How To Secure Nginx with Let's Encrypt on Ubuntu 18.04 DigitalOcean
Anuncio
13/2/2020
How To Secure Nginx with Let's Encrypt on Ubuntu 18.04 | DigitalOcean
Language: EN
Contents
How To Secure Nginx with Let's Encrypt on Ubuntu 18.04
Posted April 27, 2018
335.6k
NGINX
LET'S ENCRYPT
UBUNTU 18.04
By Hazel Virdó and Kathleen Juell
Become an author
Not using Ubuntu 18.04? Choose a different version:
A previous version of this tutorial was written by Hazel Virdó
Introduction
https://www.digitalocean.com/community/tutorials/how-to-secure-nginx-with-let-s-encrypt-on-ubuntu-18-04
1/23
13/2/2020
How To Secure Nginx with Let's Encrypt on Ubuntu 18.04 | DigitalOcean
Let’s Encrypt is a Certificate Authority (CA) that provides an easy way to obtain and install
free TLS/SSL certificates, thereby enabling encrypted HTTPS on web servers. It simplifies
the process by providing a software client, Certbot, that attempts to automate most (if not
all) of the required steps. Currently, the entire process of obtaining and installing a certificate
is fully automated on both Apache and Nginx.
In this tutorial, you will use Certbot to obtain a free SSL certificate for Nginx on Ubuntu 18.04
and set up your certificate to renew automatically.
This tutorial will use a separate Nginx server block file instead of the default file. We
recommend creating new Nginx server block files for each domain because it helps to avoid
common mistakes and maintains the default files as a fallback configuration.
Prerequisites
To follow this tutorial, you will need:
One Ubuntu 18.04 server set up by following this initial server setup for Ubuntu 18.04
tutorial, including a sudo non-root user and a firewall.
A fully registered domain name. This tutorial will use example.com throughout. You can
purchase a domain name on Namecheap, get one for free on Freenom, or use the domain
registrar of your choice.
Both of the following DNS records set up for your server. You can follow this introduction to
DigitalOcean DNS for details on how to add them.
An A record with example.com pointing to your server’s public IP address.
An A record with www.example.com pointing to your server’s public IP address.
Nginx installed by following How To Install Nginx on Ubuntu 18.04. Be sure that you have a
server block for your domain. This tutorial will use /etc/nginx/sitesavailable/example.com as an example.
Step 1 — Installing Certbot
https://www.digitalocean.com/community/tutorials/how-to-secure-nginx-with-let-s-encrypt-on-ubuntu-18-04
2/23
13/2/2020
How To Secure Nginx with Let's Encrypt on Ubuntu 18.04 | DigitalOcean
The first step to using Let’s Encrypt to obtain an SSL certificate is to install the Certbot
software on your server.
Certbot is in very active development, so the Certbot packages provided by Ubuntu tend to
be outdated. However, the Certbot developers maintain a Ubuntu software repository with
up-to-date versions, so we’ll use that repository instead.
First, add the repository:
$ sudo add-apt-repository ppa:certbot/certbot
You’ll need to press ENTER to accept.
Install Certbot’s Nginx package with apt :
$ sudo apt install python-certbot-nginx
Certbot is now ready to use, but in order for it to configure SSL for Nginx, we need to verify
some of Nginx’s configuration.
Step 2 — Confirming Nginx’s Configuration
Certbot needs to be able to find the correct server block in your Nginx configuration for it
to be able to automatically configure SSL. Specifically, it does this by looking for a
server_name directive that matches the domain you request a certificate for.
If you followed the server block set up step in the Nginx installation tutorial, you should have
a server block for your domain at /etc/nginx/sites-available/example.com with the
server_name directive already set appropriately.
To check, open the server block file for your domain using nano or your favorite text editor:
$ sudo nano /etc/nginx/sites-available/example.com
Find the existing server_name line. It should look like this:
https://www.digitalocean.com/community/tutorials/how-to-secure-nginx-with-let-s-encrypt-on-ubuntu-18-04
3/23
13/2/2020
How To Secure Nginx with Let's Encrypt on Ubuntu 18.04 | DigitalOcean
/etc/nginx/sites-available/example.com
...
server_name example.com www.example.com;
...
If it does, exit your editor and move on to the next step.
If it doesn’t, update it to match. Then save the file, quit your editor, and verify the syntax of
your configuration edits:
$ sudo nginx -t
If you get an error, reopen the server block file and check for any typos or missing
characters. Once your configuration file’s syntax is correct, reload Nginx to load the new
configuration:
$ sudo systemctl reload nginx
Certbot can now find the correct server block and update it.
Next, let’s update the firewall to allow HTTPS traffic.
Step 3 — Allowing HTTPS Through the Firewall
If you have the ufw firewall enabled, as recommended by the prerequisite guides, you’ll
need to adjust the settings to allow for HTTPS traffic. Luckily, Nginx registers a few profiles
with ufw upon installation.
You can see the current setting by typing:
$ sudo ufw status
It will probably look like this, meaning that only HTTP traffic is allowed to the web server:
https://www.digitalocean.com/community/tutorials/how-to-secure-nginx-with-let-s-encrypt-on-ubuntu-18-04
4/23
13/2/2020
How To Secure Nginx with Let's Encrypt on Ubuntu 18.04 | DigitalOcean
Output
Status: active
To
Action
From
--
------
----
OpenSSH
ALLOW
Anywhere
Nginx HTTP
ALLOW
Anywhere
OpenSSH (v6)
ALLOW
Anywhere (v6)
Nginx HTTP (v6)
ALLOW
Anywhere (v6)
To additionally let in HTTPS traffic, allow the Nginx Full profile and delete the redundant
Nginx HTTP profile allowance:
$ sudo ufw allow 'Nginx Full'
$ sudo ufw delete allow 'Nginx HTTP'
Your status should now look like this:
$ sudo ufw status
Output
Status: active
To
Action
From
--
------
----
OpenSSH
ALLOW
Anywhere
Nginx Full
ALLOW
Anywhere
OpenSSH (v6)
ALLOW
Anywhere (v6)
Nginx Full (v6)
ALLOW
Anywhere (v6)
Next, let’s run Certbot and fetch our certificates.
Step 4 — Obtaining an SSL Certificate
Certbot provides a variety of ways to obtain SSL certificates through plugins. The Nginx
plugin will take care of reconfiguring Nginx and reloading the config whenever necessary.
To use this plugin, type the following:
https://www.digitalocean.com/community/tutorials/how-to-secure-nginx-with-let-s-encrypt-on-ubuntu-18-04
5/23
13/2/2020
How To Secure Nginx with Let's Encrypt on Ubuntu 18.04 | DigitalOcean
$ sudo certbot --nginx -d example.com -d www.example.com
This runs certbot with the --nginx plugin, using -d to specify the names we’d like the
certificate to be valid for.
If this is your first time running certbot , you will be prompted to enter an email address and
agree to the terms of service. After doing so, certbot will communicate with the Let’s
Encrypt server, then run a challenge to verify that you control the domain you’re requesting a
certificate for.
If that’s successful, certbot will ask how you’d like to configure your HTTPS settings.
Output
Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
------------------------------------------------------------------------------1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
------------------------------------------------------------------------------Select the appropriate number [1-2] then [enter] (press 'c' to cancel):
Select your choice then hit ENTER . The configuration will be updated, and Nginx will reload
to pick up the new settings. certbot will wrap up with a message telling you the process
was successful and where your certificates are stored:
Output
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/example.com/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/example.com/privkey.pem
Your cert will expire on 2018-07-23. To obtain a new or tweaked
version of this certificate in the future, simply run certbot again
with the "certonly" option. To non-interactively renew *all* of
your certificates, run "certbot renew"
- Your account credentials have been saved in your Certbot
configuration directory at /etc/letsencrypt. You should make a
https://www.digitalocean.com/community/tutorials/how-to-secure-nginx-with-let-s-encrypt-on-ubuntu-18-04
6/23
13/2/2020
How To Secure Nginx with Let's Encrypt on Ubuntu 18.04 | DigitalOcean
secure backup of this folder now. This configuration directory will
also contain certificates and private keys obtained by Certbot so
making regular backups of this folder is ideal.
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt:
https://letsencrypt.org/donate
Donating to EFF:
https://eff.org/donate-le
Your certificates are downloaded, installed, and loaded. Try reloading your website using
https:// and notice your browser’s security indicator. It should indicate that the site is
properly secured, usually with a green lock icon. If you test your server using the SSL Labs
Server Test, it will get an A grade.
Let’s finish by testing the renewal process.
Step 5 — Verifying Certbot Auto-Renewal
Let’s Encrypt’s certificates are only valid for ninety days. This is to encourage users to
automate their certificate renewal process. The certbot package we installed takes care of
this for us by adding a renew script to /etc/cron.d . This script runs twice a day and will
automatically renew any certificate that’s within thirty days of expiration.
To test the renewal process, you can do a dry run with certbot :
$ sudo certbot renew --dry-run
If you see no errors, you’re all set. When necessary, Certbot will renew your certificates and
reload Nginx to pick up the changes. If the automated renewal process ever fails, Let’s
Encrypt will send a message to the email you specified, warning you when your certificate is
about to expire.
Conclusion
In this tutorial, you installed the Let’s Encrypt client certbot , downloaded SSL certificates
for your domain, configured Nginx to use these certificates, and set up automatic certificate
https://www.digitalocean.com/community/tutorials/how-to-secure-nginx-with-let-s-encrypt-on-ubuntu-18-04
7/23
13/2/2020
How To Secure Nginx with Let's Encrypt on Ubuntu 18.04 | DigitalOcean
renewal. If you have further questions about using Certbot, their documentation is a good
place to start.
By Hazel Virdó and Kathleen Juell
Was this helpful?
Yes
42
No
Report an issue
Related
TUTORIAL
TUTORIAL
How To Set Up Nginx
with HTTP/2 Support on
Ubuntu 18.04
How To Set Up Apache
Virtual Hosts on Ubuntu
18.04
HTTP/2 is a new version of
This tutorial will guide you
the Hypertext Transport
through setting up multiple
Protocol, which is used on
domains and websites
the Web to deliver pages …
using Apache virtual hosts
TUTORIAL
TUTORIAL
How To Set Up
Password
Authentication with
How To Set Up
Password
https://www.digitalocean.com/community/tutorials/how-to-secure-nginx-with-let-s-encrypt-on-ubuntu-18-04
8/23
13/2/2020
How To Secure Nginx with Let's Encrypt on Ubuntu 18.04 | DigitalOcean
Apache on Ubuntu 18.04
[Quickstart]
Authentication with
This
tutorial
walk 18.04
you
Apache
on will
Ubuntu
through …
protecting assets on an …
This tutorial will walk you
through password-
Still looking for an answer?
Ask a question
Search for more help
42 Comments
Leave a comment...
Sign In to Comment
hafez
5
May 7, 2018
Let’s Encrypt now supports wildcard certificates. It would be great if you add a section to this
tutorial about obtaining a wildcard certificate.
https://www.digitalocean.com/community/tutorials/how-to-secure-nginx-with-let-s-encrypt-on-ubuntu-18-04
9/23
13/2/2020
How To Secure Nginx with Let's Encrypt on Ubuntu 18.04 | DigitalOcean
Reply
Report
ajbozdar
1
June 9, 2018
Wildcard certificates are not fully supported for some servers at this time.
Reply
Report
paoloalessandrocozzi
0
November 15, 2019
If you followed this guide, to support wildcard certificates you have to install also the
certbot-dns-digitalocean plugin:
$ sudo apt install python3-certbot-dns-digitalocean
Then you will need to create a DigitalOcean API token with both read and write scope and
write it into a file as described by certbot-dns-digitalocean documentation (if you think that
is too permissive, please upvote the Fine grained API tokens idea). Remeber to keep this
file secure with permission since since you can do everithing in your DO account with this
token. The suggested location /root/.secrets/certbot/digitalocean.ini could be fine,
the plugin will tell you if the permissions are not secure. Then, supposing that example.com
is the domain that you want to certificate, type:
certbot certonly --dns-digitalocean --dns-digitalocean-credentials /root/.secrets/c
Remeber that example.com is not managed by *.example.com pattern, so you have to
declare it if you want a certificate valid also with your domain name only. Having
*.example.com and www.example.com is an error, since www is redundant if you have * , as
described by letsencrypt. If you need to remove a certificate, you can type:
$ certbot delete
and selecting the certificate that you want to delete. The renewal acts exactly as described
by this guide. If you try to test the renewal immediately after your first certificate generation
like this:
$ certbot renew --dry-run
https://www.digitalocean.com/community/tutorials/how-to-secure-nginx-with-let-s-encrypt-on-ubuntu-18-04
10/23
13/2/2020
How To Secure Nginx with Let's Encrypt on Ubuntu 18.04 | DigitalOcean
and you see an error regarding the TXT record of your domain (something like Incorrect
TXT record ), while you have generated the certificate correctly it could be that the DNS
record was not propagated to the server required to verify your certificate. Wait a certain
time (like the maximum TTL of your records) and then re-do the test.
Reply
fpschalk
0
Report
June 16, 2018
http://schalk.net pointed to my Nginx reverse proxy server that interfaced with my WebSockets
server at ws://localhost:3055 inside my droplet. It ran smoothly in Firefox and Chrome, but I
wanted more security; so I followed your excellent tutorial.
I was thrilled to see https://schalk.net running smoothly in my Chrome browser, but when I tried
to load it in Firefox I got nothing. I pressed F12 and looked at the console. The first screenshot
(below) shows an astonishing message that left me momentarily flabbergasted. By encrypting
my site, I made it such a tremendous security risk - according to Firefox - that it was too
dangerous to load in the browser.
I clicked the message and it took me to line 24 of my sources.js file, a file that Firefox apparently
ignored on grounds that everything in the file must be a security risk. Line 24 read, “ var socket =
new WebSocket(‘ws://localhost:3055/’);”. If I change that to “var socket = new
WebSocket('wws://localhost:3055/’);” Firefox sees no security risk but WebSocket messaging
becomes impossible since neither my Haskell backend server nor my Cycle.js front end is set
up for WebSocket Secure messaging. I let the Nginx reverse proxy server take care of
encryption.
My Bugzilla Mozilla report is at https://bugzilla.mozilla.org/show_bug.cgi?id=1468944. This bug
is in versions 62 nightly builds, 61, 60 and I don’t know how far before that. I’m not holding my
breath waiting for Firefox to do something, and it won’t help me with web surfers using pre-62
versions.
So, can you suggest any workarounds short of encrypting traffic between my Haskell server and
Cycle.js front end? I took a stab at doing that and got frustrated. That’s why I was so overjoyed
by your wonderful tutorial - so clear, so thorough, with magic results. Alternatively, can you steer
me toward information about using Letsencrypt to secure my WebSocket server and Cycle.js
front end?
Any help that you or the community can give me will be much appreciated. Thanks.
Reply
Report
mxd789
0
January 6, 2019
tldr
https://www.digitalocean.com/community/tutorials/how-to-secure-nginx-with-let-s-encrypt-on-ubuntu-18-04
11/23
13/2/2020
How To Secure Nginx with Let's Encrypt on Ubuntu 18.04 | DigitalOcean
Reply
fpschalk
0
Report
June 16, 2018
Wow! The procedure you presented was easy to follow and worked like a charm. Very
impressive.
I do have a problem, though. Firefox, which loaded my page before I secured the Nginx reverse
proxy server, now refuses to load it because of security concerns. Firefox found the file where I
define my unencrypted WebSocket server running on localhost and concluded that it is a
security threat. This is absurd, of course, but it might be a widespread problem. Every website
with a non-secured WebSocket server secured by an encrypted reverse proxy server might be
unavailable to people using Firefox browsers. The problem exists in Firefox version 62-dailybuilds, 61, and 60. I don’t know about earlier versions.
Do you have any suggestions for a workaround? My application uses a Haskell server behind a
Cycle.js front end bundled into the executable file by a Haskell compiler and uploaded to my
droplet where it runs on localhost. The thought of transforming it into a WebSocket Secure
application is daunting. I shouldn’t have to do that. My secure site loads and functions perfectly
in Chrome.
I wrote a comment with specific details, including the URL for my site, but it was deleted by
some amateurish spam detection system. Instead of flagging my comment for review, the
system deleted it and gave me an email address where I could register an appeal. Treating
customers with such disrespect is bad for business. I like Digitalocean and hate to see it
messing up like that.
My comment has three screenshots that I dare not attach now lest I upset the automatic
comment eraser. Maybe you can retrieve my detailed comment from wherever it went.
Any help from you or the community will be much appreciated. Thanks.
Reply
Report
bboucheron
1
June 18, 2018
Hi fpschalk. It’s not 100% clear to me what’s going on here, but based on this comment,
your previous comment, and your Mozilla bug report, I can suggest a couple of things to
look into.
I think there are two basic issues.
1. A “mixed content warning”. This is when a website loads as https but then tries
to fetch unsecured http or ws resources. Take a look at Mozilla’s mixed
https://www.digitalocean.com/community/tutorials/how-to-secure-nginx-with-let-s-encrypt-on-ubuntu-18-04
12/23
13/2/2020
How To Secure Nginx with Let's Encrypt on Ubuntu 18.04 | DigitalOcean
content resources for more info. Chrome might be allowing mixed content for
localhost as a special exception, I’m not sure.
2. If Nginx is proxying the local websocket to https://schalk.net , you should be
using shalk.net and not localhost:3055 in your javascript. I assume you are
running a development version of your app locally on port 3055 so this works
fine for you in Chrome, but it will fail for your visitors on all browsers.
If you fix #2, then #1 will not be an issue as well, because you could use a wss: URL since
you’ve secured schalk.net . You may want to try using a websocket test client
independent of your code just to verify that the websocket is being proxied correctly.
Reply
Report
rubenmmenke
1
June 19, 2018
Make sure you get A Record for both versions of your site www.example.com and
example.com!
Reply
Report
ahmedfaizantech
0
August 18, 2019
quick links on how to do that:
https://www.digitalocean.com/docs/networking/dns/how-to/manage-records/
edited by MattIPv4
Reply
fpschalk
0
Report
June 20, 2018
I’m replying to bboucheron. Pressing “Re;ply” didn’t do anything.
I changed proxypass http://localhost.:3055; to proxypass http://schalk.net:3055; “socket” is
defined as:
socket = "MozWebSocket" in window ? new MozWebSocket('ws://localhost:3055/') : new*
WebSocket('ws://localhost:3055/');
MDN’s “Writing WebSocket client applications” states: “In the above examples ws has replaced
http, similarly wss replaces https. Establishing a WebSocket relies on the HTTP Upgrade
mechanism, so the request for the protocol upgrade is implicit when we address the HTTP
server as ws://www.example.com or wss://www.example.com.” –
https://developer.mozilla.org/en-
https://www.digitalocean.com/community/tutorials/how-to-secure-nginx-with-let-s-encrypt-on-ubuntu-18-04
13/23
13/2/2020
How To Secure Nginx with Let's Encrypt on Ubuntu 18.04 | DigitalOcean
US/docs/Web/API/WebSockets_API/Writing_WebSocket_client_applications“. In context, it
is clear that they mean "ws” suffices even for WebSocket Secure sites.
https://schalk.net functions perfectly in Chrome. Firefox has a new concern. In the Webpack
bundle;js file, String.prototype.split is defined as native JavaScript String.prototype.split unless
Regex is used in calling it. In that case, it appears that MIT licensed “Cross Browser Split 1.1.1” by
Steven Levithan is used. Well, you guessed it, my application doesn’t finish loading in Firefox
and the console explains “SecurityError: The operation is insecure”, as shown in the screenshot I
will attempt to upload. Clicking the error line causes page 1818 of Bundle.js to be displayed.
This is shown in another screenshot and also, in more detail, in the text file that I will try to
upload.
I write “try to upload” because when I first left my two redundant messages they were
immediately deleted by the spam robot. Digital Ocean was very good about republishing them,
but I doubt that they have had sufficient time to substantially improve their spam software.
I am very grateful to you for helping me. I guess I should tell Webpack that Firefox thinks that
altering String.prototype can be an “insecure” operation. I’m feeling a little insecure about
developing websites that have to work in Firefox browsers. Do you or anyone else reading this
think a hacker could make use of Webpack’s modified version of String.protocol.split?
Reply
Report
fpschalk
0
June 24, 2018
I edited the bundle.js file produced by Webpack so String.prototype.split is no longer modified.
Now loading of my app in Firefox stops when the definition of “socket” is reached. It is ordinary
“ws”, not WebSocket Secure. My bundled Haskell server and Cycle.js front-end exchange
unencrypted WebSocket messages inside my droplet. Users reach the app with the URL
https://schalk.net, the address of my secure reverse-proxy Nginx server.
Chrome runs smoothly, but Firefox won’t finish loading. Here is the definition of “socket”:
socket = “MozWebSocket” in window ? new MozWebSocket(‘ws://127.0.0.1:3055/’) : new
WebSocket('ws://127.0.0.1:3055/’);
I’m not the only one having this problem, as is evident from:
https://www.google.com/search?
ei=lysvW6efB6WLjwT4uYfICQ&q=mixed+content+blocking+https+%22ws%22&oq=mixed+cont
ab.12…21871.23660.0.24677.2.2.0.0.0.0.103.182.1j1.2.0....0…1.1.64.psy-ab..0.0.0....0.DopyQx_CZug
Reply
Report
https://www.digitalocean.com/community/tutorials/how-to-secure-nginx-with-let-s-encrypt-on-ubuntu-18-04
14/23
13/2/2020
How To Secure Nginx with Let's Encrypt on Ubuntu 18.04 | DigitalOcean
mxuribe
2
June 29, 2018
CAUTION
If have - like me - your domains (and associated dns, nameservers) sit behind a service like
cloudflare, the above setup might need one more little tweak to avoid the headache of a
redirect loop.
Basically I have the non-httpS endpoint redirect to httpS, and it got stuck in a redirect loop. But
when I commented out the certbot and ssl stuff from my nginx server block, all was good. The
root cause - at least for me - was that cloudflare provides its own ssl cert…so as Joe Fleming
stated on his recent blog post: within cloudflare you need to “…switch the crypto config to Full
SSL or Full SSL (Strict)…” (by default it usually is configured as “Flexible” (or something similar).
Reference: https://joefleming.net/posts/nginx-ssl-and-cloudflare/
Once I did that tweak in cloudflare all was good, and I was able to stop pulling my hair out, and
live a happier day.
Big props to Joe Fleming for posting this solution on his blog (I’m surprised google didn’t bring
up any other hits on this topic except for Joe’s)…and as always props to the digital ocean folks
for posting these instructions!
Reply
Report
gkurtz06
1
January 19, 2019
You just saved me so much headache! I’ve been struggling with this for a few hours.
Thanks!
Reply
fpschalk
1
Report
July 2, 2018
Good news. My site ( https://schalk.net) works flawlessly in Chrome AND FIREFOX. Firefox was
complaining about Webpack’s definition of String.prototype.split and secure Nginx reverse
proxy server in front of unsecured WebSocket communication between my Haskell
WebSockets server and Cycle.js. I thought this is what I originally had in /etc/nginx/sitesenabled/schalk.net but I don’t know what else I changed. I had a Warp server behind Index.html
with scripts including the Webpack bundle.js file but that is currently stopped. Anyway, thank
you for a great tutorial and here’s /etc/nginx/sites-enabled/schalk.net:
server {
#
listen 80;
https://www.digitalocean.com/community/tutorials/how-to-secure-nginx-with-let-s-encrypt-on-ubuntu-18-04
15/23
13/2/2020
How To Secure Nginx with Let's Encrypt on Ubuntu 18.04 | DigitalOcean
#
listen [::]:80;
#
listen 443;
#
listen [::]:443;
root /var/www/schalk.net/html;
index index.html ;
server_name schalk.net;
location / {
# switch on logging
access_log on;
# redirect all HTTP traffic to http://127.0.0.1:3055
proxy_pass http://127.0.0.1:3055;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# WebSocket support (nginx 1.4)
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "Upgrade";
proxy_read_timeout 259200;
}
Automatically inserted by Certbot:
listen 443 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/schalk.net/fullchain.pem; # managed by C
ssl_certificate_key /etc/letsencrypt/live/schalk.net/privkey.pem; # managed by
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
server {
if ($host = schalk.net) {
return 301 https://$host$request_uri;
} # managed by Certbot
listen 80;
server_name schalk.net;
https://www.digitalocean.com/community/tutorials/how-to-secure-nginx-with-let-s-encrypt-on-ubuntu-18-04
16/23
13/2/2020
How To Secure Nginx with Let's Encrypt on Ubuntu 18.04 | DigitalOcean
return 404; # managed by Certbot
}
Reply
Report
eli236fcd793f00c4fce2349e6
0
November 5, 2019
I was able to enable the SSL by changing the server_name to a domain name instead of IP.
But i can no longer access thru ssh. How can i access now thru ssh?
Reply
fpschalk
0
Report
July 18, 2018
I know very little about system administration. l uploaded my WebSockets/Cycle.js executable,
put a little Upstart script in /etc/init, and my site went live on the Internet. It was like magic. I
went back to writing project code and didn’t give Upstart a second thought.
Trying to run my executable, which is a Haskell-compiled WebSocket server / Cycle.js app
combination, was a different story. The magic was gone. While trying to make it go live on the
Internet, I wrote some nonsensical comments below. I meant well, but now I think reading my
comments would be a waste of time. I will delete them when I figure out how.
Reply
Report
sneakycr0w
1
July 23, 2018
Edit suggestion: Add step after adding the repository to sudo apt update . I had to run that for
Ubuntu to see the python-certbot-nginx package
Reply
Report
alieus
0
September 1, 2018
Are you sure you are on 18.04?
Reply
Report
sneakycr0w
0
I definitely was yea.
Reply
tobiasoleary
1
September 21, 2018
Report
August 1, 2018
Under Step 1 - Installing Cerbot after adding the repository. sudo add-apt-repository
ppa:certbot/certbot You’ll probably need to run sudo apt update .
Reply
Report
https://www.digitalocean.com/community/tutorials/how-to-secure-nginx-with-let-s-encrypt-on-ubuntu-18-04
17/23
13/2/2020
How To Secure Nginx with Let's Encrypt on Ubuntu 18.04 | DigitalOcean
esteban93
1
August 16, 2018
Great tutorial! I am happy I found Digitalocean services and their amazing documentation. Keep
up the good work guys!
Reply
Report
johntrapper
0
August 20, 2018
thanks. this tutorial saved my day
edited by AHA
Reply
Report
mokoshiba
0
August 29, 2018
thanks, good tutorial to get started
Reply
Report
PathToEternity
0
September 19, 2018
I have been following the guides for installing WordPress on Ubuntu as part of a larger personal
project of mine to migrate a site from one droplet to another. The former I had setup awhile
back and I had lazily not setup SSL encryption for HTTPS connections, but I was on this one.
As part of the following the guide I setup port 80 requests to forward to https:// and before
adjusting my DNS settings to point to the new site I tested encryption without a CA using just
the new IP address.
After everything appeared to be working I changed my DNS entries from the old IP address to
the new one and… suddenly pulling up my site only gave me the nginx landing page. I also had
already made sure to update my .conf file from the new IP address to the domain name instead.
It occurred to me that it might be the redirection that was causing the problem (I was trying to
confirm success at each step rather than implement all changes at once) so went ahead with
this guide and it did solve the problem.
Mostly posting this in case anyone else finds themselves in a similar situation at some point
and stumbles across this while searching for a solution.
(I can follow guides and do basic troubleshooting but most of this stuff is outside my
wheelhouse.)
Reply
Report
machu
0
October 15, 2018
Hi, I followed your tutorial and after restart NGINX and network configuration, I am just seeing
the NGINX site. It should request the http://localhost:4000 (server side rendering index.html)
https://www.digitalocean.com/community/tutorials/how-to-secure-nginx-with-let-s-encrypt-on-ubuntu-18-04
18/23
13/2/2020
How To Secure Nginx with Let's Encrypt on Ubuntu 18.04 | DigitalOcean
but it didn’t work. I have also add the A records like www -> @ and test.com -> host ip
What I am doing wrong?
server {
server_name test.com www.test.com;
location / {
proxy_pass http://localhost:4000;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection 'upgrade';
proxy_set_header Host $host;
proxy_cache_bypass $http_upgrade;
}
listen 443 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/test.com/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/test.com/privkey.pem; # managed by Certb
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
server {
if ($host = www.test.com) {
return 301 https://$host$request_uri;
} # managed by Certbot
if ($host = test.com) {
return 301 https://$host$request_uri;
} # managed by Certbot
listen 80;
Reply
Report
https://www.digitalocean.com/community/tutorials/how-to-secure-nginx-with-let-s-encrypt-on-ubuntu-18-04
19/23
13/2/2020
How To Secure Nginx with Let's Encrypt on Ubuntu 18.04 | DigitalOcean
carlier74
0
November 7, 2018
There’s a problem with the last step in step 1 (installing Python). The solution that worked for me
is here:
https://github.com/certbot/certbot/issues/6362
sudo add-apt-repository universe
sudo apt-get update
then install certbot
Reply
Report
carlier74
1
November 8, 2018
For step 5 (checking if auto-renewal is set up correctly) I had to restart nginx for a successful
dry-run.
Reply
Report
newskooler
0
July 23, 2019
Thank you! I wasted some time figuring this out. Anyone running GitLab (and hence
another nginx) may get this issue, as port 80 will be used by GitLab’s Nginx. (at least for me
that was the case).
Reply
Report
brianmromano
0
December 26, 2018
Hello everything went great until I hit a problem in step four. When it goes to obtain a new
certificate, it says it can not find the www.example.com version of my domain name. The
challenge for the example.com seems to be fine.
Error Detail says: DNS problem: SERVFAIL looking up A for www.example.com
I double checked to make sure I have a A record for www.example.com. I just added the record
a few mins before getting to this step. Is it possible it just hasn’t taken effect yet or did I maybe
set up that record wrong? Thanks for any help!
Reply
Report
olatundesamuel2018
0
December 30, 2018
I found that you have to update apt after adding the certbot repo with: sudo apt update before
installing certbot else it gives ‘unable to locate python-certbot-nginx’
Reply
Report
https://www.digitalocean.com/community/tutorials/how-to-secure-nginx-with-let-s-encrypt-on-ubuntu-18-04
20/23
13/2/2020
How To Secure Nginx with Let's Encrypt on Ubuntu 18.04 | DigitalOcean
Load More Comments
This work is licensed under a Creative
Commons Attribution-NonCommercialShareAlike 4.0 International License.
BECOME A CONTRIBUTOR
You get paid; we donate to tech
nonprofits.
CONNECT WITH OTHER DEVELOPERS
Find a DigitalOcean Meetup
near you.
https://www.digitalocean.com/community/tutorials/how-to-secure-nginx-with-let-s-encrypt-on-ubuntu-18-04
21/23
13/2/2020
How To Secure Nginx with Let's Encrypt on Ubuntu 18.04 | DigitalOcean
GET OUR BIWEEKLY NEWSLETTER
Sign up for Infrastructure as a
Newsletter.
Featured on Community Kubernetes Course Learn Python 3 Machine Learning in Python
Getting started with Go Intro to Kubernetes
DigitalOcean Products Droplets
Managed Databases Managed Kubernetes
Marketplace
Spaces Object Storage
Welcome to the developer cloud
DigitalOcean makes it simple to launch in the
cloud and scale up as you grow – whether you’re
running one virtual machine or ten thousand.
Learn More
https://www.digitalocean.com/community/tutorials/how-to-secure-nginx-with-let-s-encrypt-on-ubuntu-18-04
22/23
13/2/2020
How To Secure Nginx with Let's Encrypt on Ubuntu 18.04 | DigitalOcean
© 2020 DigitalOcean, LLC. All rights reserved.
Company
Products
About
Products Overview
Leadership
Pricing
Blog
Droplets
Careers
Kubernetes
Partners
Managed Databases
Referral Program
Spaces
Press
Marketplace
Legal & Security
Load Balancers
Block Storage
Tools & Integrations
API
Documentation
Release Notes
Community
Contact
Tutorials
Get Support
Q&A
Trouble Signing In?
Tools and Integrations
Sales
Tags
Report Abuse
Product Ideas
System Status
Meetups
Write for DOnations
Droplets for Demos
Hatch Startup Program
Shop Swag
Research Program
Currents Research
Open Source
https://www.digitalocean.com/community/tutorials/how-to-secure-nginx-with-let-s-encrypt-on-ubuntu-18-04
23/23
