.crt >> tlscert.crt
  • Go to sites-available folder and add the following in respective site configuration file
server {
listen 443;
ssl on;
ssl_certificate /etc/nginx/ssl/tlscert.crt;
ssl_certificate_key /etc/nginx/ssl/private.key;
}
  • Restart Nginx
service nginx restart

Try to access the respective domain over HTTPS

nginx-lets-encrypted

So here you go, it’s a success!

An alternative to Let’s Encrypt, you can also use ZeroSSL which is explained here about the implementation.

Next, you may want to test your site for SSL/TLS vulnerability and fix them if found.

Share on:
  • Chandan Kumar
    Author
    Chandan Kumar is a seasoned technology enthusiast and entrepreneur passionate about empowering businesses and individuals globally. As the founder of Geekflare, a leading technology publication, Chandan has spearheaded the development…

Thanks to our Sponsors

More great readings on Nginx

Headless WordPress Where Content Meets Innovation
Headless WordPress: Where Content Meets Innovation

In the dynamic and constantly evolving field of web development, Headless WordPress stands out as a robust and inventive method. It has reimagined the process of creating a website by decoupling the front-end presentation layer of the website from the back-end content management system. 

Power Your Business

Some of the tools and services to help your business grow.
  • The text-to-speech tool that uses AI to generate realistic human-like voices.

    Try Murf AI
  • Web scraping, residential proxy, proxy manager, web unlocker, search engine crawler, and all you need to collect web data.

    Try Brightdata
  • Monday.com is an all-in-one work OS to help you manage projects, tasks, work, sales, CRM, operations, workflows, and more.

    Try Monday
  • Intruder is an online vulnerability scanner that finds cyber security weaknesses in your infrastructure, to avoid costly data breaches.

    Try Intruder