Install Let’s Encrypt free SSL/TLS certificate with Nginx and Ubuntu

Do you want to serve your website over HTTPS, or take advantage of the SEO benefits of a TLS/SSL certificate? Maybe you want better performance with http2. “Let’s Encrypt” is a new Certificate Authority (CA) that provides an easy way to get and install free TLS/SSL certificates, thereby enabling encrypted HTTPS on web servers. It is backed by the Internet Security Research Group (ISRG) and had been running in beta. This April it came out of beta and is absolutely free.

In this guide we help you install this free SSL/TLS certificate with Nginx.

Requirement and Goal:

These certificates are valid for only 90 days, after which they need to be renewed. So our goal is to automate this process.

We are using Ubuntu in this guide, so the first requirement is Ubuntu Linux. You also need root access or a user with sudo privileges, and a domain name with an A record in DNS pointing to your server’s IP. This is required because Let’s Encrypt uses this information to validate your domain.

Installing Let’s Encrypt toolkit:

The first step to get a certificate is installing letsencrypt. To install it we will clone its git repository.

Before that, update your server’s package manager and upgrade packages with this command:

sudo apt-get update && sudo apt-get upgrade

Now install git and bc, which we need to clone and run letsencrypt.

sudo apt-get install git bc

We can now clone this repo to the /opt directory on our server.

sudo git clone https://github.com/letsencrypt/letsencrypt /opt/letsencrypt

This will clone the repository to your /opt/letsencrypt directory.

Creating certificate for your domain:

First stop Nginx if it is running: the client will not create a certificate if it is unable to bind port 80 to validate your domain.

sudo service nginx stop

Now execute the command below to change your directory to /opt/letsencrypt.

cd /opt/letsencrypt

Let’s Encrypt automatically performs domain validation. After domain validation, the CA will issue SSL certificates to you. We use the command below to start this process.

sudo -H ./letsencrypt-auto certonly --standalone -d mindstellar.com -d www.mindstellar.com

Replace mindstellar.com with your domain name. You can add multiple subdomains by appending ‘-d subdomain.yourdomain.com’ for each one.

Now it will ask you to enter an administrative email address. This allows you to regain control of a lost certificate and receive urgent security notices if necessary. Then agree to the terms and conditions. You can press Enter for OK and Tab to move between selections.

[Screenshots: Let’s Encrypt administrative email prompt; Let’s Encrypt terms and conditions]

If it validates your domain successfully, it will show this information.

[Screenshot: Let’s Encrypt certificate information]

Configuring automatic renewal of certificates:

As mentioned above, these certificates are valid for 90 days and you need to renew them before expiration. You can do this easily with this command.

sudo ./letsencrypt-auto renew

To automate this process, create a file renew-letsencrypt.sh with the code below.

#!/bin/sh
# Renew the Let's Encrypt certificates and restart Nginx afterwards.
# The standalone validator used above needs port 80, so Nginx is
# stopped for the renewal attempt and started again once it finishes.

cd /opt/letsencrypt/ || exit 1

service nginx stop
./letsencrypt-auto renew
STATUS=$?
service nginx start

if [ "$STATUS" -ne 0 ]; then
    # printf instead of 'echo -e': the latter is not portable under
    # /bin/sh (dash on Ubuntu) and would print a literal "-e".
    ERRORLOG=$(tail /var/log/letsencrypt/letsencrypt.log)
    printf "The Let's Encrypt cert has not been renewed!\n\n%s\n" "$ERRORLOG"
    exit 1
fi

# Nginx was started after the renewal and already serves the new files;
# the reload is harmless and covers the case where it was already running.
nginx -s reload

exit 0

Now run crontab -e and add this line to run the script every two months:

0 0 1 JAN,MAR,MAY,JUL,SEP,NOV * /path/to/renew-letsencrypt.sh

This will check for certificate renewal every two months and renew the certificates.

OK! So we have created certificates for our domain and automated the renewal process. The next step is to configure Nginx with these certificates.

Configuring Nginx with Let’s Encrypt SSL/TLS certificate:

Add the certificate and key to the server block for HTTPS traffic:

server {
    listen 443 ssl default_server;
    server_name my-domain;

    ssl_certificate /etc/letsencrypt/live/mindstellar.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/mindstellar.com/privkey.pem;

    ...
}

Again, replace mindstellar.com with your domain name. Now verify that the configuration file has correct syntax and reload Nginx with these commands.

nginx -t && service nginx reload
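Added here as an example rather than the post’s own configuration: the minimal server block above extended with the pieces a practitioner usually wants beside it (an HTTP-to-HTTPS redirect, http2, a restricted protocol and cipher list, session settings, OCSP stapling via the chain.pem the client also writes to the live directory, and HSTS). It assumes nginx 1.9.5 or newer for the http2 parameter and a resolver address that you replace with your own; the domain and certificate paths are the ones used in this post.

```nginx
# Redirect plain HTTP to HTTPS; nothing is served over port 80.
server {
    listen 80 default_server;
    server_name mindstellar.com www.mindstellar.com;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl http2 default_server;   # http2 parameter needs nginx >= 1.9.5
    server_name mindstellar.com www.mindstellar.com;

    ssl_certificate     /etc/letsencrypt/live/mindstellar.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/mindstellar.com/privkey.pem;

    # Only TLS 1.2 with forward-secret AEAD suites; clients that cannot
    # negotiate these are refused rather than silently downgraded.
    ssl_protocols TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384';

    # Session resumption via a shared cache; tickets off so resumed
    # sessions do not depend on a long-lived ticket key in memory.
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 1d;
    ssl_session_tickets off;

    # OCSP stapling: chain.pem (also written by the client into the live
    # directory) lets nginx verify the stapled responder answer.
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /etc/letsencrypt/live/mindstellar.com/chain.pem;
    resolver 127.0.0.1 valid=300s;   # placeholder: use the DNS resolver your server uses

    # HSTS: browsers remember to use HTTPS for this host for a year.
    # Add "includeSubDomains" only once every subdomain serves HTTPS.
    add_header Strict-Transport-Security "max-age=31536000" always;

    # root, index, location blocks etc. stay as in your existing server block
}
```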

Updating the Let’s Encrypt client (not necessary):

Whenever new updates are available for the client, you can update your local copy by running git pull from inside the Let’s Encrypt directory:

cd /opt/letsencrypt
sudo git pull

This will download all recent changes to the repository, updating your client.

That’s it! Your web server is now using a free Let’s Encrypt TLS/SSL certificate to serve HTTPS content securely. Go ahead and enable http2 to get extra performance for your website. These steps are mostly generic and will work on other Linux distributions with small changes.

Please share your suggestions and feedback in the comment box.
