Configuring your server to provide HTTPS using Let's Encrypt and Nginx

Written by flaviohfreitas | Published 2017/11/14
Tech Story Tags: web-development | devops | programming | software-development | tech


This tutorial will teach you how to install Nginx and have Certbot obtain a free Let's Encrypt TLS certificate and configure Nginx to serve it. If you are starting from scratch and want a safe server installation, I suggest you read this article first.

OK, let's start with some definitions and then we start with the magic steps:

  • Let's Encrypt: is a certificate authority (CA) that issues free digital certificates so that websites can use HTTPS.
  • Nginx: is a web server that can also be used as a load balancer, reverse proxy, mail proxy and HTTP cache.
  • HTTPS: (Hyper Text Transfer Protocol Secure) is the HTTP protocol carried over an additional security layer, the SSL/TLS protocol.
  • SSL/TLS protocol: Transport Layer Security (TLS) and its predecessor, Secure Sockets Layer (SSL) (which is now deprecated and should not be enabled), are cryptographic protocols that sit between TCP and the application protocol (HTTP here) and provide communications security over a computer network.
  • Certbot: is the ACME client (tool) that runs on the server to obtain TLS certificates from Let's Encrypt, install them into the web server configuration and renew them.

And why should I have an HTTPS website? The main reason is that HTTPS authenticates the server to the browser and encrypts and integrity-protects the traffic, so an attacker sitting on the path between the browser and the server (on a public Wi-Fi network, for example) can neither read nor modify what passes by.

Even if you only serve static HTML pages with no dynamic content, there are other reasons: 1) Google uses HTTPS as a ranking signal, so if you want your website to rank well in Google's search results, you should consider using it. 2) Chrome started showing a "Not secure" warning for pages that are not served over HTTPS, so if you don't want to scare your users, that is another reason to have it.

Assuming you have an Ubuntu web server installed and running, and a domain name pointing to it (in this tutorial the domain name is temporary-website.tk), we will install Nginx on it. The DNS record must already resolve to this server, because Let's Encrypt validates that you control the name by connecting to it.

Install Nginx and Certbot

Connect to your server. Type the following command to install Nginx:

$ sudo apt-get install nginx

After installing it, open your domain in a browser and check that something is already being served (over plain HTTP, without HTTPS):

(Screenshot: the site served over plain HTTP, shown by the browser as insecure.)

We will use the Certbot repository to get up-to-date versions of the packages. (This PPA has since been retired: on current Ubuntu releases, install certbot and python3-certbot-nginx from the standard repositories, or use the snap package the Certbot project now recommends, and skip the add-apt-repository step.) Let's add it:

$ sudo add-apt-repository ppa:certbot/certbot

Update the package list to have up-to-date items:

$ sudo apt-get update

Install Certbot's Nginx package:

$ sudo apt-get install python-certbot-nginx

Generate certificate and configure Nginx

Finally, let's make Certbot get a certificate and configure it automatically to us:

$ sudo certbot --nginx -d temporary-website.tk

At this step Certbot asks for your email address (Let's Encrypt uses it to warn you when a certificate is about to expire without having been renewed). You will then have two options: whether or not to redirect HTTP requests to HTTPS. I chose Redirect, which makes Certbot add a 301 redirect to the HTTP server block so that visitors never keep using the plain-HTTP version.

If you previously set up a firewall, read the section 'Allow firewall' below. If not, that's it: your website is now served over HTTPS. 🎉

(Screenshot: the site served over HTTPS, shown by the browser as secure.)

The website now works over HTTPS. Let's make a few more improvements.

Allow firewall

If you set up ufw as described in the article linked above, you still need to allow HTTPS connections (port 443). Keep port 80 open as well: the HTTP-to-HTTPS redirect listens there, and so does the HTTP-01 challenge that current versions of Certbot's Nginx plugin use to validate the domain at every renewal. (Alternatively, sudo ufw allow 'Nginx Full' opens both 80 and 443 through the application profile the nginx package installs.)

$ sudo ufw allow https

Update Diffie-Hellman parameters

If you followed the previous steps, you can skip this section: the parameter file Certbot installs is already 2048 bits. But if you are reading out of curiosity and already had a server set up before, check the size of the Diffie-Hellman parameters Nginx uses for the DHE key exchange. Some old installations still use 1024-bit parameters; the 2015 Logjam research showed that 1024-bit groups are within reach of well-funded attackers, and NIST recommends at least 2048 bits.

(Screenshot: what 1024-bit parameters look like.)

(Screenshot: what 2048-bit parameters look like.)

To create 2048-bit parameters, run the command below. I suggest writing the file to /etc/letsencrypt/, because that is where Certbot keeps its default parameter file (ssl-dhparams.pem). Generating a 2048-bit safe prime can take several minutes:

$ sudo openssl dhparam -out /etc/letsencrypt/ssl-dhparams-2048.pem 2048

After generating the parameters, we need to point Nginx at them. Go to the folder /etc/nginx/sites-enabled/ and edit the site's file (default here) so that the ssl_dhparam line Certbot added inside the server block references the new file:

server {
    ...
    ssl_dhparam /etc/letsencrypt/ssl-dhparams-2048.pem;
    ...
}

Now validate the configuration (sudo nginx -t reports syntax errors before you take the server down) and restart Nginx:

$ sudo service nginx restart
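As an added example (not code from the original article, nor Certbot's own), the following shell functions put the check and the configuration change together: they report the bit size of a PEM-encoded Diffie-Hellman parameter file, refuse anything below a chosen minimum, and rewrite the ssl_dhparam path in an Nginx site file. They assume the openssl command-line tool is installed; the file paths are the ones used above, and the small server block the usage note exercises is constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original article: check the size of a
# Diffie-Hellman parameter file and point an Nginx site file at a new one.
# Assumes the openssl CLI is installed. Paths are the ones the article uses;
# nothing here is Certbot's own code.
set -eu

# Print the size in bits of the prime in a PEM-encoded DH parameter file.
# "openssl dhparam -text" prints a line such as "DH Parameters: (2048 bit)".
dh_bits() {
    openssl dhparam -in "$1" -text -noout 2>/dev/null \
        | sed -n 's/.*DH Parameters: (\([0-9][0-9]*\) bit).*/\1/p'
}

# Succeed only if the parameters in file $1 are at least $2 bits
# (default 2048, the minimum NIST recommends).
dh_check() {
    bits=$(dh_bits "$1")
    min=${2:-2048}
    [ -n "$bits" ] && [ "$bits" -ge "$min" ]
}

# Generate a new safe-prime group of $2 bits into file $1.
# 2048 bits takes minutes; openssl's progress output is silenced.
dh_generate() {
    openssl dhparam -out "$1" "$2" 2>/dev/null
}

# Print the path named by the ssl_dhparam directive(s) in Nginx config file $1.
nginx_get_dhparam() {
    sed -n 's/^[[:space:]]*ssl_dhparam[[:space:]]*\([^;]*\);.*/\1/p' "$1"
}

# Rewrite every ssl_dhparam directive in config file $1 to use path $2,
# keeping the previous version as $1.bak. The "# managed by Certbot" comment
# on the old line is dropped on purpose, so Certbot no longer owns the line.
nginx_set_dhparam() {
    cp "$1" "$1.bak"
    sed "s|^\([[:space:]]*ssl_dhparam[[:space:]]\).*|\1$2;|" "$1.bak" > "$1"
}

# Typical use on the server, after generating the 2048-bit file as above:
#   dh_check /etc/letsencrypt/ssl-dhparams-2048.pem 2048 \
#     && nginx_set_dhparam /etc/nginx/sites-enabled/default \
#          /etc/letsencrypt/ssl-dhparams-2048.pem \
#     && nginx -t && service nginx restart
```

Running dh_check against the file Nginx currently references is the quickest way to find a leftover 1024-bit group: it exits non-zero for anything below the minimum, so it can sit in a deployment script ahead of the restart.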

Renew the certificate

Let's Encrypt certificates are valid for 90 days, so they must be renewed regularly. The Certbot package installs a cron job (or systemd timer) that runs certbot renew twice a day and renews any certificate that is within 30 days of expiry, reloading Nginx when it does.

Run this command to test the renewal process (--dry-run performs a full renewal against Let's Encrypt's staging environment without saving any certificates to disk):

$ sudo certbot renew --dry-run

If it succeeds, you can relax and enjoy life 😂. Certbot will take care of renewing the certificate regularly for you; just keep the email notifications enabled, because an expired certificate is the most common way this setup breaks.
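As an added example (not code from the original article, nor Certbot's own), here is the check a monitoring or cron job can run so that a silently failing certbot renew is noticed before the certificate expires. It assumes the openssl command-line tool is installed and that the certificate lives where Certbot puts it, /etc/letsencrypt/live/temporary-website.tk/fullchain.pem; the self-signed certificate it builds for demonstration is constructed test input and is never what a real server should serve.

```shell
#!/bin/sh
# Added example, not from the original article: report how long the deployed
# certificate is still valid, the way a cron or monitoring job would, so that a
# silently failing "certbot renew" is noticed before the site breaks.
# Assumes the openssl CLI. Certbot keeps the certificate it issued at
# /etc/letsencrypt/live/<domain>/fullchain.pem; nothing here is Certbot's code.
set -eu

# Print the notAfter date of the (first) certificate in PEM file $1.
cert_not_after() {
    openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//'
}

# Succeed if the certificate in $1 is still valid $2 days from now.
# "openssl x509 -checkend N" exits 0 only if the certificate outlives the
# next N seconds.
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# Print one status line and fail if renewal looks overdue. Certbot renews when
# fewer than 30 days remain and its cron job runs twice a day, so a certificate
# with under 28 days left (the default here) means renewal has been failing
# for at least two days.
cert_status() {
    cert=$1
    days=${2:-28}
    if cert_valid_for_days "$cert" "$days"; then
        echo "OK: $cert valid until $(cert_not_after "$cert")"
    else
        echo "WARNING: $cert expires $(cert_not_after "$cert"); check 'certbot renew'"
        return 1
    fi
}

# Create a self-signed certificate valid for $2 days, written to $1 with its
# private key in $1.key. Constructed test input only: the real server uses the
# Let's Encrypt certificate, never a self-signed one.
make_test_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days "$2" \
        -subj "/CN=temporary-website.tk" -keyout "$1.key" -out "$1" 2>/dev/null
}

# Typical daily cron entry on the server (assumed path):
#   cert_status /etc/letsencrypt/live/temporary-website.tk/fullchain.pem
```

Because cert_status exits non-zero on the warning path, cron's mail on failure (or any monitoring agent that watches exit codes) is enough to surface the problem; the threshold is deliberately a few days below Certbot's own 30-day renewal point so that one missed run does not page you.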

Follow me if you want to read more of my articles 😘 And if you enjoyed this article, be sure to like it and give me a lot of claps — it means the world to the writer.

Flávio H. de Freitas is an Entrepreneur, Engineer, Tech lover, Dreamer and Traveler. Has worked as CTO in Brazil, Silicon Valley and Europe.


Published by HackerNoon on 2017/11/14