Sotiris Kourouklis

Posted on • Edited on • Originally published at sotergreco.com

Step-by-Step Guide to Setting Up Let's Encrypt SSL on Nginx for Ubuntu

Let's Encrypt and Nginx are among the most popular technologies for deploying your app on a server. Today, we'll learn how to set up Nginx and a free SSL certificate with Certbot on your Ubuntu server.

Prerequisites

To make sure your Nginx works, you need to set up your DNS records properly:

  • Create an A record pointing to your server's public IP address:

    Record Type: A, Name: @, Content: YOUR_SERVER_IP

  • For subdomains, create an A record like this:

    Record Type: A, Name: your_subdomain, Content: YOUR_SERVER_IP

If you want to find your server's IP address, run this command on your command line:

$ ifconfig

NGINX

First we are going to install NGINX on your system.

$ sudo apt update

$ sudo apt install nginx

Now we are going to check if nginx is working:

$ systemctl status nginx

Output:

● nginx.service - A high performance web server and a reverse proxy server
   Loaded: loaded (/lib/systemd/system/nginx.service; enabled; vendor preset: enabled)
   Active: active (running) since Sun 2024-04-20 16:00:00 UTC; 3 days ago
     Docs: man:nginx(8)
 Main PID: 2569 (nginx)
    Tasks: 2 (limit: 1153)
   Memory: 3.5M
   CGroup: /system.slice/nginx.service
           ├─2369 nginx: master process /usr/sbin/nginx -g daemon on; master_process on;
           └─2380 nginx: worker process

Also, if you open your server's public IP address in a browser, you should see the default Nginx welcome page.

Let's Encrypt

The next step is to install Certbot in order to create SSL certificates for free. Certbot recommends installing through snapd, so this is what we are going to use.

$ sudo snap install core; sudo snap refresh core

$ sudo snap install --classic certbot

$ sudo ln -s /snap/bin/certbot /usr/bin/certbot

Now we are going to create the certificate using the command below.

$ sudo certbot --nginx -d test.com -d www.test.com --redirect --non-interactive --agree-tos --email your_email@example.com --keep-until-expiring

Here's what the command does:

  • --nginx: This tells certbot to configure the SSL certificate for a domain using the Nginx web server.

  • -d test.com -d www.test.com: These are the domain names for which you want to generate the SSL certificate.

  • --redirect: This option configures HTTPS redirection, automatically setting up redirects from HTTP to HTTPS for your domain.

  • --non-interactive: This flag ensures the script runs non-interactively and does not require user input.

  • --agree-tos: This option automatically agrees to the terms of service for certbot.

  • --email your_email@example.com: Replace your_email@example.com with your email address to receive notifications about the certificate's status and renewal.

  • --keep-until-expiring: This flag ensures that certbot will only renew the certificate when it is close to expiration.
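
After certbot finishes, it is worth confirming that the issued certificate covers every name passed with -d and is not close to expiry. The following is an added example, not part of the original article: the function names are made up here, the sample certificate is a constructed self-signed one, and on a real server you would point check_cert at /etc/letsencrypt/live/<your-domain>/fullchain.pem.

```shell
#!/bin/sh
# Added example: checks on a certificate file, e.g. the fullchain.pem certbot wrote.

# cert_covers <pem> <dns-name>: succeeds if the exact name is in the SAN list.
# Wildcard entries are not expanded; only literal matches count.
cert_covers() {
  openssl x509 -in "$1" -noout -ext subjectAltName 2>/dev/null |
    tr ',' '\n' | sed 's/^[[:space:]]*//' | grep -Fxq "DNS:$2"
}

# cert_expires_within <pem> <days>: succeeds if the cert expires within <days>
# (or cannot be read, so a missing file is reported rather than ignored).
cert_expires_within() {
  ! openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}

# check_cert <pem> <min-days> <name>...: prints one line per problem found.
check_cert() {
  pem=$1 min_days=$2; shift 2
  for name in "$@"; do
    cert_covers "$pem" "$name" || echo "missing SAN: $name"
  done
  if cert_expires_within "$pem" "$min_days"; then
    echo "expires within $min_days days"
  fi
}

# make_sample_cert <dir> <days>: constructed self-signed cert for trying the
# checks offline; it stands in for a real Let's Encrypt certificate.
make_sample_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days "$2" -subj "/CN=test.com" \
    -addext "subjectAltName=DNS:test.com,DNS:www.test.com" \
    -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null
}

# Usage: d=$(mktemp -d); make_sample_cert "$d" 20
#        check_cert "$d/cert.pem" 30 test.com www.test.com
```

The functions need OpenSSL 1.1.1 or newer for the -ext and -addext options.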

Configurations

Because of the --nginx flag, the configuration will be set up for nginx. However, your configuration depends on the type of app you are going to deploy, so below, I will provide some common examples.

All nginx configuration files are typically located at this path:

/etc/nginx/conf.d/default.conf

Configuration for a static app:

# HTTP server block
server {
    listen 80;
    listen [::]:80;
    server_name test.com www.test.com;

    # Redirect all HTTP traffic to HTTPS. A server-level return runs before
    # any location is matched, so this block needs no root or location.
    return 301 https://$host$request_uri;
}

# HTTPS server block
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name test.com www.test.com;
    # Path to index.html of your application
    root /var/www/html/front;

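    # SSL certificate and key (certbot stores them under
    # /etc/letsencrypt/live/<your-domain>/ as fullchain.pem and privkey.pem)
    ssl_certificate /path/to/your/certificate.crt;
    ssl_certificate_key /path/to/your/private.key;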

    location / {
        try_files $uri $uri/ /index.html;
    }
}

Deploying a server-side app like Next.js

# HTTP server block
server {
    listen 80;
    listen [::]:80;
    server_name yourdomain.com www.yourdomain.com;

    # Redirect all HTTP traffic to HTTPS
    return 301 https://$host$request_uri;
}

# HTTPS server block
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name yourdomain.com www.yourdomain.com;

    # SSL certificate and key
    ssl_certificate /path/to/your/certificate.crt;
    ssl_certificate_key /path/to/your/private.key;

    # Proxy configuration for Next.js
    location / {
        # Proxy requests to the Next.js server running on port 8080
        proxy_pass http://localhost:8080;

        # Set headers to preserve the original client IP and other information
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        # Timeout settings for proxying
        proxy_connect_timeout 60s;
        proxy_send_timeout 60s;
        proxy_read_timeout 60s;

        # Disable response buffering so nginx passes the app's output
        # to the client as soon as it is received
        proxy_buffering off;
    }
}

Again, everything depends on what you want to deploy, so small changes to your nginx config might be necessary.
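
Before reloading nginx with a config adapted from templates like these, a quick audit catches the usual leftovers: placeholder certificate paths, a port-80 block with no HTTPS redirect, a TLS listener with no certificate, and location blocks that a server-level return makes unreachable. This is an added example, not part of the original article; the function names and the sample config are constructed for illustration.

```shell
# Added example: audit nginx server blocks for leftovers from a copied template.
# Reads a config on stdin; prints one finding per line as "server#N: message".
audit_nginx_conf() {
  awk '
    { sub(/#.*/, "") }                            # drop comments
    !inblk && /^[ \t]*server[ \t]*[{]/ {          # a server block opens
      inblk = 1; depth = 0; n++
      plain = tls = redir = loc = cert = key = 0; ph = ""
    }
    inblk {
      if (depth == 1) {                           # directives directly in the server block
        if ($1 == "listen") { if ($0 ~ /ssl/) tls = 1; else plain = 1 }
        if ($1 == "return" && $3 ~ /^https:/) redir = 1
        if ($1 == "location") loc = 1
        if ($1 == "ssl_certificate") cert = 1
        if ($1 == "ssl_certificate_key") key = 1
        if ($1 ~ /^ssl_certificate/ && $2 ~ /^\/path\/to\//) {
          p = $2; sub(/;$/, "", p); ph = ph " " p
        }
      }
      depth += gsub(/[{]/, "{") - gsub(/[}]/, "}")
      if (depth == 0) { report(); inblk = 0 }
    }
    function report() {
      if (plain && !redir) print "server#" n ": plain HTTP served without redirect to HTTPS"
      if (plain && redir && loc) print "server#" n ": location is dead code behind server-level return"
      if (tls && !(cert && key)) print "server#" n ": TLS listener lacks ssl_certificate or ssl_certificate_key"
      if (ph != "") print "server#" n ": placeholder path left in:" ph
    }
  '
}

sample_conf() {   # constructed sample config, not taken from a real server
  cat <<'EOF'
server {
    listen 80;
    root /var/www/html/front;
    location / { try_files $uri $uri/ /index.html; }
    return 301 https://$host$request_uri;
}
server {
    listen 443 ssl http2;
    ssl_certificate /path/to/your/certificate.crt;
    ssl_certificate_key /path/to/your/private.key;
}
EOF
}

sample_conf | audit_nginx_conf
```

On a server, run it as `audit_nginx_conf < /etc/nginx/conf.d/default.conf`, then validate syntax with `sudo nginx -t` before reloading.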

Conclusion

In this guide, we covered how to set up Let's Encrypt SSL on an Nginx server running Ubuntu. We started with DNS configuration, installed Nginx, and secured it with a free SSL certificate from Certbot. Each step helps make your web application secure and operational.

Keep in mind, your Nginx configuration may need adjustments based on your app's needs, and regular updates are essential for security.

Thanks for reading, and I hope you found this article helpful. If you have any questions, feel free to email me at kourouklis@pm.me, and I will respond.

You can also keep up with my latest updates by checking out my X here: x.com/sotergreco

Top comments (1)

Samuel Rouse

Hello! It appears the second image in the "NGINX" section is not loading as expected.