In this tutorial, we'll explain how to install Certbot on Ubuntu 22.04 with Nginx. It will secure the Nginx web server using Let’s Encrypt SSL certificates.
Certbot is a free, open source software tool for automatically using Let’s Encrypt certificates on manually-administrated websites to enable HTTPS. We can install SSL using command-line interface.
Let's Encrypt is a Certificate Authority (CA) that provides SSL/TLS encryption at no charges and the certificate is valid for 90 days, duing which renewal can take place at any time.
Prerequisites
- A Ubuntu 22.04 and Nginx installed dedicated server or cloud server with root or non-root access (for non-root, use "sudo").
- Registered domain that you wish to get the certificate.
- A DNS A record that points your domain to the public IP address of the server.
Install Certbot on Ubuntu With Nginx
1. Keep server up-to-date
apt update -y
2. Install Certbot Nginx Package
apt install certbot python3-certbot-nginx -y
3. Obtaining a Certificate
Obtain a certificate using certbot command. The Nginx plugin will take care of reconfiguring Nginx and reloading the config.
certbot --nginx -d yoursite.com -d www.yousite.com
By running certbot first time, you will be prompted to enter an email address and agree to the terms of service. Next, Certbot will communicate with Let's Encrypt server.
Once, it deploy the SSL certificate, it will display similar output:
Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/yousite.com/fullchain.pem
Key is saved at: /etc/letsencrypt/live/yousite.com/privkey.pem
This certificate expires on 2024-05-18.
These files will be updated when the certificate renews.
Certbot has set up a scheduled task to automatically renew this certificate in the background.
Deploying certificate
Successfully deployed certificate for yousite.com to /etc/Nginx2/sites-available/yousite.com-le-ssl.conf
Congratulations! You have successfully enabled HTTPS on https://yousite.com
4. Verify Certbot Auto-renewal
Verify that the Certbot's auto renewal service is active and running. The certbot package we installed takes care of this for us by adding a systemd timer that will run twice a day and automatically renew any certificate that’s within thirty days of expiration.
You can query the status of the timer with systemctl:
systemctl status certbot.timer
Similar output will be print on the console:
● certbot.timer - Run certbot twice daily
Loaded: loaded (/lib/systemd/system/certbot.timer; enabled; vendor preset: enabled)
Active: active (waiting) since Sun 2024-02-18 11:41:26 UTC; 6min ago
Trigger: Sun 2024-02-18 14:08:16 UTC; 2h 19min left
Triggers: ● certbot.service
Feb 18 11:41:26 yousite.com systemd[1]: Started Run certbot twice daily.
5. Test automatic renewal
Certbot comes with a cron job or systemd timer that will renew your certificates automatically before they expire.
Let's test automatic renewal for our certificates by running this command:
certbot renew --dry-run
Similar output will print:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/squid.hnxcloud.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Account registered.
Simulating renewal of an existing certificate for squid.hnxcloud.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations, all simulated renewals succeeded:
/etc/letsencrypt/live/squid.hnxcloud.com/fullchain.pem (success)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
5. Confirm SSL certificate
To confirm that our site is set up properly, visit https://yoursite.com/ in your browser and look for the lock icon in the URL bar
That's it. We have seen how to install Certbot on Ubuntu 22.04 with Nginx.
