Secure Nginx with Let’s Encrypt on Ubuntu 18.04

Step 1 – Installation of Nginx and its configuration

Update the package index and upgrade the installed packages if you have not already done so, then install Nginx.

sudo apt-get update && sudo apt-get upgrade -y
sudo apt-get install nginx

Enable the Nginx service so that it starts at boot (the package already starts it once after installation)

sudo systemctl enable nginx

Allow HTTP and HTTPS traffic to Nginx through ufw. The ‘Nginx Full’ application profile opens ports 80 and 443: port 80 is needed for the Let’s Encrypt challenge and for the HTTP-to-HTTPS redirect, port 443 for the site itself. Make sure OpenSSH is allowed before enabling ufw, or you will lock yourself out of the server.

sudo ufw allow 'Nginx Full'

Create a new, empty Nginx configuration file for the site to be published (replace <conf-file-name> with a name of your choice; the domain name is the usual convention)

sudo touch /etc/nginx/sites-available/<conf-file-name>

Create a symbolic link to the new configuration file in sites-enabled; nginx.conf only includes files from that directory, so a file in sites-available alone is never served

sudo ln -s /etc/nginx/sites-available/<conf-file-name> /etc/nginx/sites-enabled/

Remove the link to the default site so that it no longer answers requests

sudo rm /etc/nginx/sites-enabled/default

Edit the main Nginx configuration file and uncomment server_tokens off; in the http block. This stops Nginx from reporting its version in the Server response header and on its error pages (the server is still identified as nginx, only the version is hidden), which denies an attacker an easy way to match the build against known vulnerabilities.

sudo vi /etc/nginx/nginx.conf
..
# server_tokens off;

becomes

server_tokens off;

Edit the new configuration file and give it a server block for the website

sudo vi /etc/nginx/sites-available/<conf-file-name>
server {
    # the default site that used to answer on port 80 was removed above, so listen explicitly
    listen 80;
    listen [::]:80;

    root /var/www/html;
    # add index.php to this list if it is a PHP site
    index index.html index.htm;
    server_name <site_name> www.<site_name>;

    location / {
        # serve the file or directory if it exists, otherwise return 404
        try_files $uri $uri/ =404;
    }
}

Check the configuration for syntax errors

sudo nginx -t

Reload Nginx to apply the changes (reload re-reads the configuration without dropping open connections)

sudo systemctl reload nginx

Remove the default Nginx welcome page so that it is not served from the site root

sudo rm /var/www/html/index.nginx-debian.html

Step 2 – Installing Certbot

First, add the Certbot PPA (add-apt-repository is provided by the software-properties-common package; on Ubuntu 18.04 it refreshes the package index after adding the repository)

sudo add-apt-repository ppa:certbot/certbot

Next, install Certbot together with its Nginx plugin using apt

sudo apt install python-certbot-nginx

Note that the Certbot project has since deprecated this PPA in favour of its snap package, and later releases renamed the plugin package to python3-certbot-nginx; if the command above fails, check which of the two is current for your system before continuing.

Step 3 – Verifying the configuration before requesting a certificate from Certbot

Verify that the Nginx config file has a server_name directive listing every name you will request a certificate for. Certbot’s nginx plugin uses this directive to find the right server block, and Let’s Encrypt validates each name with an HTTP-01 challenge, so two things must be true before you continue:

  1. The DNS A (and AAAA, if any) records for the domain point at this server’s public IP address.
  2. The domain resolves and the server answers on port 80 from the Internet, so that Let’s Encrypt can fetch the challenge response that Certbot places under http://<site_name>/.well-known/acme-challenge/.

sudo vi /etc/nginx/sites-available/<conf-file-name>
server {
...
    server_name  <site_name> www.<site_name>;
...
}

Verify that Nginx is allowed through the firewall on both port 80 (challenge and redirect) and port 443 (HTTPS)

sudo ufw status

Expected output (the ‘Nginx Full’ profile from Step 1 covers both ports)

Output
Status: active

To                         Action      From
--                         ------      ----
OpenSSH                    ALLOW       Anywhere
Nginx Full                 ALLOW       Anywhere
OpenSSH (v6)               ALLOW       Anywhere (v6)
Nginx Full (v6)            ALLOW       Anywhere (v6)

If only ‘Nginx HTTP’ is listed, port 443 is still closed and the HTTPS site will not be reachable; run the ufw allow 'Nginx Full' command from Step 1 again. If the status is ‘inactive’, ufw is not filtering at all; enable it only after OpenSSH has been allowed.
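To make the checks in this step repeatable (server_name present, DNS pointing at this host, port 80 open in ufw, site answering over HTTP), here is a small pre-flight script. It is an added example written for this page, not part of the original tutorial or of Certbot. It assumes dig (from the dnsutils package) and curl are installed, that you pass the server’s public IPv4 address yourself (on a cloud host the address on the interface is often not the public one), and that the site config file is named after the domain unless a third argument says otherwise; example.com and 203.0.113.10 in the comments are placeholders.

```shell
#!/bin/sh
# Pre-flight checks before running "certbot --nginx" (added example, not the tutorial's own code).
# Usage: sh preflight.sh example.com 203.0.113.10 [/etc/nginx/sites-available/example.com]
# Assumes: dig (dnsutils) and curl installed; expected public IPv4 supplied by the caller.

# 0 if the nginx config text ($1) has a server_name directive that lists $2 as an exact name.
# Commented-out directives are ignored; names are matched as whole tokens, not substrings.
config_has_server_name() {
  printf '%s\n' "$1" \
    | sed -n 's/^[[:space:]]*server_name[[:space:]]*//p' \
    | sed 's/;.*//' \
    | tr -s '[:space:]' '\n' \
    | grep -qxF "$2"
}

# 0 if the resolved addresses on stdin (one per line, as "dig +short A" prints them,
# possibly preceded by a CNAME target) contain the expected IPv4 address $1.
dns_points_here() {
  grep -qxF "$1"
}

# 0 if the "ufw status" output on stdin lets port 80 through: ufw inactive (nothing is filtered),
# or an ALLOW rule for Nginx Full, Nginx HTTP or 80/tcp. Port 80 is what the HTTP-01 challenge uses.
firewall_allows_http() {
  out=$(cat)
  case "$out" in *"Status: inactive"*) return 0 ;; esac
  printf '%s\n' "$out" | grep -Eq '^(Nginx Full|Nginx HTTP|80(/tcp)?)[[:space:]]+ALLOW'
}

# 0 if curl's http_code ($1) shows the server answered at all (any 1xx-5xx).
# "000" or an empty string means no HTTP response was received.
http_reachable() {
  case $1 in
    [1-5][0-9][0-9]) return 0 ;;
    *) return 1 ;;
  esac
}

main() {
  domain=$1; expected_ip=$2; cfg=${3:-/etc/nginx/sites-available/$domain}; rc=0

  if config_has_server_name "$(cat "$cfg")" "$domain"; then
    echo "ok   $cfg lists server_name $domain"
  else
    echo "FAIL $cfg does not list $domain in server_name"; rc=1
  fi

  if dig +short A "$domain" | dns_points_here "$expected_ip"; then
    echo "ok   $domain resolves to $expected_ip"
  else
    echo "FAIL $domain does not resolve to $expected_ip (got: $(dig +short A "$domain" | tr '\n' ' '))"; rc=1
  fi

  if sudo ufw status | firewall_allows_http; then
    echo "ok   ufw allows port 80"
  else
    echo "FAIL ufw blocks port 80; the HTTP-01 challenge cannot be answered"; rc=1
  fi

  code=$(curl -s -o /dev/null -m 10 -w '%{http_code}' "http://$domain/" || true)
  if http_reachable "$code"; then
    echo "ok   http://$domain/ answered $code"
  else
    echo "FAIL http://$domain/ gave no HTTP response (curl code: ${code:-none})"; rc=1
  fi
  return $rc
}

if [ "$#" -gt 0 ]; then main "$@"; fi
```

The curl check run on the server itself only proves that Nginx is listening; run that one line from a machine outside your network as well, since Let’s Encrypt connects from the Internet and a cloud security group or upstream firewall can still block port 80 even when ufw allows it.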

Step 4 – Obtaining Certificate

sudo certbot --nginx -d ilostin.com -d www.ilostin.com

Replace ilostin.com with your own domain. Every name passed with -d must appear in server_name and must resolve to this server, because Certbot answers the HTTP-01 challenge for each of them through Nginx. Follow the on-screen prompts; before the certificate is issued you are asked for two things –

  1. An email address, used for expiry and security notices about the certificate.
  2. Agreement to the Let’s Encrypt terms of service.

Once the certificate has been obtained and installed, Certbot asks you to choose between two ways of changing the Nginx configuration. Option 2 is the one to pick: it redirects all plain HTTP requests to HTTPS, so visitors never reach the site unencrypted.

Output
Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
-------------------------------------------------------------------------------
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
-------------------------------------------------------------------------------
Select the appropriate number [1-2] then [enter] (press 'c' to cancel):

Step 5 – Verify Certbot Auto-Renewal and errors

Let’s Encrypt certificates are valid for 90 days. The short lifetime limits the damage from a compromised key and encourages automated renewal, which in turn retires certificates that are no longer used. The certbot package takes care of this: it installs a systemd timer (certbot.timer; /etc/cron.d/certbot is the fallback on hosts without systemd) that runs certbot renew twice a day, and certbot renews any certificate that is within 30 days of expiry. Because the certificate was installed with the nginx plugin, Certbot also reloads Nginx after a successful renewal, so the new certificate is served without manual intervention.

To confirm that renewal will succeed before the timer has to do it, run a dry run with certbot

sudo certbot renew --dry-run

The dry run performs the complete challenge and issuance flow against the Let’s Encrypt staging environment and does not replace the certificate on disk. If it reports no errors, the setup is complete and the site is served over HTTPS.
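The dry run proves that the challenge works today; it does not tell you whether the timer is actually running or whether Nginx will pick up the renewed certificate. The script below checks those as well. It is an added example written for this page, not code from the tutorial or from Certbot, and it assumes the certbot package from Ubuntu or the PPA (which ships certbot.timer), that the certificate name equals the first domain given to -d (Certbot’s default), and that renewal configs live under /etc/letsencrypt/renewal; example.com is a placeholder.

```shell
#!/bin/sh
# Post-install renewal checks (added example, not the tutorial's own code).
# Usage: sh renew-check.sh example.com
# Assumes: Ubuntu/PPA certbot package with certbot.timer; cert name == first -d domain.

RENEW_WINDOW_DAYS=30   # certbot renews once fewer than 30 days of validity remain

# Reads "certbot certificates" output on stdin and prints the number from "(VALID: N days)",
# "expired" for an "(INVALID: ...)" certificate, or nothing if no expiry line is present.
days_valid() {
  sed -n 's/.*Expiry Date:.*(VALID: \([0-9][0-9]*\) day.*/\1/p
          s/.*Expiry Date:.*(INVALID:.*/expired/p'
}

# 0 if the certificate ($1 = days from days_valid) is outside the renewal window.
# A certificate that is still inside the window after a day of twice-daily timer runs
# means renewal is failing, so "inside the window" is treated as unhealthy.
renewal_healthy() {
  case $1 in
    ''|*[!0-9]*) return 1 ;;   # missing, "expired", or otherwise not a number
  esac
  [ "$1" -ge "$RENEW_WINDOW_DAYS" ]
}

# 0 if the renewal config on stdin names nginx as installer, i.e. certbot will reload
# Nginx after renewing; without it the new certificate sits on disk unused until a reload.
renewal_reloads_nginx() {
  grep -Eq '^[[:space:]]*installer[[:space:]]*=[[:space:]]*nginx[[:space:]]*$'
}

main() {
  domain=$1; rc=0

  days=$(sudo certbot certificates --cert-name "$domain" 2>/dev/null | days_valid)
  if renewal_healthy "$days"; then
    echo "ok   $domain is valid for $days more days"
  else
    echo "FAIL $domain: ${days:-no certificate found} (renewal window is $RENEW_WINDOW_DAYS days)"; rc=1
  fi

  if renewal_reloads_nginx < "/etc/letsencrypt/renewal/$domain.conf"; then
    echo "ok   renewal will reload nginx"
  else
    echo "FAIL /etc/letsencrypt/renewal/$domain.conf has no 'installer = nginx'"; rc=1
  fi

  if systemctl is-active --quiet certbot.timer; then
    echo "ok   certbot.timer is active"
  else
    echo "FAIL certbot.timer is not active (check /etc/cron.d/certbot on hosts without systemd)"; rc=1
  fi

  if sudo certbot renew --dry-run >/dev/null 2>&1; then
    echo "ok   dry run against the staging environment succeeded"
  else
    echo "FAIL dry run failed; run 'sudo certbot renew --dry-run' to see the error"; rc=1
  fi
  return $rc
}

if [ "$#" -gt 0 ]; then main "$@"; fi
```

Any FAIL line leaves the exit status non-zero, so the script can be run from a monitoring check or a weekly cron entry; the validity check in particular catches the common case where the timer stops working (for example after port 80 is closed) and nobody notices until the expiry email arrives.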