Adding Let's Encrypt SSL certificates to nginx websites on Ubuntu

Let’s Encrypt is a certificate authority that provides free SSL certificates. The process to acquire certificates is fully automated and is designed to make the creation and renewal of certificates as painless as possible.

This short post describes the steps to get and configure certificates for a website hosted on Ubuntu, using nginx as the web server.

The first step is to install the certbot tool. Ubuntu provides packages, so the installation can be done with a single command:

$ sudo apt-get install letsencrypt

The next step is to generate the certificate using certbot. The process creates some files in the root directory of the website, so access to that folder is required. Launching certbot with this command line does the trick:

$ sudo letsencrypt certonly --webroot -w /var/www/munisso.com -d munisso.com

The command generates the verification files in the specified folder and then looks for them using the domain to be certified. If the verification process is successful, the certificates are created in /etc/letsencrypt/live/munisso.com/

After creating the certificate, we need to configure nginx to serve the website using SSL along with the unencrypted HTTP version. To do so, we edit the nginx configuration file for the website (for example /etc/nginx/sites-available/munisso.com) and add the following configuration options:

listen 443 ssl;
listen [::]:443 ssl;

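# "ssl on;" is left out: it would apply SSL to every listener in this server block, including port 80, and break the plain HTTP version. The ssl parameter on the listen lines above is enough.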

ssl_certificate /etc/letsencrypt/live/munisso.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/munisso.com/privkey.pem;

ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate /etc/letsencrypt/live/munisso.com/chain.pem;

Make sure to replace the domain name in these paths with the folder for your website. Restarting nginx or reloading the configuration will enable SSL on the website.
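A check to run on the site file before reloading nginx, as an added example that is not part of the original post: it confirms that the certificate, key and stapling directives all point at the same /etc/letsencrypt/live/ folder and that nothing forces SSL onto the HTTP listener. The names check_tls_conf and sample_conf are hypothetical, and the check assumes the file holds a single server block.

```shell
# check_tls_conf DOMAIN < site-file
# Prints one FAIL line per finding; returns 0 when clean, 1 otherwise.
check_tls_conf() {
    awk -v live="/etc/letsencrypt/live/$1" '
        function bad(msg) { print "FAIL: " msg; n++ }
        { sub(/#.*/, ""); gsub(/;/, " ") }      # drop comments and semicolons
        $1 == "listen" && / ssl( |$)/            { tls = 1 }
        $1 == "ssl" && $2 == "on"                { sslon = 1 }
        $1 == "ssl_certificate"                  { cert = $2 }
        $1 == "ssl_certificate_key"              { key = $2 }
        $1 == "ssl_trusted_certificate"          { chain = $2 }
        $1 == "ssl_stapling_verify" && $2 == "on" { verify = 1 }
        END {
            if (!tls)  bad("no listen line carries the ssl parameter")
            if (sslon) bad("ssl on puts SSL on every listener in the block, port 80 included")
            # nginx must send the intermediate too, so fullchain.pem, not cert.pem
            if (cert != live "/fullchain.pem")
                bad("ssl_certificate should be " live "/fullchain.pem")
            if (key != live "/privkey.pem")
                bad("ssl_certificate_key should be " live "/privkey.pem")
            if (verify && chain != live "/chain.pem")
                bad("ssl_stapling_verify needs ssl_trusted_certificate " live "/chain.pem")
            exit (n > 0)
        }
    '
}

# Constructed sample: the directives from this post in a block that also
# listens on port 80 and still carries a leftover "ssl on;".
sample_conf() {
cat <<'EOF'
listen 80;
listen 443 ssl;
listen [::]:443 ssl;
ssl on;
ssl_certificate /etc/letsencrypt/live/munisso.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/munisso.com/privkey.pem;
ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate /etc/letsencrypt/live/munisso.com/chain.pem;
EOF
}

sample_conf | check_tls_conf munisso.com || echo "fix the findings before reloading nginx"
```

For a real site, run it as check_tls_conf munisso.com < /etc/nginx/sites-available/munisso.com.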