How to Secure Nginx with Let's Encrypt on Debian and Ubuntu
Introduction
Securing your website with HTTPS is a mandatory step for modern web deployment. It encrypts the traffic between your server and your users, protecting it from eavesdropping and tampering in transit. Let's Encrypt is a free, automated, and open Certificate Authority (CA) that makes this process incredibly simple.
In this tutorial, we will install the Let's Encrypt client (Certbot) on Debian-based systems (including Debian, Ubuntu, and their derivatives), configure Nginx, and set up automatic certificate renewal. Certbot is available directly in the default repositories of most modern distributions, making the installation process smooth and straightforward.
Step 1: Install Certbot
First, ensure your package lists are up to date to avoid installing outdated software.
Update your package index:
xinit@localhost:~$ sudo apt update
Next, install the core Certbot package along with the Nginx plugin. This plugin helps automate the configuration of Nginx, saving you from manual edits later.
Install Certbot and the Nginx python3 plugin:
xinit@localhost:~$ sudo apt install certbot python3-certbot-nginx -y
Step 2: Configure Nginx
Certbot needs to be able to find the correct server block in your Nginx configuration to verify your domain ownership. It looks for the server_name directive that matches the domain you are requesting a certificate for.
Open your site's configuration file (usually located in /etc/nginx/sites-available/):
xinit@localhost:~$ sudo nano /etc/nginx/sites-available/your_project
Find the server_name line and ensure it includes both your root domain and the www subdomain.
Update the configuration file:
server {
    # ... other config lines ...

    # Explicitly define your domain names here
    server_name example.com www.example.com;

    # ... other config lines ...
}
Save the file and exit the editor.
Step 3: Obtain the SSL certificate
Now that Nginx is aware of your domain, you can run Certbot to request the certificate. We use the --nginx flag to tell Certbot to use the plugin we installed earlier. The plugin completes the domain validation challenge and automatically updates your Nginx configuration to serve traffic over HTTPS.
Run Certbot to obtain the certificate:
xinit@localhost:~$ sudo certbot --nginx -d example.com -d www.example.com
During this process, Certbot will ask if you want to redirect all HTTP traffic to HTTPS. It is highly recommended to select Redirect to ensure all traffic is encrypted.
Step 4: Verify auto-renewal
Let's Encrypt certificates are valid for 90 days. However, the Certbot package we installed creates a systemd timer that checks for expiring certificates twice a day and automatically renews any that are within 30 days of expiration.
To make sure this process works correctly, you can perform a dry run (a test simulation):
xinit@localhost:~$ sudo certbot renew --dry-run
If you see no errors, your automatic renewal is set up correctly.
Step 5: Reload Nginx
Finally, although Certbot usually reloads Nginx automatically, it is good practice to ensure the web server is running with the latest configuration and certificates loaded.
Restart the Nginx service:
xinit@localhost:~$ sudo systemctl restart nginx
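The dry run in Step 4 only shows that renewal works at the moment you test it. The script below is an added example, not part of the original tutorial or of Certbot: it checks an issued certificate against the 30-day renewal window and confirms it covers both names from Step 2. The function names and the certificate path (Certbot's default layout under /etc/letsencrypt/live/) are assumptions.

```sh
#!/bin/sh
# Added example (not from the original tutorial): certificate health check.
# Assumption: Certbot's default path /etc/letsencrypt/live/<domain>/fullchain.pem
# Usage: sudo sh check_cert.sh /etc/letsencrypt/live/example.com/fullchain.pem

RENEW_WINDOW_DAYS=30   # Certbot renews once a certificate is inside this window

# cert_status CERT_FILE [DAYS]
# Prints ok | renewal-overdue | expired | unreadable; returns 0 only for "ok".
cert_status() {
    local cert days
    cert="$1"
    days="${2:-$RENEW_WINDOW_DAYS}"
    # Parse first: -checkend also exits non-zero when the file is not a certificate.
    if ! openssl x509 -in "$cert" -noout >/dev/null 2>&1; then
        echo "unreadable"; return 3
    fi
    # -checkend N exits 0 if the certificate is still valid N seconds from now.
    if openssl x509 -in "$cert" -noout -checkend $((days * 86400)) >/dev/null; then
        echo "ok"; return 0
    fi
    if openssl x509 -in "$cert" -noout -checkend 0 >/dev/null; then
        echo "renewal-overdue"; return 1   # valid, but the timer should have renewed it
    fi
    echo "expired"; return 2
}

# cert_covers CERT_FILE NAME...
# Returns 0 only if every NAME is a DNS entry in the certificate's subjectAltName.
cert_covers() {
    local cert sans name
    cert="$1"; shift
    sans=$(openssl x509 -in "$cert" -noout -ext subjectAltName 2>/dev/null) || return 1
    for name in "$@"; do
        # One SAN per line, "DNS:" prefix stripped, then exact whole-line match.
        printf '%s\n' "$sans" | tr ',' '\n' \
            | sed -n 's/^[[:space:]]*DNS:\([^[:space:]]*\).*/\1/p' \
            | grep -Fxq -- "$name" || return 1
    done
}

# Stand-alone use: print the status and exit with its code (for cron or monitoring).
if [ "$#" -ge 1 ]; then
    cert_status "$1"
fi
```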
Conclusion
You have successfully secured your site's traffic with a free SSL/TLS certificate from Let's Encrypt. Your Nginx configuration has been updated to use HTTPS, and automatic renewal is enabled. You can now verify the security of your domain by visiting it in a browser or testing it with an SSL checker tool.