This tutorial will teach you how to install Nginx and let it manage the free Let's Encrypt TLS/SSL certificate. If you are starting now and want a safe server installation, I suggest you read this article.

OK, let's start with some definitions and then we start with the magic steps:

Let's Encrypt: a certificate authority (CA) that provides free digital certificates to allow HTTPS on websites.

Nginx: a web server that can also be used as a load balancer, reverse proxy, mail proxy and HTTP cache.

HTTPS: (Hyper Text Transfer Protocol Secure) an implementation of the HTTP protocol over an additional security layer that uses the SSL/TLS protocol.

SSL/TLS protocol: Transport Layer Security (TLS) and its predecessor, Secure Sockets Layer (SSL) (which is now deprecated), are application protocols that provide communications security over a computer network.

Certbot: a client (tool) that runs on the server to fetch and deploy SSL certificates.

And why should I have an HTTPS website?

The main reason to use HTTPS is that it guarantees that your connection with the server is secure. OK, maybe you just have an HTML page without any dynamic content. Even so, there are other reasons:

1) Google started using HTTPS as a ranking factor, so if you want your website to have a good position in Google's search results, you should consider using it.
2) Chrome started showing a "Not secure" warning for pages that are not served over HTTPS, so if you don't want to scare your users, that's a reason to have it.

Assuming you have an Ubuntu web server installed and running, and a domain name pointing to it (in this tutorial the domain name is temporary-website.tk), we will install Nginx on it.

Install Nginx and Certbot

Connect to your server.
Type the following command to install Nginx:

$ sudo apt-get install nginx

After installing it, you can access your domain and check that something is already available (without HTTPS):

[Figure: Insecure website]

We will use the Certbot repository to get up-to-date versions of the packages. Let's add it:

$ sudo add-apt-repository ppa:certbot/certbot

Update the package list to have up-to-date items:

$ sudo apt-get update

Install Certbot's Nginx package:

$ sudo apt-get install python-certbot-nginx

Generate certificate and configure Nginx

Finally, let's make Certbot get a certificate and configure it automatically for us:

$ sudo certbot --nginx -d temporary-website.tk

For this step, you will need to add your email (it will receive notifications from Let's Encrypt if the certificate is about to expire). You will then have two options: redirect the requests from HTTP to HTTPS, or not. I chose to redirect.

If you previously set up a firewall, read the section 'Allow firewall' below; if not, that's it, you will have your website using HTTPS. 🎉

[Figure: Safer website]

The website is working under HTTPS now. Now let's make some more improvements.

Allow firewall

If you followed the steps in this article, now you need to allow HTTPS connections:

$ sudo ufw allow https

Update Diffie-Hellman parameters

If you followed the previous steps, you can ignore this section. But if you are just a curious reader and already implemented these steps on your server, a tip would be to check the size of the Diffie-Hellman parameters. Some old installations have 1024-bit parameters, and some studies and NIST recommend increasing the size of the Diffie-Hellman parameters to 2048 bits.

[Figure: This is how 1024-bit parameters look]
[Figure: This is how 2048-bit parameters look]

To create longer 2048-bit parameters run the code below.
I suggest you run this command in the /etc/letsencrypt/ folder because it is the place where the default key is stored (ssl-dhparams.pem):

$ sudo openssl dhparam -out ssl-dhparams-2048.pem 2048

After generating these parameters, we need to change the configuration of Nginx. Go to the folder /etc/nginx/sites-enabled/ and edit the file default to something like this:

server {
    ...
    ssl_dhparam /etc/letsencrypt/ssl-dhparams-2048.pem;
    ...
}

Now restart Nginx:

$ sudo service nginx restart

Update SSL certificate

Let's Encrypt certificates expire every 90 days, so you need to renew the certificate often. The Certbot packages installed come with a cron job that automatically renews the certificate before it expires. Run this command to test the renewal process (the --dry-run parameter tests without saving any certificates to disk):

$ sudo certbot renew --dry-run

If it succeeds, you can relax and enjoy life 😂. Certbot will take care that the certificate is updated regularly for you.

Flávio H. de Freitas is an Entrepreneur, Engineer, Tech lover, Dreamer and Traveler. Has worked as CTO in Brazil, Silicon Valley and Europe.
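For the check described under 'Update Diffie-Hellman parameters', here is an added example (not part of the original article) that finds every ssl_dhparam file named in the Nginx configuration files you pass it and reports whether each one is below 2048 bits. The function names and the script name check-dhparams.sh are hypothetical; it assumes openssl is on the PATH and that the configured paths are unquoted and contain no spaces.

```shell
#!/bin/sh
# Added example: report the size of each DH parameter file referenced by nginx.
# Assumptions: openssl is on PATH; ssl_dhparam paths are unquoted, without spaces.

MIN_BITS=2048   # minimum size the article recommends

# stdin: nginx configuration text; stdout: one ssl_dhparam path per line.
# Comments are dropped first, then every directive is put on its own line.
dhparam_paths() {
    sed 's/#.*//' |
        tr ';{}' '\n\n\n' |
        sed -n 's/^[[:space:]]*ssl_dhparam[[:space:]]\{1,\}\([^[:space:]]\{1,\}\)[[:space:]]*$/\1/p' |
        sort -u
}

# stdin: output of "openssl dhparam -text -noout"; stdout: the size in bits.
dh_bits() {
    sed -n 's/.*DH Parameters: (\([0-9]\{1,\}\) bit).*/\1/p' | head -n 1
}

# $1: size in bits (empty when the file could not be parsed).
verdict() {
    if [ -z "$1" ]; then echo UNREADABLE
    elif [ "$1" -lt "$MIN_BITS" ]; then echo WEAK
    else echo OK
    fi
}

# $@: nginx configuration files. Exit status is 1 if any file is not OK.
audit() {
    cat "$@" | dhparam_paths | (
        status=0
        while IFS= read -r path; do
            bits=$(openssl dhparam -in "$path" -text -noout 2>/dev/null | dh_bits)
            result=$(verdict "$bits")
            printf '%s\t%s bits\t%s\n' "$path" "${bits:-?}" "$result"
            [ "$result" = OK ] || status=1
        done
        exit "$status"
    )
}

# Run the audit only when configuration files are given on the command line.
if [ "$#" -gt 0 ]; then audit "$@"; fi
```

Run it as `sh check-dhparams.sh /etc/nginx/sites-enabled/default`; the non-zero exit status on a WEAK or UNREADABLE file makes it usable from a cron job or a deployment check.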