DEV Community

Orestis Pantazos
Orestis Pantazos

Posted on • Edited on

🌊 How To Secure Nginx with Let's Encrypt on Ubuntu 18.04 in DigitalOcean

Step 1

Installing Certbot

sudo add-apt-repository ppa:certbot/certbot
Enter fullscreen mode Exit fullscreen mode
sudo apt install python-certbot-nginx
Enter fullscreen mode Exit fullscreen mode

Step 2

Confirming Nginx’s Configuration

sudo nano /etc/nginx/sites-available/example.com
Enter fullscreen mode Exit fullscreen mode

/etc/nginx/sites-available/example.com

...
server_name example.com www.example.com;
...
Enter fullscreen mode Exit fullscreen mode
sudo nginx -t
Enter fullscreen mode Exit fullscreen mode
sudo systemctl reload nginx
Enter fullscreen mode Exit fullscreen mode

Step 3

Allowing HTTPS Through the Firewall

sudo ufw status
Enter fullscreen mode Exit fullscreen mode
Output
Status: active

To                         Action      From
--                         ------      ----
OpenSSH                    ALLOW       Anywhere                  
Nginx HTTP                 ALLOW       Anywhere                  
OpenSSH (v6)               ALLOW       Anywhere (v6)             
Nginx HTTP (v6)            ALLOW       Anywhere (v6)
Enter fullscreen mode Exit fullscreen mode
sudo ufw allow 'Nginx Full'
sudo ufw delete allow 'Nginx HTTP'
Enter fullscreen mode Exit fullscreen mode
sudo ufw status
Enter fullscreen mode Exit fullscreen mode
Output
Status: active

To                         Action      From
--                         ------      ----
OpenSSH                    ALLOW       Anywhere
Nginx Full                 ALLOW       Anywhere
OpenSSH (v6)               ALLOW       Anywhere (v6)
Nginx Full (v6)            ALLOW       Anywhere (v6)
Enter fullscreen mode Exit fullscreen mode

Step 4

Obtaining an SSL Certificate

sudo certbot --nginx -d example.com -d www.example.com
Enter fullscreen mode Exit fullscreen mode
Output
Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
-------------------------------------------------------------------------------
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
-------------------------------------------------------------------------------
Select the appropriate number [1-2] then [enter] (press 'c' to cancel):
Enter fullscreen mode Exit fullscreen mode
Output
IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/example.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/example.com/privkey.pem
   Your cert will expire on 2018-07-23. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot again
   with the "certonly" option. To non-interactively renew *all* of
   your certificates, run "certbot renew"
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le
Enter fullscreen mode Exit fullscreen mode

Step 5

Verifying Certbot Auto-Renewal

sudo certbot renew --dry-run
Enter fullscreen mode Exit fullscreen mode

Top comments (0)