How Let’s Encrypt Works
Before issuing a certificate, Let’s Encrypt validates ownership of your domain. The Let’s Encrypt client, running on your host, creates a temporary file (a token) with the required information in it. The Let’s Encrypt validation server then makes an HTTP request to retrieve the file and validates the token, which verifies that the DNS record for your domain resolves to the server running the Let’s Encrypt client.
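The token exchange described above can be reproduced on one machine. The following is an added example, not code from certbot or Let's Encrypt: the /.well-known/acme-challenge/ path and the key authorization format come from RFC 8555 (the ACME protocol), while the local test server, the function names and the account thumbprint value are constructed stand-ins.

```python
import base64, functools, hashlib, hmac, http.client, http.server
import os, secrets, tempfile, threading

CHALLENGE_PATH = "/.well-known/acme-challenge/"  # fixed by RFC 8555 section 8.3

def key_authorization(token, thumbprint):
    # RFC 8555 section 8.1: token, a dot, then the account-key thumbprint
    return f"{token}.{thumbprint}"

def provision(webroot, token, key_auth):
    """Client side: write the temporary file the CA will fetch."""
    directory = os.path.join(webroot, CHALLENGE_PATH.strip("/"))
    os.makedirs(directory, exist_ok=True)
    with open(os.path.join(directory, token), "w") as fh:
        fh.write(key_auth)

def validate(host, port, token, expected):
    """CA side: fetch the file over plain HTTP and compare its content."""
    conn = http.client.HTTPConnection(host, port, timeout=5)
    try:
        conn.request("GET", CHALLENGE_PATH + token)
        resp = conn.getresponse()
        body = resp.read().decode().strip()
        return resp.status == 200 and hmac.compare_digest(body, expected)
    except OSError:
        return False
    finally:
        conn.close()

def serve(webroot):
    """Constructed stand-in for the NGINX server block listening on port 80."""
    handler = functools.partial(http.server.SimpleHTTPRequestHandler, directory=webroot)
    server = http.server.ThreadingHTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server

def demo():
    # Constructed stand-in for the RFC 7638 thumbprint of the account key.
    thumb = base64.urlsafe_b64encode(hashlib.sha256(b"constructed account key").digest()).rstrip(b"=").decode()
    token = secrets.token_urlsafe(32)
    key_auth = key_authorization(token, thumb)
    with tempfile.TemporaryDirectory() as webroot:
        server = serve(webroot)
        port = server.server_address[1]
        before = validate("127.0.0.1", port, token, key_auth)  # nothing provisioned yet
        provision(webroot, token, key_auth)
        after = validate("127.0.0.1", port, token, key_auth)
        other = validate("127.0.0.1", port, token, key_authorization(token, "another-account"))
        server.shutdown()
        server.server_close()
    return before, after, other
```

Validation succeeds only once the file is in place and only for the account whose thumbprint is in the file, which is why a host that merely serves a copied token for a different account does not pass.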
Prerequisites
Before starting with Let’s Encrypt, you need to:
- Have NGINX or NGINX Plus installed.
- Own or control the registered domain name for the certificate. If you don’t have a registered domain name, you can use a domain name registrar, such as GoDaddy or dnsexit.
- Create a DNS record that associates your domain name and your server’s public IP address.
Now you can easily set up Let’s Encrypt with NGINX Open Source or NGINX Plus (for ease of reading, from now on we’ll refer simply to NGINX).
Note: We tested the procedure outlined in this blog post on Ubuntu 16.04 (Xenial).
1. Download the Let’s Encrypt Client
First, download the Let’s Encrypt client, certbot.
As mentioned just above, we tested the instructions on Ubuntu 16.04, and these are the appropriate commands on that platform:
$ sudo apt-get update
$ sudo apt-get install certbot
$ sudo apt-get install python-certbot-nginx
With Ubuntu 18.04 and later, substitute the Python 3 version:
$ sudo apt-get update
$ sudo apt-get install certbot
$ sudo apt-get install python3-certbot-nginx
2. Set Up NGINX
certbot can automatically configure NGINX for SSL/TLS. It looks for and modifies the server block in your NGINX configuration that contains a server_name directive with the domain name you’re requesting a certificate for. In our example, the domain is www.example.com.
- Assuming you’re starting with a fresh NGINX install, use a text editor to create a file in the /etc/nginx/conf.d directory named domain‑name.conf (so in our example, www.example.com.conf).
- Specify your domain name (and variants, if any) with the server_name directive:
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    root /var/www/html;
    server_name example.com www.example.com;
}
- Save the file, then run this command to verify the syntax of your configuration and restart NGINX:
$ sudo nginx -t && sudo nginx -s reload
3. Obtain the SSL/TLS Certificate
The NGINX plug‑in for certbot takes care of reconfiguring NGINX and reloading its configuration whenever necessary.
- Run the following command to generate certificates with the NGINX plug‑in:
$ sudo certbot --nginx -d example.com -d www.example.com
- Respond to prompts from certbot to configure your HTTPS settings, which involves entering your email address and agreeing to the Let’s Encrypt terms of service.
If you look at domain‑name.conf, you see that certbot has modified it:
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    root /var/www/html;
    server_name example.com www.example.com;

    listen 443 ssl; # managed by Certbot

    # RSA certificate
    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem; # managed by Certbot

    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot

    # Redirect non-https traffic to https
    if ($scheme != "https") {
        return 301 https://$host$request_uri;
    } # managed by Certbot
}
4. Automatically Renew Let’s Encrypt Certificates
Let’s Encrypt certificates expire after 90 days. We encourage you to renew your certificates automatically. Here we add a cron job to an existing crontab file to do this.
- Open the crontab file.
$ crontab -e
- Add the certbot command to run daily. In this example, we run the command every day at noon. The command checks to see if the certificate on the server will expire within the next 30 days, and renews it if so. The --quiet directive tells certbot not to generate output.
0 12 * * * /usr/bin/certbot renew --quiet
- Save and close the file. All installed certificates will be automatically renewed and reloaded.