Let’s Encrypt SSL on Nginx running Python Django Flask

Let’s Encrypt is a Certificate Authority (CA) that provides an easy way to obtain and install free TLS/SSL certificates. In this guide we use Certbot to obtain a free SSL certificate for Nginx on Ubuntu. It’s better to use a separate Nginx server block file for the domain instead of the default file.

Before proceeding with the installation, please make sure you have:

  • A fully registered domain name.
  • An A record and a www record for the required domain name.
  • An Nginx server block for the required domain (/etc/nginx/sites-available/domain.conf).

Step 1 — Downloading the Let’s Encrypt Client

The first thing you need to do is download and install the Let’s Encrypt client, certbot. You can install it using the following commands on Ubuntu:

sudo apt-get update

sudo apt-get install -y git

sudo git clone https://github.com/certbot/certbot /opt/letsencrypt

Certbot is now ready to use, but we need to configure SSL for Nginx.

Step 2 — Confirming Nginx’s Configuration

Certbot needs to be able to find the correct server block in your Nginx configuration in order to configure SSL automatically. Specifically, it does this by looking for a server_name directive that matches the domain you request a certificate for. By default, the server block is at the following location; you can open this file with vi or nano:

/etc/nginx/sites-available/domain.com

Find the existing server_name line. It should look like this:

server_name domainname.com www.domainname.com;

If it does, exit your editor and move on to the next step.

After you have verified this, make sure the Nginx configuration syntax is correct and valid using the command:

sudo nginx -t

If you get an error, reopen the server block file and check for any mistakes. Once your configuration file’s syntax is correct, reload Nginx to load the new configuration:

sudo systemctl reload nginx
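
The server_name check from this step can also be scripted before requesting a certificate. The following is an added example, not part of the original tutorial; the function names and the sample server block are hypothetical, and it checks exact names only (no wildcard or regex server_name entries).

```shell
#!/bin/sh
# Added example: pre-flight check for Step 2. Function names are hypothetical.

# Print every name found in server_name directives of an Nginx config file.
# Comments are stripped, and a directive may span several lines.
list_server_names() {
    sed 's/#.*//' "$1" | tr '\n' ' ' | tr ';{}' '\n\n\n' |
        awk '$1 == "server_name" { for (i = 2; i <= NF; i++) print $i }'
}

# Return 0 if every requested domain is an exact (case-insensitive)
# server_name entry in the file; otherwise report what is missing, return 1.
check_server_names() {
    _conf=$1; shift
    _names=$(list_server_names "$_conf")
    _missing=0
    for _domain in "$@"; do
        if ! printf '%s\n' "$_names" | grep -qixF -- "$_domain"; then
            echo "not in any server_name: $_domain" >&2
            _missing=1
        fi
    done
    return "$_missing"
}

# Constructed sample server block (not from a real host).
write_sample_conf() {
    cat > "$1" <<'EOF'
server {
    listen 80;
    # server_name old.example.com;
    server_name domain.com
                www.domain.com;
    location / { proxy_pass http://127.0.0.1:8000; }
}
EOF
}

sample=$(mktemp)
write_sample_conf "$sample"
if check_server_names "$sample" domain.com www.domain.com; then
    echo "server_name covers both names; safe to run certbot --nginx"
fi
rm -f "$sample"
```

A commented-out server_name line is ignored, so a name that only appears in a comment is reported as missing.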

Step 3 — Obtaining an SSL Certificate

Certbot provides a variety of ways to obtain SSL certificates through plugins. The Nginx plugin will take care of reconfiguring Nginx and reloading the config whenever necessary. To use this plugin, type the following:

sudo certbot --nginx -d domain.com -d www.domain.com

If this step fails with an error, make sure the domain has no IPv6 records (AAAA records). Let’s Encrypt prefers IPv6 over IPv4.

If that’s successful, certbot will ask how you’d like to configure your HTTPS settings.

Select your choice, then hit ENTER. The configuration will be updated, and Nginx will reload to pick up the new settings. Certbot will wrap up with a message telling you the process was successful and where your certificates are stored.

Your certificates are downloaded, installed, and loaded. Try reloading your website using https://

Step 4 — Verifying Certbot Auto-Renewal

Let’s Encrypt’s certificates are only valid for ninety days. This is to encourage users to automate their certificate renewal process. The certbot package we installed takes care of this for us by adding a renew script to /etc/cron.d. This script runs twice a day and will automatically renew any certificate that’s within thirty days of expiration.

To test the renewal process, you can do a dry run with certbot:

sudo certbot renew --dry-run

If you see no errors, you’re all set. When necessary, Certbot will renew your certificates and reload Nginx to pick up the changes.