Nginx: generate a Let’s Encrypt certificate

After seeing how to install and configure Nginx as a reverse proxy and how to harden it with CrowdSec, in this tutorial I will explain how to generate a Let’s Encrypt certificate.

As a reminder, Let’s Encrypt is a free certificate authority, which lets you obtain SSL certificates at no cost.

If you want to generate SSL certificates on Windows, I recommend using Certify The Web.

For this tutorial, I used a server under Ubuntu 20.04 with Nginx installed which is used as a reverse proxy.

Install Certbot on Ubuntu

To generate certificates on Ubuntu (and Linux in general), we use Certbot.

Certbot is a program that performs the domain validation checks needed to obtain the SSL certificate and then configures the web server, the virtualhost to be more precise. Certbot also takes care of renewing the certificate(s) automatically.

The first step is to install Certbot for Nginx on the server; to do this, enter the command below:

sudo apt install python3-certbot-nginx -y

Certbot is now installed; we will now generate a certificate.

Generate a Let’s Encrypt certificate for Nginx with Certbot

To illustrate this tutorial, I will use the virtualhost below:

In the virtualhost configuration, it is important to set the server_name parameter.

As we can see in the configuration, the virtualhost currently listens on port 80.

To launch the certbot program, use the command below:

sudo certbot

During the first execution, you must:

  • Indicate an email address
  • Accept the service contract
  • Indicate if you want to share the email address.

From there, here is how it goes when you want to generate a certificate:

The list of sites is displayed, enter the site number and validate.

Wait while the certificate is requested…

Once the certificate is generated, the wizard asks whether you want to redirect HTTP to HTTPS; in this example I choose option 2.

A confirmation message is displayed and we get the console back.

If we look at the virtualhost configuration again, we can see the HTTPS configuration listening on port 443, and that traffic on port 80 is redirected (301) to the HTTPS site.

Auto renew

By default, Certbot automatically renews the certificate before it expires and replaces it.

Below we can see the scheduled task (cron).
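To verify on your own server that a certificate is still outside Certbot's renewal window, here is an added check using openssl (example script, not part of this tutorial or of Certbot). It assumes Certbot's standard path /etc/letsencrypt/live/<domain>/fullchain.pem and its default behaviour of renewing when fewer than 30 days remain; the self-signed certificate generator exists only to test the check offline.

```shell
#!/usr/bin/env bash
# Added example: check whether a Let's Encrypt certificate falls inside
# Certbot's default renewal window (30 days before expiry).

# Return 0 if the certificate in $1 expires within $2 days (default 30),
# 1 if it is valid for longer, 2 if the file is missing or not a PEM certificate.
cert_needs_renewal() {
  cert="$1"; days="${2:-30}"
  [ -r "$cert" ] || return 2
  openssl x509 -noout -in "$cert" >/dev/null 2>&1 || return 2
  # -checkend exits 0 when the cert is still valid after N seconds, 1 otherwise
  if openssl x509 -noout -checkend "$((days * 86400))" -in "$cert" >/dev/null 2>&1; then
    return 1
  fi
  return 0
}

# Report on the live certificate Certbot installed for a domain served by Nginx.
# Usage: report_domain example.com
report_domain() {
  domain="$1"; live="/etc/letsencrypt/live/$domain/fullchain.pem"
  rc=0; cert_needs_renewal "$live" 30 || rc=$?
  case $rc in
    0) echo "$domain: expires within 30 days, Certbot should renew it on its next run" ;;
    1) echo "$domain: valid for more than 30 days" ;;
    *) echo "$domain: no readable certificate at $live" ;;
  esac
  return 0
}

# Constructed test input: a self-signed certificate valid for $3 days,
# written to $1 (certificate) and $2 (private key). Not a Let's Encrypt cert.
make_test_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days "$3" \
    -subj "/CN=example.test" -keyout "$2" -out "$1" >/dev/null 2>&1
}
```

On a server where Certbot is installed, `sudo certbot renew --dry-run` and `systemctl list-timers certbot.timer` complement this check by exercising the renewal itself and showing the scheduled task.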