I'll show you how to use "Let’s Encrypt" (a Certificate Authority, or CA) to install free SSL certificate, thereby enabling encrypted HTTPS communication with your webserver.

Together with Certbot the entire process is mostly automated and requires few manual steps. In addition certbot will ensure your certificate renews automatically.

This tutorial builds on top of "Hosting a Website with nginx on Genesis Cloud", so make sure you've already set up Nginx and a static website.

The example-website domain we'll be using is the same as in the previous Nginx tutorials: intuitive.run

Step 1: Install Certbot

First, we need to add the certbot repository:

$ sudo add-apt-repository ppa:certbot/certbot

Confirm  with ENTER.

Then, let's update it:

$ sudo apt update

Now we can install the certbot-nginx package:

$ sudo apt install python-certbot-nginx

Step 2: Verify Nginx Config

In order to automatically configure SSL, certbot needs to find the right nginx server block. It does this, by checking the key server_name in the file /etc/nginx/sites-available/intuitive.run

If you've followed thee previous tutorial, this should already be correct. However, to make sure let's check it directly with the cat command (or any other text editor like nano):

Using the cat command you can check the key "server_name" in "intuitive.run"

Using the cat command you can check the key "server_name" in "intuitive.run"

It should say (with your domain name):

server_name intuitive.run www.intuitive.run;

Step 3: Adjusting the firewall and allowing HTTPS

Next, we need to check if the ufw (uncomplicated firewal) is allowing the right traffic (HTTPS in our case).

We do this by first checking the application configurations that ufw knows via:

$ sudo ufw app list

Per default, it should show four possible profiles:

The ufw app list shows four possble profiles

The ufw app list shows four possble profiles

These are:

  • Nginx Full: Opens both port 80 (normal, unencrypted web traffic) and port 443 (TLS/SSL encrypted traffic)
  • Nginx HTTP: Opens only port 80 (normal, unencrypted web traffic)
  • Nginx HTTPS: Opens only port 443 (TLS/SSL encrypted traffic)

  • OpenSSH: Opens only port 443 (to allow the ssh connection)

To check the active profiles type:

$ sudo ufw status

If it shows "Status: inactive", enable it with sudo ufw enable.

Which will show that Nginx Full (HTTP+HTTPS), Nginx (HTTP) and SSH is allowed (for IPv4 and IPv6):

Terminal output displaying the appropriate allowences

Terminal output displaying the appropriate allowences

As Nginx HTTP is redundant, we'll delete it:

$ sudo ufw delete allow 'Nginx HTTP'

After that the command $ sudo ufw status should reveal the following:

Terminal output after "sudo ufw status"

Terminal output after "sudo ufw status"


Step 4: Get the SSL Certificate

Certbot helps you actually getting the SSL certificate you need to enable HTTPS on your site. It will reconfigure Nginx and reload the config if necessary. To get started, type the following (replacing intuitive.run with your domain):

$ sudo certbot --nginx -d intuitive.run -d www.intuitive.run

After that it will ask you whether to redirect all traffic to HTTPS or not, so choose either 1 or 2:

Type either "1" or "2" when prompted

Type either "1" or "2" when prompted

Congratulations! You now have now a valid certificate for your domain. Check if it works by visiting your domain in a browser of your choice: www.intuitive.run

It should indicate that the site is HTTPS secured, usually with a lock next to the URL.

Step 5: Verify that your Certbot Auto-Renewal Works

Let’s Encrypt’s certificates are only valid for ninety days. The certbot package we installed takes care of this for us by adding a renewal script that runs twice daily to /etc/cron.d. This cron job will automatically renew any certificate if it's within thirty days of expiration.

To test the renewal process, you can type:

$ sudo certbot renew --dry-run

If you see no errors, your website is looking into a bright, certified and encrypted future with auto-renewal! :)