Boost Your Website’s Security: NGINX and SSL Setup with Certbot Made Easy
Source: Dev.to
Website security is essential in today’s digital environment. With cyber threats increasing and users more aware of privacy, securing your website with HTTPS matters for trust, performance, and search engine ranking. SSL/TLS certificates are necessary for any serious online presence because search engines favor encrypted websites and modern browsers actively alert users when a website is not secure.
One of the most widely used web servers, NGINX, powers millions of websites globally and is renowned for its excellent performance and stability. It offers a quick, safe, and dependable basis for serving web content when paired with SSL encryption. However, because of the complexity of configuration and certificate management, setting up SSL can be intimidating for many developers and system administrators.
Here’s where Certbot makes things easier. Certbot eliminates a significant portion of the manual labor typically involved in HTTPS setup by automating the issuance, installation, and renewal of free SSL certificates from Let’s Encrypt. In this guide we’ll:
- Install NGINX.
- Secure it with SSL using Certbot.
- Ensure your website stays safe with little to no maintenance.
Installing and Configuring NGINX on Ubuntu
Installing and configuring a web server is the first step before using SSL to secure your website. We’ll use NGINX, a high‑performance, lightweight web server that is frequently used for reverse proxying and serving web applications.
Prerequisites
- An Ubuntu server (18.04, 20.04, or later)
- A non‑root user with sudo privileges
- A registered domain name pointing to your server’s IP address
Install NGINX
sudo apt update
sudo apt install nginx
Once installed, NGINX automatically starts running on your server. Verify that it’s active:
sudo service nginx status
Alternatively, open your server’s public IP address in a browser. If NGINX is working correctly, you should see the default “Welcome to NGINX” page.
Configure a Server Block
NGINX uses server blocks (similar to virtual hosts in Apache) to manage multiple websites on a single server.
cd /etc/nginx/sites-enabled
Create a new configuration file for your domain (replace proxy with a meaningful name):
sudo nano proxy
Add the following configuration (replace placeholders with your actual values):
server {
    listen 80;
    listen [::]:80;
    server_name YOUR-DOMAIN-NAME;
    location / {
        proxy_pass http://localhost:PORT/;
    }
}
Configuration breakdown
- listen 80; – Listens for incoming HTTP traffic.
- server_name – Your actual domain (e.g., example.com).
- proxy_pass – Forwards requests to an application running locally (such as a Node.js or backend service).
- PORT – The port your application is listening on (e.g., 3000).
Save and exit the file (CTRL + O, then CTRL + X).
Test NGINX Configuration
Before applying changes, always test the configuration syntax:
sudo nginx -t
If the output shows “syntax is ok” and “test is successful”, you’re good to proceed.
Restart and Check Status of NGINX
sudo service nginx restart
sudo service nginx status
Securing NGINX with SSL Using Certbot (Let’s Encrypt)
Enabling HTTPS is a crucial next step after NGINX has successfully served your application over HTTP. SSL/TLS encryption prevents man‑in‑the‑middle attacks, enhances user confidence, and improves search‑engine rankings.
Install Certbot Using Snap
On Ubuntu, the recommended way to install Certbot is via Snap, as it ensures you always receive the latest and most secure version.
sudo snap install core
sudo snap refresh core
Install Certbot:
sudo snap install --classic certbot
Create a symbolic link so the certbot command is globally accessible:
sudo ln -s /snap/bin/certbot /usr/bin/certbot
Verify the installation:
certbot --version
Obtain and Install SSL Certificate for NGINX
Certbot can automatically detect your NGINX configuration and configure SSL with minimal input.
sudo certbot --nginx
During the process, you will be prompted to:
- Enter your email address (used for renewal and security notifications).
- Agree to the Let’s Encrypt Terms of Service.
- Choose whether or not to share your email address with the Electronic Frontier Foundation.
- Select the domain(s) you want to activate HTTPS for.
- Decide if you want to redirect all HTTP traffic to HTTPS.
After the script finishes, Certbot will have:
- Obtained a trusted SSL certificate from Let’s Encrypt.
- Modified your NGINX server block to listen on port 443 with the appropriate ssl_certificate and ssl_certificate_key directives.
- Set up automatic renewal (a systemd timer is installed by default).
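As an added example (not part of the original article or of Certbot), the script below checks a server-block file for the changes listed above: a 443 listener, both certificate directives, and the optional HTTP-to-HTTPS redirect. The sample configs, example.com, and port 3000 are constructed placeholders.

```shell
#!/bin/sh
# audit_tls_block FILE: print each expected item that is absent (directives
# that are commented out do not count as present) and return the count.
audit_tls_block() {
    body=$(sed 's/#.*//' "$1")
    missing=0
    while IFS='|' read -r label regex; do
        if ! printf '%s\n' "$body" | grep -Eq "$regex"; then
            echo "MISSING: $label"
            missing=$((missing + 1))
        fi
    done <<'CHECKS'
listen 443 ssl|^[[:space:]]*listen[[:space:]]+(\[::\]:)?443[[:space:]]+ssl
ssl_certificate|^[[:space:]]*ssl_certificate[[:space:]]+[^;]+;
ssl_certificate_key|^[[:space:]]*ssl_certificate_key[[:space:]]+[^;]+;
HTTP to HTTPS redirect|return[[:space:]]+301[[:space:]]+https://
CHECKS
    return "$missing"
}

# Constructed samples: the HTTP-only block, then a typical post-Certbot shape.
write_samples() {
    cat > "$1/before.conf" <<'EOF'
server {
    listen 80;
    server_name example.com;
    location / { proxy_pass http://localhost:3000/; }
}
EOF
    cat > "$1/after.conf" <<'EOF'
server {
    server_name example.com;
    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
}
server {
    if ($host = example.com) { return 301 https://$host$request_uri; }
    listen 80;
    server_name example.com;
    return 404;
}
EOF
}
demo_dir=$(mktemp -d) && write_samples "$demo_dir"
for f in "$demo_dir/before.conf" "$demo_dir/after.conf"; do
    if audit_tls_block "$f"; then echo "OK: $f"; else echo "FAIL: $f"; fi
done
rm -rf "$demo_dir"
```

If you declined the redirect prompt, the last check will report the redirect as missing even though the certificate is installed correctly.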
Verify HTTPS
Open your domain in a browser using https://. You should see the padlock icon, indicating a valid certificate.
Automatic Renewal
Certbot’s renewal timer runs twice daily. To test the renewal process manually:
sudo certbot renew --dry-run
If the dry run succeeds, your certificates will renew automatically before they expire.
That’s it! Your NGINX server is now securely serving your site over HTTPS with a free Let’s Encrypt certificate that renews automatically. 🎉
Installing and Configuring SSL with Certbot (NGINX)
Prerequisites
- A server running NGINX
- A domain name that points to your server’s IP address
- Root or sudo privileges
Install Certbot
sudo apt update
sudo apt install certbot python3-certbot-nginx
Obtain an SSL Certificate
Run the interactive Certbot command:
sudo certbot --nginx
During the process you will be prompted to:
- Enter your email address (for renewal notifications)
- Agree to the Let’s Encrypt terms of service
- Select the domain(s) you want to secure
- Choose whether to redirect HTTP traffic to HTTPS (recommended)
Once completed, Certbot will:
- Generate an SSL certificate
- Update your NGINX configuration automatically
- Reload NGINX with HTTPS enabled
Verify HTTPS Configuration
After Certbot finishes, open your website in a browser using:
https://YOUR-DOMAIN-NAME
You should now see a secure connection (🔒) in the browser’s address bar.
Automatic Certificate Renewal
Let’s Encrypt certificates are valid for 90 days. Certbot automatically sets up a renewal timer, but you can test it manually:
sudo certbot renew --dry-run
This test confirms that your SSL certificates will renew automatically without service interruption.
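A renewal timer can fail without anyone noticing, so it helps to watch the remaining validity that `certbot certificates` reports, alongside the dry run. The script below is an added example, not from the original article; the sample output, domain names, and the 21-day threshold are assumptions.

```shell
#!/bin/sh
# flag_expiring MIN_DAYS: read `certbot certificates` output on stdin, print
# "NAME DAYS" for every certificate with fewer than MIN_DAYS left (DAYS is -1
# when Certbot reports it as INVALID), and return 1 if anything was flagged.
flag_expiring() {
    awk -v min="$1" '
        /Certificate Name:/ { name = $3 }
        /Expiry Date:/ {
            days = -1
            rest = $0
            # "(VALID: 62 days)" -> 62; "(INVALID: EXPIRED)" does not match.
            if (sub(/.*\(VALID: /, "", rest)) days = rest + 0
            if (days < min) { print name, days; bad = 1 }
        }
        END { exit bad + 0 }
    '
}

# Constructed sample in the layout `certbot certificates` prints
# (names, dates and day counts are made up for this example).
sample_output() {
    cat <<'EOF'
Found the following certs:
  Certificate Name: example.com
    Domains: example.com www.example.com
    Expiry Date: 2030-03-04 10:00:00+00:00 (VALID: 62 days)
    Certificate Path: /etc/letsencrypt/live/example.com/fullchain.pem
  Certificate Name: api.example.com
    Domains: api.example.com
    Expiry Date: 2030-01-13 10:00:00+00:00 (VALID: 12 days)
  Certificate Name: old.example.com
    Domains: old.example.com
    Expiry Date: 2029-12-01 10:00:00+00:00 (INVALID: EXPIRED)
EOF
}

# Real use (e.g. from cron): sudo certbot certificates 2>/dev/null | flag_expiring 21
if sample_output | flag_expiring 21; then
    echo "all certificates have at least 21 days left"
else
    echo "renewal needs attention for the certificates listed above"
fi
```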
