
Let's Encrypt with Certbot in Nginx - Commands & Configuration

Introduction
Websites need secure connections to protect user data. Let's Encrypt provides free SSL certificates to enable HTTPS. Certbot is a tool that obtains and installs these certificates automatically for your web server.

  • When you want to secure your website with HTTPS without paying for certificates.
  • When you need to renew SSL certificates automatically so they never expire.
  • When you run an Nginx web server and want an easy way to enable HTTPS.
  • When you want to improve your website's trust and SEO ranking by using HTTPS.
  • When you want to protect user logins and data transmission on your site.
Config File - nginx.conf
nginx.conf
server {
    listen 80;
    server_name example.com www.example.com;

    location /.well-known/acme-challenge/ {
        root /var/www/certbot;
    }

    location / {
        return 301 https://$host$request_uri;
    }
}

server {
    listen 443 ssl;
    server_name example.com www.example.com;

    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

    location / {
        root /var/www/html;
        index index.html index.htm;
    }
}

This Nginx configuration has two server blocks:

  • The first listens on port 80 (HTTP) and serves the challenge files Certbot writes under /var/www/certbot, which Let's Encrypt fetches to verify domain ownership. Because the longer prefix /.well-known/acme-challenge/ takes precedence over the catch-all location /, challenge requests are answered directly while all other HTTP traffic is redirected to HTTPS.
  • The second listens on port 443 (HTTPS) and uses the SSL certificates obtained by Certbot to serve the website securely.
Commands
Update the package list to get the latest versions available.
Terminal
sudo apt update
Expected Output
Hit:1 http://archive.ubuntu.com/ubuntu focal InRelease
Reading package lists... Done
Install Certbot and the Nginx plugin to obtain and configure SSL certificates.
Terminal
sudo apt install certbot python3-certbot-nginx -y
Expected Output
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following additional packages will be installed:
  ...
Setting up certbot (1.22.0-1) ...
Setting up python3-certbot-nginx (1.22.0-1) ...
-y - Automatically answer yes to prompts
Run Certbot to get SSL certificates for example.com and www.example.com and automatically update Nginx configuration.
Terminal
sudo certbot --nginx -d example.com -d www.example.com
Expected Output
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for example.com
http-01 challenge for www.example.com
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/example.com/fullchain.pem
 - Your cert will expire on 2024-09-01. To obtain a new or tweaked version
   of this certificate in the future, simply run certbot again
 - Your nginx configuration was updated to use the new certificate.
--nginx - Use the Nginx plugin to automatically configure SSL
-d - Specify domain names for the certificate
Reload Nginx to apply the new SSL configuration without downtime.
Terminal
sudo systemctl reload nginx
Expected Output
No output (command runs silently)
Test automatic renewal of certificates to ensure it will work when needed.
Terminal
sudo certbot renew --dry-run
Expected Output
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/example.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not yet due for renewal

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations, all renewals succeeded.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
--dry-run - Simulate renewal without making changes
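After the steps above, it helps to verify the result rather than trust the output. The script below is an added example, not part of the original page or of Certbot: it checks that nginx.conf serves the ACME challenge location and references Certbot's live/ paths, that the certificate and private key are a matching pair, and that the leaf certificate is not inside the 30-day renewal window. It assumes the openssl CLI is installed; the default config path /etc/nginx/nginx.conf is an assumption.

```shell
#!/bin/sh
# Added example, not from the original page: post-install sanity checks for a
# Certbot-issued certificate and the nginx.conf that references it.
# Assumes the openssl CLI is installed and the /etc/letsencrypt/live/<domain>/
# layout shown on the page; the default conf path below is an assumption.

# 0 if the config has the location block that serves HTTP-01 challenge files.
conf_serves_acme_challenge() {
    grep -q 'location /\.well-known/acme-challenge/' "$1"
}

# 0 if both ssl_certificate directives point at Certbot's live/ files for the
# domain (dots in the domain match any character; fine for a sanity check).
conf_references_live_paths() {
    grep -Eq "ssl_certificate[[:space:]]+/etc/letsencrypt/live/$2/fullchain.pem;" "$1" &&
    grep -Eq "ssl_certificate_key[[:space:]]+/etc/letsencrypt/live/$2/privkey.pem;" "$1"
}

# 0 if the private key belongs to the leaf certificate (nginx refuses to start
# otherwise). Compares the SubjectPublicKeyInfo derived from each file.
cert_matches_key() {
    cert_pub=$(openssl x509 -pubkey -noout -in "$1" 2>/dev/null) || return 2
    key_pub=$(openssl pkey -pubout -in "$2" 2>/dev/null) || return 2
    [ "$cert_pub" = "$key_pub" ]
}

# 0 if the leaf certificate is still valid DAYS days from now, 1 if it expires
# inside that window. Certbot renews when fewer than 30 days remain, so a
# failure with DAYS=30 means the renewal timer is not doing its job.
cert_valid_for_days() {
    openssl x509 -checkend $(( ${2:-30} * 86400 )) -noout -in "$1" >/dev/null 2>&1
}

# Run every check for one domain, report each failure, return non-zero on any.
run_checks() {
    domain=$1; conf=${2:-/etc/nginx/nginx.conf}
    live=/etc/letsencrypt/live/$domain; status=0
    conf_serves_acme_challenge "$conf" || { echo "FAIL: no acme-challenge location in $conf"; status=1; }
    conf_references_live_paths "$conf" "$domain" || { echo "FAIL: $conf does not use $live/*.pem"; status=1; }
    cert_matches_key "$live/fullchain.pem" "$live/privkey.pem" || { echo "FAIL: key/cert mismatch in $live"; status=1; }
    cert_valid_for_days "$live/fullchain.pem" 30 || { echo "FAIL: cert expires within 30 days; check 'certbot renew'"; status=1; }
    [ "$status" -eq 0 ] && echo "OK: $domain"
    return "$status"
}

# Only runs when given a domain, e.g.: sh tls-check.sh example.com /etc/nginx/nginx.conf
if [ $# -gt 0 ]; then run_checks "$@"; fi
```

Schedule it alongside the renewal timer (for example from cron) so a stalled renewal is noticed well before the certificate expires.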
Key Concept

If you remember nothing else from this pattern, remember: Certbot automates getting and installing free SSL certificates to secure your Nginx website with HTTPS.

Common Mistakes
Not opening port 80 in the firewall before running Certbot
Certbot needs to verify domain ownership via HTTP on port 80; blocking it causes verification failure.
Ensure port 80 is open in your firewall before running Certbot.
Running Certbot without the --nginx flag when using Nginx
Without the Nginx plugin, Certbot won't automatically update your Nginx config to use the new certificates.
Use 'certbot --nginx' to let Certbot configure Nginx automatically.
Not reloading Nginx after certificate installation
Nginx won't use the new certificates until it reloads the configuration.
Run 'sudo systemctl reload nginx' after Certbot finishes.
Summary
Install Certbot and the Nginx plugin to manage SSL certificates.
Run Certbot with the --nginx flag and your domain names to get and install certificates.
Reload Nginx to apply the new SSL configuration.
Test automatic renewal with 'certbot renew --dry-run' to avoid certificate expiration.