In this section, we'll walk through the essential steps of obtaining and installing SSL/TLS certificates to secure your website with Nginx. This process involves acquiring a certificate and then configuring Nginx to use it.
There are several ways to obtain an SSL/TLS certificate. For beginners, using a free certificate authority like Let's Encrypt is highly recommended. They offer automated, short-lived certificates that are ideal for getting started. For production environments requiring longer validity periods or specific validation types, commercial Certificate Authorities (CAs) are also an option.
Let's Encrypt is a popular choice due to its ease of use and cost-effectiveness. The most common method to obtain Let's Encrypt certificates is by using a client tool, such as Certbot. Certbot automates the process of verifying your domain, obtaining the certificate, and even installing it on your web server.
To install Certbot, you'll typically use your operating system's package manager. The exact command will vary depending on your Linux distribution.
```bash
sudo apt update
sudo apt install certbot python3-certbot-nginx
```

Once Certbot is installed, you can use it to obtain and install your SSL certificate. This command will automatically detect your Nginx configuration and set up SSL for your specified domain(s).

```bash
sudo certbot --nginx -d your_domain.com -d www.your_domain.com
```

Certbot will then guide you through a series of prompts, such as whether to redirect HTTP traffic to HTTPS. It's generally recommended to choose the redirect option for better security.
```mermaid
graph TD
    A[Start: Obtain Certificate] --> B{Choose Certificate Authority}
    B --> C["Let's Encrypt (e.g., Certbot)"]
    B --> D[Commercial CA]
    C --> E[Install Certbot Client]
    D --> F["Purchase Certificate & Download Files"]
    E --> G[Run Certbot Command]
    G --> H{Verify Domain Ownership}
    H -- Success --> I[Obtain Certificate Files]
    H -- Failure --> G
    I --> J[Install Certificate on Nginx]
    J --> K[Configure Nginx to Use Certificate]
    K --> L[Test SSL Configuration]
    L -- Success --> M[End: Website Secured]
    L -- Failure --> K
```
After Certbot has completed its task, it will usually modify your Nginx configuration files to point to the newly obtained certificate files. These files typically include a full chain certificate and a private key.
The primary Nginx configuration file for your site (often found in /etc/nginx/sites-available/ and symlinked to /etc/nginx/sites-enabled/) will be updated. You'll see directives like ssl_certificate and ssl_certificate_key pointing to the paths where Certbot has placed your certificate and key.
```nginx
server {
    listen 80;
    server_name your_domain.com www.your_domain.com;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name your_domain.com www.your_domain.com;

    ssl_certificate /etc/letsencrypt/live/your_domain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/your_domain.com/privkey.pem;
    # Other SSL configurations (protocols, ciphers, etc.)

    root /var/www/your_domain;
    index index.html index.htm;

    location / {
        try_files $uri $uri/ =404;
    }
}
```

It's crucial to test your Nginx configuration after making any changes. This prevents Nginx from failing to start due to syntax errors.
```bash
sudo nginx -t
```

If the test is successful, you can reload Nginx to apply the new SSL configuration.

```bash
sudo systemctl reload nginx
```

Let's Encrypt certificates expire every 90 days. Certbot, when installed via package managers, usually sets up a systemd timer or cron job to automatically renew your certificates before they expire. You can test the renewal process with this command:

```bash
sudo certbot renew --dry-run
```

This command simulates the renewal process without actually renewing the certificates. If it completes successfully, your automatic renewal should work correctly.
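`nginx -t` only catches syntax errors; it will happily accept a site that never redirects port 80, listens on 443 without the `ssl` parameter, points `ssl_certificate` at a certificate without its chain, or still allows TLS 1.0/1.1. The following audit is an added example, not code from the page or from Certbot: it parses the two server blocks shown above (the sample config is constructed, and its `ssl_protocols` line is a hypothetical weak setting added so there is something to flag) and reports those gaps.

```python
# Constructed sample (not from the page): the page's two server blocks plus a hypothetical weak ssl_protocols line.
SAMPLE_CONF = """
server {
    listen 80;
    return 301 https://$host$request_uri;
}
server {
    listen 443 ssl;
    ssl_certificate /etc/letsencrypt/live/your_domain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/your_domain.com/privkey.pem;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
}
"""

def parse_server_blocks(conf):
    """Map each top-level server{} block's own directives to their values; nested blocks are skipped."""
    blocks, depth, current = [], 0, None
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()        # strip comments and surrounding whitespace
        if line.endswith("{"):
            if depth == 0:                         # only top-level server{} blocks are collected
                current = {} if line.startswith("server") else None
                blocks += [current] if current is not None else []
            depth += 1
        elif line == "}":
            depth -= 1
        elif line and depth == 1 and current is not None:
            name, _, value = line.rstrip(";").partition(" ")
            current.setdefault(name, []).append(value.strip())
    return blocks

def audit(conf):
    """Return findings about the HTTPS setup; an empty list means every check passed."""
    port = lambda v: v.split()[0].rsplit(":", 1)[-1]   # '[::]:443 ssl' -> '443', '80' -> '80'
    findings, blocks = [], parse_server_blocks(conf)
    if not any(port(v) == "80" for b in blocks for v in b.get("listen", [])
               if any(r.startswith("301 https://") for r in b.get("return", []))):
        findings.append("no port-80 server block redirects to HTTPS")
    for b in blocks:
        if not any(port(v) == "443" for v in b.get("listen", [])):
            continue
        if not any("ssl" in v.split() for v in b.get("listen", [])):
            findings.append("port 443 listen directive lacks the ssl parameter")
        cert = b.get("ssl_certificate", [""])[0]
        if not cert.endswith("fullchain.pem"):
            findings.append(f"ssl_certificate missing or not a full-chain file: {cert!r}")
        for proto in b.get("ssl_protocols", [""])[0].split():
            if proto in ("SSLv3", "TLSv1", "TLSv1.1"):
                findings.append(f"deprecated protocol {proto} enabled in ssl_protocols")
    return findings
```

Run `audit(open("/etc/nginx/sites-available/your_domain").read())` against a real site file; on the sample it flags only the two deprecated protocol versions.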