Sling Academy

NGINX & Let’s Encrypt: The Complete Guide

Last updated: January 20, 2024

NGINX is a powerful, high-performance web server that has become increasingly popular due to its scalability and flexibility. Integrating NGINX with Let’s Encrypt, a free Certificate Authority, allows you to secure your web applications with HTTPS. This complete guide walks you through the process step by step.

Why Use NGINX with Let’s Encrypt?

Before diving into the setup, it’s important to understand why securing your web server with Let’s Encrypt is advantageous:

  • Security: Encrypting traffic between your server and clients protects credentials, session cookies and other sensitive data from eavesdropping and tampering on the network.
  • Trust: A Let’s Encrypt certificate is domain-validated: it proves to the browser that the server it reached controls the domain in the URL, so users cannot be silently redirected to an impostor. It says nothing about who operates the site, so it does not by itself protect against phishing on a look-alike domain.
  • SEO: Google treats HTTPS as a (lightweight) ranking signal, and browsers mark plain-HTTP pages as “Not secure”.
  • Performance: NGINX terminates TLS efficiently, and because browsers only negotiate HTTP/2 over TLS, an HTTPS site is often faster than its plain-HTTP counterpart.

Prerequisites

To follow this guide effectively, ensure you have:

  • A server running Debian or Ubuntu with NGINX installed (the package commands below use apt; other distributions package Certbot as well).
  • A registered domain name whose A/AAAA records point to the server’s IP address, with port 80 reachable from the internet: the NGINX plugin proves control of the name by answering Let’s Encrypt’s HTTP-01 challenge over plain HTTP.
  • SSH access to your server.
  • Basic knowledge of NGINX configuration and the terminal.

Step-by-Step Instructions

Step 1: Install Certbot

Certbot is the EFF’s Let’s Encrypt client and the usual way to obtain certificates: it proves control of your domain, installs the certificate and keeps renewing it. Install Certbot and its NGINX plugin, which edits the NGINX configuration and reloads the server for you (the snap package described on certbot.eff.org is newer than the distribution package; either works for this guide):

sudo apt update
sudo apt install certbot python3-certbot-nginx

Step 2: Obtain Your SSL/TLS Certificate

Run Certbot with the NGINX plugin to obtain and install your certificate:

sudo certbot --nginx -d yourdomain.com -d www.yourdomain.com 

Replace yourdomain.com and www.yourdomain.com with your registered domain names; every name you list must resolve to this server, because Let’s Encrypt validates each one. Certbot locates the server block whose server_name matches, writes the certificate and key under /etc/letsencrypt/live/yourdomain.com/, adds the ssl_certificate lines to that block, and offers (in current releases, applies by default) a redirect from HTTP to HTTPS. The private key is generated on your server and never leaves it; only the certificate request is sent to Let’s Encrypt.

Step 3: Test HTTPS Configuration

Navigate to https://yourdomain.com (and to https://www.yourdomain.com) and confirm that the browser shows a valid certificate covering every name you requested. Then run SSL Labs’ SSL Server Test against the host: it reports an incomplete certificate chain, legacy protocol versions, weak cipher suites and a missing HSTS header, none of which a browser check reveals. Fix whatever it flags before continuing; an incomplete chain in particular tends to work in a desktop browser, which fetches missing intermediates itself, and fail for curl, mobile apps and monitoring agents.

Step 4: Automatic Certificate Renewal

Let’s Encrypt’s certificates are valid for 90 days, so renewal has to be automatic. The certbot package installs a systemd timer (certbot.timer, with a cron job as fallback) that runs certbot renew twice a day; that command renews any certificate with fewer than 30 days of validity left and, through the NGINX plugin, reloads NGINX so the new certificate is actually served. Confirm the whole process end to end with a dry run:

sudo certbot renew --dry-run

This performs a complete renewal against Let’s Encrypt’s staging environment without touching your real certificates, so it catches a blocked port 80, a changed DNS record or a broken NGINX reload before a certificate silently expires. Also check that the timer is active (systemctl list-timers should list certbot.timer), and monitor expiry independently: a timer that has stopped firing produces no error you would otherwise see.
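One way to confirm that the renewal job is actually keeping up, as an added example that is not part of the original guide or of certbot: the script below parses the report printed by certbot certificates and recomputes how many days each certificate has left against its own clock, flagging anything under certbot’s 30-day renewal threshold. The report text and the reference date are constructed samples, and the report layout is assumed from certbot 2.x.

```python
"""Flag certificates whose renewal is overdue, from `certbot certificates` output.

Added example for this guide, not part of certbot. SAMPLE_REPORT is a
constructed imitation of certbot's report layout (assumed from certbot 2.x);
the names, serials and paths are placeholders. For a real check run:
    certbot certificates | python3 check_renewals.py
"""
import math
import sys
from datetime import datetime, timezone

# certbot's default renew_before_expiry: a certificate with fewer days left than
# this should already have been renewed, so the timer/cron job is not working.
RENEW_BEFORE_DAYS = 30

# Reference "now" for the constructed sample: the guide's date.
SAMPLE_NOW = datetime(2024, 1, 20, 12, 0, tzinfo=timezone.utc)

SAMPLE_REPORT = """\
Found the following certs:
  Certificate Name: yourdomain.com
    Serial Number: 4a1f0b9c
    Key Type: ECDSA
    Domains: yourdomain.com www.yourdomain.com
    Expiry Date: 2024-04-19 10:12:33+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/yourdomain.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/yourdomain.com/privkey.pem
  Certificate Name: old.yourdomain.com
    Serial Number: 9b7c21e0
    Key Type: RSA
    Domains: old.yourdomain.com
    Expiry Date: 2024-02-01 08:00:00+00:00 (VALID: 11 days)
    Certificate Path: /etc/letsencrypt/live/old.yourdomain.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/old.yourdomain.com/privkey.pem
  Certificate Name: dead.yourdomain.com
    Serial Number: 0c33d7a5
    Key Type: RSA
    Domains: dead.yourdomain.com
    Expiry Date: 2024-01-10 08:00:00+00:00 (INVALID: EXPIRED)
    Certificate Path: /etc/letsencrypt/live/dead.yourdomain.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/dead.yourdomain.com/privkey.pem
"""


def parse_report(report):
    """Return one dict per certificate: name, domains, expiry (aware datetime), path."""
    certs, cert = [], None
    for line in report.splitlines():
        key, _, value = line.strip().partition(": ")
        if key == "Certificate Name":
            cert = {"name": value, "domains": [], "expiry": None, "path": None}
            certs.append(cert)
        elif cert is None:
            continue
        elif key == "Domains":
            cert["domains"] = value.split()
        elif key == "Expiry Date":
            # Keep the timestamp, drop "(VALID: n days)": days left are recomputed
            # against our own clock rather than trusted from the report.
            cert["expiry"] = datetime.fromisoformat(value.split(" (")[0])
        elif key == "Certificate Path":
            cert["path"] = value
    return certs


def days_left(expiry, now):
    """Whole days until expiry; negative once the certificate has expired."""
    return math.floor((expiry - now).total_seconds() / 86400)


def audit(report, now=None):
    """Return [(name, days_left, status)] with status ok / renewal overdue / expired."""
    now = now or datetime.now(timezone.utc)
    rows = []
    for cert in parse_report(report):
        if cert["expiry"] is None:
            rows.append((cert["name"], None, "unparsed"))
            continue
        days = days_left(cert["expiry"], now)
        status = "expired" if days < 0 else "renewal overdue" if days < RENEW_BEFORE_DAYS else "ok"
        rows.append((cert["name"], days, status))
    return rows


if __name__ == "__main__":
    # A real report on stdin, otherwise the constructed sample against SAMPLE_NOW.
    piped = not sys.stdin.isatty()
    rows = audit(sys.stdin.read()) if piped else audit(SAMPLE_REPORT, SAMPLE_NOW)
    for name, days, status in rows:
        print(f"{name:30} {str(days):>5} days  {status}")
    # Non-zero exit lets cron or a monitoring agent alert on anything that is not "ok".
    sys.exit(0 if all(status == "ok" for _, _, status in rows) else 1)
```

Run it from the same timer that runs certbot renew, or from your monitoring system, and alert on a non-zero exit: on the sample, yourdomain.com is fine, old.yourdomain.com has slipped under the 30-day threshold (the renewal job has already missed it), and dead.yourdomain.com expired ten days ago. The “(VALID: n days)” field is deliberately ignored in favour of recomputing from the timestamp, so the check stays correct however old the captured report is.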

Step 5: Adjust Your NGINX Configuration

Certbot’s edits only add the certificate and key lines; the TLS settings themselves are whatever NGINX defaults to. The server block below, based on the intermediate profile from Mozilla’s SSL Configuration Generator, tightens them:

server {
    # On NGINX 1.25.1 and later prefer "listen 443 ssl;" plus a separate
    # "http2 on;" directive; the http2 parameter of listen is deprecated there.
    listen 443 ssl http2;
    server_name yourdomain.com www.yourdomain.com;

    ssl_certificate /etc/letsencrypt/live/yourdomain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/yourdomain.com/privkey.pem;

    # Restrict protocol versions explicitly: older NGINX releases still offer
    # TLSv1 and TLSv1.1 by default.
    ssl_protocols TLSv1.2 TLSv1.3;

    ssl_session_timeout 1d;
    ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
    # NGINX generates the ticket key at startup and never rotates it, which
    # weakens forward secrecy for resumed sessions; the session cache above
    # does not have that problem.
    ssl_session_tickets off;

    # TLS 1.2 suites from the "intermediate" profile of Mozilla's SSL Configuration
    # Generator (TLS 1.3 suites are fixed and not set here). The DHE-* suites are
    # only offered if ssl_dhparam points to a DH group such as Mozilla's ffdhe2048;
    # without it NGINX simply skips them.
    ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384';
    ssl_prefer_server_ciphers off;

    # OCSP stapling. Verifying the stapled response needs the issuer chain and a
    # DNS resolver for the responder's hostname; without them NGINX logs a warning
    # and staples nothing. Let's Encrypt has since announced that it is retiring
    # its OCSP service, so these directives do nothing for certificates issued
    # without an OCSP URL.
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /etc/letsencrypt/live/yourdomain.com/chain.pem;
    # resolver 127.0.0.53;  # example address; use the resolver this host actually uses

    # Security-related response headers. Before enabling Strict-Transport-Security,
    # read up on it: a browser that has seen it refuses plain HTTP for this host
    # until max-age expires, so every name you serve must keep working over HTTPS.
    # add_header is not inherited by a location block that has any add_header of
    # its own; repeat the headers there (or use an include) or they silently vanish.
    # add_header Strict-Transport-Security 'max-age=63072000' always;
    # add_header X-Content-Type-Options nosniff always;
    # add_header X-Frame-Options SAMEORIGIN always;
    # Modern browsers have dropped the filter X-XSS-Protection controlled, and it
    # could itself be abused, so current guidance (OWASP) is to set it to 0 or omit it.
    # add_header X-XSS-Protection 0 always;
    # strict-origin-when-cross-origin is the current browser default and leaks less.
    # add_header Referrer-Policy no-referrer-when-downgrade always;
    # The CSP value must be one quoted argument: unquoted, NGINX reads four
    # arguments and refuses to start ("invalid number of arguments").
    # add_header Content-Security-Policy "default-src 'self' https:; upgrade-insecure-requests" always;

    location / {
        # Your application configuration
    }
}

Examine and understand each line before adopting it, and adapt it to your site’s needs. After every change run sudo nginx -t and reload (sudo systemctl reload nginx) only when the test passes: a syntax error such as an unquoted header value is caught there instead of taking the server down on its next restart, and the SSL Labs test from Step 3 is the way to confirm the protocol and cipher changes took effect.
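An added example, not from the original guide or from NGINX, that turns the points above into a check you can run on a configuration file before nginx -t: a small parser for NGINX’s directive syntax and a linter that flags a missing or permissive ssl_protocols, stapling verification without a resolver, an add_header whose value was not quoted, a missing HSTS header, and the add_header inheritance trap. It runs on two constructed server blocks, a weak one and a hardened one; yourdomain.com, the resolver address 127.0.0.53 and the chain.pem path are placeholders.

```python
"""Lint TLS-related directives in NGINX server blocks.

Added example for this guide, not NGINX tooling: a minimal nginx-config parser
(directives, quoted values, comments, nested blocks) plus checks that mirror the
hardening points above. WEAK and HARDENED are constructed samples; the domain,
the resolver address and the chain path are placeholders. ssl_certificate and
ssl_certificate_key are omitted from the samples (same as the guide's block).
"""
import re
from collections import namedtuple

TOKEN_RE = re.compile(r"""\s+|\#[^\n]*                 # whitespace, comment
    |"(?:[^"\\]|\\.)*"|'(?:[^'\\]|\\.)*'              # quoted value = exactly one argument
    |[{};]|[^\s{};"'#]+""", re.VERBOSE)                # delimiters, bare word
Directive = namedtuple("Directive", "name args children")  # children: None, or a list for a block

def _unquote(tok):
    return tok[1:-1] if len(tok) > 1 and tok[0] == tok[-1] and tok[0] in "\"'" else tok

def parse(text):
    """Parse nginx configuration text into a list of Directive trees."""
    root = block = []
    stack, words = [], []
    for m in TOKEN_RE.finditer(text):
        tok = m.group(0)
        if tok.isspace() or tok.startswith("#"):
            continue
        if tok in (";", "{"):
            d = Directive(words[0], [_unquote(w) for w in words[1:]], [] if tok == "{" else None)
            block.append(d)
            words = []
            if tok == "{":
                stack.append(block)
                block = d.children
        elif tok == "}":
            block = stack.pop()
        else:
            words.append(tok)
    return root

def _find(block, name): return [d for d in block if d.name == name]

def lint_server(server):
    """Return (code, message) findings for one server block."""
    body, findings = server.children, []
    protos = _find(body, "ssl_protocols")
    if not protos or set(protos[-1].args) - {"TLSv1.2", "TLSv1.3"}:
        findings.append(("ssl-protocols", "ssl_protocols missing or enables legacy versions"))
    if any(d.args == ["on"] for d in _find(body, "ssl_stapling_verify")) and not _find(body, "resolver"):
        findings.append(("stapling-no-resolver", "ssl_stapling_verify on but no resolver: stapling fails silently"))
    server_headers = set()
    for d in _find(body, "add_header"):
        if len(d.args) not in (2, 3):  # name, value[, always]: an unquoted value splits into more
            findings.append(("add_header-args", f"add_header {d.args[0]} has {len(d.args)} arguments: quote the value"))
        server_headers.add(d.args[0].lower())
    if "strict-transport-security" not in server_headers:
        findings.append(("no-hsts", "no Strict-Transport-Security header"))
    for loc in _find(body, "location"):  # add_header is not inherited once a location sets its own
        loc_headers = {d.args[0].lower() for d in _find(loc.children, "add_header")}
        missing = server_headers - loc_headers
        if loc_headers and missing:
            findings.append(("add_header-shadowed", f"location {' '.join(loc.args)} drops {', '.join(sorted(missing))}"))
    return findings

def lint(text):
    """Lint each top-level server block that listens with ssl: {server_name: findings}."""
    results = {}
    for d in parse(text):
        if d.name == "server" and any("ssl" in ln.args for ln in _find(d.children, "listen")):
            results[next((n.args[0] for n in _find(d.children, "server_name")), "<unnamed>")] = lint_server(d)
    return results

WEAK = """
server {
    listen 443 ssl http2;
    server_name yourdomain.com www.yourdomain.com;
    ssl_stapling on;
    ssl_stapling_verify on;
    add_header Content-Security-Policy default-src 'self' https:;   # unquoted value
    location /api/ {
        add_header X-Frame-Options DENY always;
    }
}
"""
HARDENED = """
server {
    listen 443 ssl;
    server_name yourdomain.com www.yourdomain.com;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /etc/letsencrypt/live/yourdomain.com/chain.pem;
    resolver 127.0.0.53 valid=300s;
    add_header Strict-Transport-Security "max-age=63072000" always;
    add_header Content-Security-Policy "default-src 'self' https:; upgrade-insecure-requests" always;
    location /api/ {
        add_header Strict-Transport-Security "max-age=63072000" always;
        add_header Content-Security-Policy "default-src 'self' https:; upgrade-insecure-requests" always;
        add_header X-Frame-Options DENY always;
    }
}
"""

if __name__ == "__main__":
    for label, cfg in (("WEAK", WEAK), ("HARDENED", HARDENED)):
        print(label, lint(cfg))
```

Feed lint() the text of a file from /etc/nginx/sites-enabled to audit your own blocks; it reads top-level server blocks, which is how those files are laid out. The parser splits arguments the same way NGINX does, so the unquoted CSP line in WEAK shows up as an add_header with four arguments, exactly the condition that makes nginx -t fail, while the location under /api/ is reported for dropping the server-level headers even though its own directive is valid. A finding means “look at this”; nginx -t remains the authority on whether the file loads at all.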

Conclusion

This guide provided a comprehensive walkthrough of securing NGINX with a Let’s Encrypt SSL/TLS certificate. As security threats evolve, continue to check for updates to NGINX, Certbot, and best practices for HTTPS configuration. For further reading, consider exploring resources on HTTP/2, server hardening, and NGINX tuning for performance optimizations.
