Install Let’s Encrypt on Ubuntu 16.04 with Nginx
With Chrome version 62 & 63 being released, websites with any kind of text input will need an SSL certificate. Learn how to add a FREE SSL in your server. This tutorial will guide you in how to add a free SSL on your website.
To follow this tutorial, you will need:
- Both of the following DNS records set up for your server.
- An A record with example.com pointing to your server’s public IP address.
- An A record with www.example.com pointing to your server’s public IP address.
- Nginx installed by following How To Install Nginx on Ubuntu 16.04.
Step 1 — Installing Certbot
The first step to using Let’s Encrypt to obtain an SSL certificate is to install the Certbot software on your server.
Certbot is in very active development, so the Certbot packages provided by Ubuntu tend to be outdated. However, the Certbot developers maintain a Ubuntu software repository with up-to-date versions, so we’ll use that repository instead.
First, add the repository and click enter to accept.
sudo add-apt-repository ppa:certbot/certbot
Update your server.
sudo apt-get update
Install Certbot’s Nginx package.
sudo apt-get install python-certbot-nginx
Certbot is now ready to use.
Step 2 — Obtaining an SSL Certificate
certbot --authenticator standalone --installer nginx -d <domain> --pre-hook "service nginx stop" --post-hook "service nginx start"
If this is your first time running certbot, you will be prompted to enter an email address and agree to the terms of service. After doing so, certbot will communicate with the Let’s Encrypt server, then run a challenge to verify that you control the domain you’re requesting a certificate for.
If that’s successful, certbot will ask how you’d like to configure your HTTPS settings.
Select your choice then hit ENTER. The configuration will be updated, and Nginx will reload to pick up the new settings. certbot will wrap up with a message telling you the process was successful and where your certificates are stored:
Your certificates are downloaded, installed, and loaded. Try reloading your website using
https:// and notice your browser’s security indicator. It should indicate that the site is properly secured, usually with a green lock icon. If you test your server using the SSL Labs Server Test, it will get an A grade.
Step 5 — Verifying Certbot Auto-Renewal
Let’s Encrypt’s certificates are only valid for ninety days. This is to encourage users to automate their certificate renewal process. The certbot package we installed takes care of this for us by running ‘certbot renew’ twice a day via a systemd timer. On non-systemd distributions this functionality is provided by a script placed in /etc/cron.d. This task runs twice a day and will renew any certificate that’s within thirty days of expiration.
To test the renewal process, you can do a dry run with certbot:
sudo certbot renew --dry-run