Setup Let's Encrypt SSL For Nginx On Ubuntu

October 6, 2017
Install Certbot, set up nginx, obtain an SSL certificate and configure auto renewal.

Install Certbot

sudo add-apt-repository ppa:certbot/certbot
sudo apt-get update
sudo apt-get install python-certbot-nginx

Check if Certbot is running properly.

certbot --version

If you run into the following error, run sudo pip install -U six to fix it.

  File "/usr/lib/python2.7/dist-packages/acme/messages.py", line 46, in <module>
    @six.python_2_unicode_compatible
AttributeError: 'module' object has no attribute 'python_2_unicode_compatible'

Setup nginx

If you haven't installed nginx yet, refer to setup and install nginx.

Setup nginx configuration for your domain.

cd /etc/nginx/sites-available/
sudo cp default mydomain
# edit mydomain configuration file
sudo vi mydomain

Edit mydomain nginx configuration file to configure root and server_name.

server {
  ...

  # the html files are stored here
  root /usr/share/nginx/mydomain;
  ...

  # handle domain
  server_name mydomain.com www.mydomain.com;

  ...
}

Test that the edited nginx configuration is valid.

sudo nginx -t

Restart nginx.

sudo service nginx restart

Obtain SSL for nginx

Use certbot to obtain an SSL certificate for mydomain.com and www.mydomain.com.

sudo certbot --nginx -d mydomain.com -d www.mydomain.com

You will be prompted to select one of the following:

1) Allow both http and https
2) Redirect http request to https

You can list all available SSL certificates on this machine.

sudo certbot certificates

The nginx configuration at /etc/nginx/sites-available/mydomain is edited accordingly. Verify that the configuration is valid and restart nginx.

sudo nginx -t
sudo service nginx restart

You can now access your website over HTTPS at https://www.mydomain.com.

Auto Renewal

The SSL certificates expire every 3 months. You need to set up auto renewal through a cronjob.

sudo crontab -e

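The following entry attempts a renewal at 1am daily. Certbot only renews a certificate once it is within one month of its expiry date; before that the run leaves the certificate untouched. The minute field must be 0: a * there would start the job every minute from 1:00 to 1:59.

0 1 * * * /usr/bin/certbot renew --quiet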
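
A silent renew job can fail for weeks without anyone noticing, so it helps to check the certificates themselves. The script below is an added example, not part of the original post: it flags certificates the renew job should already have replaced. It assumes certbot's default /etc/letsencrypt/live/<name>/fullchain.pem layout and the openssl CLI; the function names, the check-certs.sh file name and the 21-day margin are hypothetical choices.

```shell
#!/bin/sh
# Added example: report certificates that the daily renew job should already
# have replaced. Assumes certbot's default layout,
# /etc/letsencrypt/live/<name>/fullchain.pem, and the openssl CLI.

# renewal_status PEM [DAYS] prints OK, OVERDUE, EXPIRED, INVALID or MISSING
# and returns 0 only for OK. DAYS defaults to 21 (an assumed margin): renewal
# starts a month before expiry, so fewer than 21 days left means the job has
# been failing for over a week.
renewal_status() {
  pem=$1
  days=${2:-21}
  [ -r "$pem" ] || { echo MISSING; return 4; }
  openssl x509 -noout -in "$pem" >/dev/null 2>&1 || { echo INVALID; return 3; }
  # -checkend N exits 0 only if the certificate is still valid N seconds from now.
  openssl x509 -checkend 0 -noout -in "$pem" >/dev/null 2>&1 ||
    { echo EXPIRED; return 2; }
  openssl x509 -checkend $((days * 86400)) -noout -in "$pem" >/dev/null 2>&1 ||
    { echo OVERDUE; return 1; }
  echo OK
}

# check_all LIVE_DIR [DAYS] prints one line per certificate and returns
# non-zero if any of them is not OK, so the caller can alert on the exit status.
check_all() {
  live=$1
  days=${2:-21}
  rc=0
  for pem in "$live"/*/fullchain.pem; do
    [ -e "$pem" ] || continue
    status=$(renewal_status "$pem" "$days") || rc=1
    end=$(openssl x509 -enddate -noout -in "$pem" 2>/dev/null) || end=unknown
    echo "$status $pem ${end#notAfter=}"
  done
  return "$rc"
}

# Usage: sudo sh check-certs.sh /etc/letsencrypt/live
if [ "$#" -gt 0 ]; then
  check_all "$@"
fi
```

Run it from root's crontab some time after the renew entry and alert on a non-zero exit status.
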
This work is licensed under a
Creative Commons Attribution-NonCommercial 4.0 International License.