How To Secure and Encrypt Nginx with Let’s Encrypt on Ubuntu 20.04

Websites include SSL/TLS encryption for its domain to attract visitors. This article explains use of Certbot utility to obtain TLS/SSL certificates for Nginx on Ubuntu.

Secure Nginx with Let's Encrypt on Ubuntu


Any website that seeks to attract visitors needs to include TLS/SSL encryption for its domain. SSL free certificates ensure a safe connection between your web server like to secure and encrypt nginx and application browsers. Let’s Encrypt is a free, automated and open certificate authority that allows you to set up such protection for Nginx. Let’s Encrypt free SSL certificates are trusted by all major browsers and valid for next 90 days from the issue date.

This blog post explains simplest way to secure and encrypt Nginx running web server on Ubuntu 20.04 / 18.04 by obtaining Let’s Encrypt certificates using the Certbot utility and set up your certificates to renew it automatically.

  • Dependencies and Prerequisites
  • Installing Certbot Utility
  • Confirming Nginx’s Configuration
  • Allowing HTTPS Through the Firewall
  • Obtaining an SSL Certificate
  • Conclusion

First things first: Dependencies and Prerequisites

In order to follow this article, you’ll need to install following dependencies and prerequisites:

  • A sudo-enabled non-root or root user on local/remote machines.
  • A system running Ubuntu 20.04 or Ubuntu 18.04
  • Access to a command line terminal
  • Sudo or root privileges on local/remote machines
  • Nginx installed and set up
  • A registered domain name pointing to public IP
  • A server block configured for that domain name
  • Firewall is configured to accept connections on ports 80 and 443.

Step 1 — Installing Certbot

First things first step to secure and encrypt Nginx with Let’s Encrypt is to install Certbot fully-featured and easy to use package for obtaining and renewing Let’s Encrypt SSL certificates on your server. To do so, start by opening a terminal on ubuntu and updating the local repository. Type y and ENTER if prompted.

sudo apt update
sudo apt install certbot python3-certbot-nginx

Now let’s verify some of Nginx’s configuration settings.

Step 2 — Confirming Nginx’s Configuration

As explained in the dependencies and prerequisites section, you should already have a registered domain and certbot needs to be able to find the correct Nginx server block for that domain to automatically configure SSL. As an example, this blog post uses the domain and server block for your domain at /etc/nginx/sites-available/ with the server_name directive already set correctly.

To confirm, open the configuration file for your domain using nano or your favorite text editor:

sudo nano /etc/nginx/sites-available/

Find the existing server_name directive line in file /etc/nginx/sites-available/ . It should look like this:


Now verify the syntax of your Nginx configuration files and reload Nginx server to load the new configuration settings:

sudo nginx -t
sudo systemctl reload nginx

Certbot utility now can find the correct Nginx server block directive to secure nginx and updates it automatically. In next step, let’s update the firewall to allow HTTPS traffic.

Step 3 — Allowing HTTPS Through the Firewall

As recommended in this article prerequisites you’ll need to adjust the settings to allow for HTTPS traffic. To ensure that your firewall is enabled and active , run the below command:

sudo ufw status

The output should tell you UFW is active and give you a list of set rules. It only shows HTTP traffic is allowed to the web server. To allow encrypted traffic, you can either add the Nginx HTTPS profile or use Nginx Full and delete the existing Nginx HTTP rule. Allow Nginx HTTPS traffic by typing the command:

sudo ufw allow 'Nginx Full'
sudo ufw delete allow 'Nginx HTTP'

Verify https rule that allows HTTPS traffic by by typing the ufw status command:

sudo ufw status

Next, let’s run Certbot and fetch our certificates.

Step 4 — Obtaining an SSL Certificate

The Nginx’s plugin for Certbot will take care of reconfiguring Nginx and reloads its configuration when necessary. Therefore, onyl you need to generate certificates with the NGINX plug‑in by executing the following command:

sudo certbot --nginx -d -d

 If this is your first time running certbot utility then certbot asks you to configure your HTTPS settings. You will be prompted to enter an email address and agree to the terms of service. After hit ENTER, the configuration will be updated, and Nginx will reload to pick up the new settings. Finally, certbot will display with a message telling you that a certificate was successfully generated and where your certificates are stored.

Your certificates are downloaded, installed, and loaded. Try reloading your website using https:// and notice your browser’s security indicator. It should indicate that the site is properly secured, usually with a lock icon. If you test your server using the SSL Labs Server Test, it will get an A grade.

Let’s finish by testing the renewal process.

Step 5 — Verifying Certbot Auto-Renewal

Since Let’s Encrypt certificates expire every ninety(90) days and Nginx encourage users setting up and automatic renewal cron job. First, open the crontab configuration file for the current user:

sudo crontab -e

Add a cron job that runs the certbot command, which renews the certificate if it detects the certificate will expire within 30 days. Schedule it to run daily at a specified time e.g 05:00 a.m.

sudo certbot renew --dry-run

The cron job should also include the –quiet attribute, as in the command above. This instructs certbot not to include any output after performing the task. Enable automatic certificate renewal. Once you added the cron job, save the changes, and exit the file.


In this article, you installed the Let’s Encrypt client certbot, downloaded SSL certificates for your domain and configured Nginx to use these certificates. In addition, you should have enabled Certbot to renew certificates automatically.


You may find following links relevant:

What tools do you use? What do you monitor online?. If you have any questions, please get in touch.


About Yasir Saeed

Open Source Enthusiast. I spend almost all my days making sure everyone around containerize is happy by growing your website traffic and ranking . Please feel free to reach us via our open source forum