Nginx SSL/TLS Configuration with Let's Encrypt Certbot

Introduction
This guide will walk you through setting up SSL/TLS on Nginx using Let's Encrypt Certbot.
What is Let's Encrypt Certbot?
Let's Encrypt is a free, automated, and open certificate authority (CA) that issues SSL/TLS certificates at no cost. Certbot is a free, open-source tool that obtains Let's Encrypt certificates and installs them on manually administered web servers to enable HTTPS.
Prerequisites
- A server running Nginx
- A domain name pointing to your server's IP address
- A non-root user with sudo privileges
Step 1 - Install Certbot
Install Certbot and the Nginx Certbot plugin using the following command:
sudo apt install certbot python3-certbot-nginx
Step 2 - Obtain SSL/TLS Certificate
Run the following command to obtain an SSL/TLS certificate for your domain:
sudo certbot --nginx -d example.com -d www.example.com
You will be prompted to enter an email address and agree to the terms of service. After that, you will be asked if you want to redirect HTTP traffic to HTTPS. Choose option 2 to redirect all traffic to HTTPS.
Step 3 - Test SSL/TLS Certificate Renewal
Run the following command to test the automatic renewal of your SSL/TLS certificate:
sudo certbot renew --dry-run
If the command runs successfully, you will see the following output:
Congratulations, all renewals succeeded. The following certs have been renewed:
/etc/letsencrypt/live/example.com/fullchain.pem (success)
Step 4 - Configure SSL/TLS on Nginx
First, configure your website to redirect all HTTP traffic to HTTPS. Open your Nginx configuration file:
sudo nano /etc/nginx/sites-available/example.com
Add the following lines to your Nginx configuration file:
server {
    listen 80;
    listen [::]:80;
    server_name example.com www.example.com;
    # Redirect all HTTP traffic to HTTPS
    return 301 https://$host$request_uri;
}
Static Files
If you are serving static files, you can configure SSL/TLS by adding the following lines to your Nginx configuration file:
sudo nano /etc/nginx/sites-available/example.com
# ...
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    root /var/www/example.com/html;
    index index.html index.htm index.nginx-debian.html;
    server_name example.com www.example.com;
    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
    location / {
        try_files $uri $uri/ =404;
    }
}
Reverse Proxy
If you are using Nginx as a reverse proxy, you can configure SSL/TLS by adding the following lines to your Nginx configuration file:
sudo nano /etc/nginx/sites-available/example.com
# ...
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name example.com www.example.com;
    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
    location / {
        proxy_pass http://localhost:3000;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_set_header Host $host;
        proxy_cache_bypass $http_upgrade;
    }
}
Running PHP
If you are running PHP, you can configure SSL/TLS by adding the following lines to your Nginx configuration file:
sudo nano /etc/nginx/sites-available/example.com
# ...
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    root /var/www/example.com/html;
    index index.php index.html index.htm index.nginx-debian.html;
    server_name example.com www.example.com;
    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
    location / {
        try_files $uri $uri/ =404;
    }
    location ~ \.php$ {
        include snippets/fastcgi-php.conf;
        fastcgi_pass unix:/run/php/php8.2-fpm.sock;
    }
}
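To confirm that a site file really has the layout the steps above produce (a plain-HTTP block that 301-redirects to https, and TLS blocks whose chain and key are the certbot-issued files under /etc/letsencrypt/live/<domain>/), here is an added Python checker with a minimal nginx-syntax parser. It is example code, not part of certbot or nginx; SAMPLE_CONF is a constructed copy of the redirect and static-files blocks above, and the same check applies to the reverse-proxy and PHP variants.

```python
import re
# Constructed sample: the redirect block and the static-files TLS block from this guide.
SAMPLE_CONF = """
server {
    listen 80;
    server_name example.com www.example.com;
    return 301 https://$host$request_uri;
}
server {
    listen 443 ssl http2;
    server_name example.com www.example.com;
    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
}
"""
# Tokens: comment, block/statement punctuation, quoted string, bare word.
TOKEN = re.compile(r'#[^\n]*|[{};]|"[^"]*"|\'[^\']*\'|[^\s{};#"\']+')

def parse(text):
    """Parse nginx syntax into nested (name, args, children) tuples; children is None for a directive."""
    stack, args = [[]], []                 # stack[-1] is the innermost open block
    for tok in (t for t in TOKEN.findall(text) if t[0] != '#'):
        if tok == '{':                     # args collected so far form the block header
            block = (args[0], args[1:], [])
            stack[-1].append(block)
            stack.append(block[2]); args = []
        elif tok == '}':
            stack.pop()
        elif tok == ';':
            stack[-1].append((args[0], args[1:], None)); args = []
        else:
            args.append(tok.strip('"\''))
    return stack[0]

def check_site(text, domain):
    """Pass/fail findings for the server-block layout this guide sets up (example checker)."""
    d = lambda s, n: [a for name, a, _ in s[2] if name == n]     # args of directive n in block s
    servers = [s for s in parse(text) if s[0] == 'server']
    is_tls = lambda s: any('ssl' in a for a in d(s, 'listen'))
    tls, plain = [s for s in servers if is_tls(s)], [s for s in servers if not is_tls(s)]
    live = f'/etc/letsencrypt/live/{domain}/'
    return {
        # every plain-HTTP block answers only with a 301 to an https:// URL
        'http_redirects': bool(plain) and all(
            d(s, 'return') and all(len(a) == 2 and a[0] == '301' and a[1].startswith('https://')
                                   for a in d(s, 'return')) for s in plain),
        # every TLS block uses exactly the certbot-issued chain and key for this domain
        'cert_from_letsencrypt': bool(tls) and all(
            d(s, 'ssl_certificate') == [[live + 'fullchain.pem']]
            and d(s, 'ssl_certificate_key') == [[live + 'privkey.pem']] for s in tls),
    }
```

This checks only the structure of the file; still run `sudo nginx -t` before reloading, since only nginx itself can confirm that the whole configuration loads.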
Conclusion
You have successfully set up SSL/TLS on Nginx using Let's Encrypt Certbot.