Configure Let’s Encrypt SSL with Nginx on Ubuntu 22.04


Obtaining an SSL Certificate

Certbot provides a variety of ways to obtain SSL certificates through plugins. The Nginx plugin will take care of reconfiguring Nginx and reloading the config whenever necessary. To use this plugin, type the following:

sudo certbot --nginx -d -d
Code language: CSS (css)

This runs certbot with the --nginx plugin, using -d to specify the domain names we’d like the certificate to be valid for.

When running the command, you will be prompted to enter an email address and agree to the terms of service. After doing so, you should see a message telling you the process was successful and where your certificates are stored:

OutputIMPORTANT NOTES: Successfully received certificate. Certificate is saved at: /etc/letsencrypt/live/<mark>your_domain</mark>/fullchain.pem Key is saved at: /etc/letsencrypt/live/<mark>your_domain</mark>/privkey.pem This certificate expires on 2022-06-01. These files will be updated when the certificate renews. Certbot has set up a scheduled task to automatically renew this certificate in the background. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - If you like Certbot, please consider supporting our work by: * Donating to ISRG / Let's Encrypt: * Donating to EFF:
Code language: HTML, XML (xml)

Your certificates are downloaded, installed, and loaded, and your Nginx configuration will now automatically redirect all web requests to https://. Try reloading your website and notice your browser’s security indicator. It should indicate that the site is properly secured, usually with a lock icon. If you test your server using the SSL Labs Server Test, it will get an A grade.

Verifying Certbot Auto-Renewal

Let’s Encrypt’s certificates are only valid for ninety days. This is to encourage users to automate their certificate renewal process. The certbot package we installed takes care of this for us by adding a systemd timer that will run twice a day and automatically renew any certificate that’s within thirty days of expiration.

You can query the status of the timer with systemctl:

sudo systemctl status snap.certbot.renew.service
Code language: CSS (css)
Output○ snap.certbot.renew.service - Service for snap application certbot.renew Loaded: loaded (/etc/systemd/system/snap.certbot.renew.service; static) Active: inactive (dead) TriggeredBy: ● snap.certbot.renew.timer
Code language: JavaScript (javascript)

To test the renewal process, you can do a dry run with certbot:

sudo certbot renew --dry-run

No Comments

Send Comment Edit Comment

 ̄﹃ ̄
∠( ᐛ 」∠)_
φ( ̄∇ ̄o)
ヾ(´・ ・`。)ノ"
( ง ᵒ̌皿ᵒ̌)ง⁼³₌₃
Σ(っ °Д °;)っ
( ,,´・ω・)ノ"(´っω・`。)
( ๑´•ω•) "(ㆆᴗㆆ)