How To Secure Nginx with Let's Encrypt Using Certbot

1. Installing Certbot

sudo apt install certbot python3-certbot-nginx

2. Nginx Configuration

Certbot should to be able to find the correct server block in your Nginx configuration for it to be able to automatically configure SSL for your domain. To achieve this it looks for a server_name directive that matches the domain name for which SSL certificate is requested.

To check, open the configuration file for your domain using vi or your favorite text editor:

sudo nano /etc/nginx/sites-available/yourdomain.com

It should look like this:

...
server_name yourdomain.com www.yourdomain.com;
...

If it doesn’t, update it to match the required configurations. Then save and close the file. Now verify the syntax of your configuration:

sudo nginx -t

If you get an error, reopen the server block file and check for errors on mentioned line number. Now check again for configuration block syntax and reload Nginx to reflect the latest changes:

sudo service nginx reload

3. Obtaining an SSL Certificate

To use this plugin, type the following:

-d to specify the domain names.

sudo certbot --nginx -d yourdomain.com -d www.yourdomain.com

If certbot successfully passed challenge ,it will prompt to configure your HTTPS settings.

Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel):

Select your choice then hit ENTER.

Output
IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/yourdomain.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/yourdomain.com/privkey.pem
   Your cert will expire on 2020-08-18. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot again
   with the "certonly" option. To non-interactively renew *all* of
   your certificates, run "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

5. Verifying Certbot Auto-Renewal

You can check the status of the timer with systemctl:

sudo systemctl status certbot.timer
Output
● certbot.timer - Run certbot twice daily
     Loaded: loaded (/lib/systemd/system/certbot.timer; enabled; vendor preset: enabled)
     Active: active (waiting) since Mon 2023-11-20 20:04:36 UTC; 2 weeks 1 days ago
    Trigger: Thu 2023-11-20 09:22:32 UTC+5; 9h left
   Triggers: ● certbot.service

To verify the renewal process:

sudo certbot renew --dry-run

If you see no errors, you’re good to go. Certbot will renew your certificates and reload Nginx service to reflect latest changes, when required.