Frequently Asked Questions

How to Install Let's Encrypt With Nginx on Ubuntu 16.04 and Ubuntu 18.04
Last Updated 5 months ago

Requirements:

You need Ubuntu 16.04 or Ubuntu 18.04 server with SSH access, registered domain name pointed to your server’s IP and a sdsmall portion of the knowledge of how to use Linux console and execute commands on the Ubuntu server. The whole installation will take around 30 minutes.

Step 1 - Install LetsEncrypt

Before installing new software, you should always consider updating the package list in order to have your software up to date.

sudo apt-get update

Add software repository Ubuntu 16.04


sudo apt-get install software-properties-common python-software-properties

sudo add-apt-repository ppa:certbot/certbot

sudo apt-get update




Add software repository Ubuntu 18.04


sudo apt-get install software-properties-common

sudo add-apt-repository ppa:certbot/certbot

sudo apt-get update




Installation

For now, everything is ready to install LetsEncrypt on your server:

sudo apt-get install letsencrypt

This command will install the letsencrypt dummy package that includes certbot and other utilities for SSL installation.

Step 2 - Configure NginX for Let's Encrypt SSL

In my configuration examples, I will use the domain name ssl.itsyndicate.org. Do not forget to change it for your needs when you do a copy-paste. Now it's time for a small life-hack that will show you how to optimize the process of adding new certificates to your server. We will use NginX default config to catch all requests with a non-secure connection that are going to our server, non-ssl, which will target 80 port.


server {

    listen  80 default_server;

    server_name _;


    location ~ /\.well-known/acme-challenge/ {

        allow all;

        root /var/www/letsencrypt;

        try_files $uri =404;

        break;

    }

}

As you can see we are using /\.well-known/acme-challenge/ directory to catch all requests for location and /var/www/letsencrypt directory to host acme-challenges. So let’s create directory after you edited the default NginX vhost config:


sudo mkdir -p /var/www/letsencrypt

Before applying changes to your NginX settings always check configuration file:


sudo nginx -t

You should get a notification that syntax is ok:


nginx: the configuration file /etc/nginx/nginx.conf syntax is ok

nginx: configuration file /etc/nginx/nginx.conf test is successful

To apply changes to our new NginX vhost configuration that is designed to catch all of your Let's Encrypt certificates challenges do the following:

sudo service nginx reload

Step 3 - Request New Let's Encrypt SSL

Now it is time to request our first Let's Encrypt SSL certificate for our domain:


sudo letsencrypt certonly -a webroot --webroot-path=/var/www/letsencrypt -m mail@example.com --agree-tos -d ssl.itsyndicate.org




Let me describe some important options in our command:

--webroot-path=/var/www/letsencrypt – here we configure a directory where all requests will be stored. We configured NginX to serve this directory.

-m mail@example.com – with this option you are setting up your e-mail address

--agree-tos – this option is needed not to prepare TOS and to accept them. This is some kind of fully automated way to install Let’s Encrypt SSL

-d ssl.itsyndicate.org – this option is used to issue SSL for the desired domain

After command execution you should see Congratulations message:


IMPORTANT NOTES:

- If you lose your account credentials, you can recover through

e-mails sent to mail@example.com.

- Congratulations! Your certificate and chain have been saved at

/etc/letsencrypt/live/ssl.itsyndicate.org/fullchain.pem. Your cert

will expire on 2018-08-01. To obtain a new version of the

certificate in the future, simply run Let's Encrypt again.

- Your account credentials have been saved in your Let's Encrypt

configuration directory at /etc/letsencrypt. You should make a

secure backup of this folder now. This configuration directory will

also contain certificates and private keys obtained by Let's

Encrypt so making regular backups of this folder is ideal.

- If you like Let's Encrypt, please consider supporting our work by:


Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate

Donating to EFF: https://eff.org/donate-le




Step 4 - Configure NginX vhost

Now we have new SSL installed to /etc/letsencrypt/live/ssl.itsyndicate.org/. It's time to configure our NginX vhost to serve https requests for the desired domain. Here is my example:


server {

    server_name itsyndicate.org;

    listen 443 ssl;


    ssl on;

    ssl_certificate     /etc/letsencrypt/live/ssl.itsyndicate.org/fullchain.pem;

    ssl_certificate_key /etc/letsencrypt/live/ssl.itsyndicate.org/privkey.pem;


    root /var/www/html/;

    index index.php index.html index.htm;


    location ~ /.well-known {

        root /var/www/letsencrypt;

        allow all;

    }

}

Let's test and reload our new NginX configuration:


sudo nginx -t 

sudo service nginx reload




Step 5 - Configure Let's Encrypt SSL Auto Renewal

Let's Encrypt issues certificates for 90 days. You have an opportunity to reinstall it manually when you got the email that your SSL expires soon, but I think there is a smart way to automate that. We will use daily cron on our Ubuntu server to renew our SSL certificate. Due to the different version of the letsencrypt package in Ubuntu 16.04 and Ubuntu 18.04, I will use different renewal commands.

Ubuntu 16.04 Let's Encrypt renewal

I use the /etc/cron.daily/letsencrypt file to setup cron with the following content:


#!/bin/bash

/usr/bin/letsencrypt renew && /etc/init.d/nginx reload




Ubuntu 18.04 Let's Encrypt renewal

I use the same file '/etc/cron.daily/letsencrypt' but with another content:


#!/bin/bash

/usr/bin/letsencrypt renew --renew-hook "/etc/init.d/nginx reload"




Step 6 - Test SSL Configuration

When we are done with configuration it's time to take a cup of coffee and relax test our configuration. There are dozens of options to test SSL, but I will use two, the first one is curl:


curl -vI https://ssl.itsyndicate.org


* Server certificate:

*  subject: CN=ssl.itsyndicate.org

*  start date: May  3 15:44:12 2018 GMT

*  expire date: Aug  1 15:44:12 2018 GMT

*  subjectAltName: host "ssl.itsyndicate.org" matched cert's "ssl.itsyndicate.org"

*  issuer: C=US; O=Let's Encrypt; CN=Let's Encrypt Authority X3

*  SSL certificate verify ok.

Please Wait!

Please wait... it will take a second!