In this tutorial, we’ll learn how to install Certbot on Ubuntu 24.04 with Nginx to obtain a free SSL certificate and configure it for automatic renewal.
Let’s Encrypt is a Certificate Authority (CA) that makes it easy to obtain and install free TLS/SSL certificates, enabling encrypted HTTPS for web servers. Using its software client, Certbot, the process is largely automated, simplifying the steps required to secure your website. Certbot fully automates obtaining and installing certificates for both Apache and Nginx.
To keep things organized, this tutorial will use a separate Nginx server configuration file rather than modifying the default file. Creating dedicated server block files for each domain helps prevent common errors and keeps the default configuration available as a fallback.
Prerequisites
To complete this tutorial, ensure you have the following:
- An Ubuntu server: You have an Ubuntu server, including a non-root user with sudo privileges and an active firewall.
- A registered domain name:
  - This tutorial uses example.com as an example.
  - You can register a domain through providers like Namecheap, Freenom (for free domains), or any domain registrar of your choice.
- DNS records configured for your server. Ensure the following DNS records are in place:
  - An A record pointing example.com to your server’s public IP address.
  - An A record pointing www.example.com to your server’s public IP address.
- Nginx installed: Follow the How to Install Nginx on Ubuntu guide and ensure a server block is configured for your domain.
  - This tutorial uses /etc/nginx/sites-available/example.com as an example for the server block file.
How to Install Certbot on Ubuntu 24.04 Nginx
Step 1 — Installing Certbot
Certbot recommends using its snap package for installation. Snap packages work on most Linux distributions but require the snapd service to manage them. On Ubuntu, snap support is available by default. Start by ensuring your snapd core is up-to-date:
sudo snap install core; sudo snap refresh core
If you have a previously installed version of Certbot, remove it to avoid conflicts before proceeding:
sudo apt remove certbot
Next, install the Certbot snap package:
sudo snap install --classic certbot
To make Certbot easier to run, link its binary to your system’s PATH so you can use it by typing just certbot. While this step isn’t always necessary, it helps prevent conflicts with other system packages:
sudo ln -s /snap/bin/certbot /usr/bin/certbot
With Certbot installed, you’re ready to proceed and obtain your SSL certificate.
Step 2 — Confirming Nginx’s Configuration
For Certbot to automatically configure SSL, it needs to locate the correct server block in your Nginx configuration. It does this by searching for a server_name directive that matches the domain you’re requesting a certificate for.
If you followed the server block setup instructions from the Nginx installation tutorial, your server block file for the domain should already exist at /etc/nginx/sites-available/example.com, with the server_name directive properly configured.
To confirm, open the server block configuration file using nano or your preferred text editor:
sudo nano /etc/nginx/sites-available/example.com
Locate the server_name line. It should look something like this:
server_name example.com www.example.com;
- If the line is correct, exit the editor and proceed to the next step.
- If it’s missing or incorrect, update it to match the domains for your site. Then save the file, exit the editor, and verify your changes with the following command:
sudo nginx -t
If you encounter an error, reopen the file to check for typos or missing characters. Once the syntax check passes, reload Nginx to apply the changes:
sudo systemctl reload nginx
With Nginx properly configured, Certbot will now be able to find the correct server block and automatically update it.
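The check below is an added example, not part of the original tutorial: it lists which of the domains you plan to pass to Certbot with -d are missing from the server_name directives of a server block file. The function name missing_server_names and the sample file are assumptions made for illustration; names are compared literally, so wildcard and regex server names are not evaluated.

```bash
#!/usr/bin/env bash
# Added example (not from the original tutorial): report which requested
# domains are missing from the server_name directives in an Nginx config file.

# missing_server_names FILE DOMAIN...   (hypothetical helper name)
# Prints each DOMAIN that is not listed literally in any server_name directive.
# Returns 0 when every domain is present, 1 otherwise.
missing_server_names() {
    local conf names missing d
    conf=$1; shift
    missing=0
    # Collect every name from server_name directives, ignoring comments.
    # Assumes each directive sits on a single line, as in this tutorial.
    names=$(awk '
        { sub(/#.*/, "") }
        $1 == "server_name" {
            for (i = 2; i <= NF; i++) {
                n = $i; sub(/;$/, "", n)
                if (n != "") print n
            }
        }' "$conf")
    for d in "$@"; do
        if ! printf '%s\n' "$names" | grep -qxF -- "$d"; then
            printf '%s\n' "$d"
            missing=1
        fi
    done
    return "$missing"
}

# Constructed sample: www.example.com appears only in a commented-out line,
# so Certbot would find no active server block naming it.
sample=$(mktemp)
cat >"$sample" <<'EOF'
server {
    listen 80;
    # server_name example.com www.example.com;
    server_name example.com;
    root /var/www/example.com/html;
}
EOF
missing_server_names "$sample" example.com www.example.com \
    || echo "fix server_name before running certbot"
rm -f "$sample"
```

On a real server, point it at /etc/nginx/sites-available/example.com and pass the same domains you intend to give Certbot.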
Next, let’s adjust the firewall to allow HTTPS traffic.
Step 3 — Allowing HTTPS Through the Firewall
If you have the UFW firewall enabled (as recommended in the prerequisite guides), you’ll need to adjust its settings to allow HTTPS traffic. Fortunately, Nginx automatically registers several profiles with UFW upon installation.
Start by checking the current UFW settings:
sudo ufw status
You’ll likely see output similar to this, which indicates that only HTTP traffic is currently allowed:
Status: active

To                         Action      From
--                         ------      ----
OpenSSH                    ALLOW       Anywhere
Nginx HTTP                 ALLOW       Anywhere
OpenSSH (v6)               ALLOW       Anywhere (v6)
Nginx HTTP (v6)            ALLOW       Anywhere (v6)
To allow HTTPS traffic, enable the Nginx Full profile and remove the redundant Nginx HTTP profile:
sudo ufw allow 'Nginx Full'
sudo ufw delete allow 'Nginx HTTP'
Now, check the updated firewall status:
sudo ufw status
The output should look like this:
Status: active

To                         Action      From
--                         ------      ----
OpenSSH                    ALLOW       Anywhere
Nginx Full                 ALLOW       Anywhere
OpenSSH (v6)               ALLOW       Anywhere (v6)
Nginx Full (v6)            ALLOW       Anywhere (v6)
With HTTPS traffic allowed through the firewall, you’re ready to run Certbot and obtain your certificates.
Step 4 — Obtaining an SSL Certificate
Certbot provides multiple plugins to obtain SSL certificates, and the Nginx plugin automates the process by reconfiguring and reloading Nginx when necessary. To use it, run the following command:
sudo certbot --nginx -d example.com -d www.example.com
This command runs Certbot with the --nginx plugin and uses the -d flag to specify the domains for which the certificate should be valid.
What to Expect
- Email Address: You’ll be prompted to enter your email address and agree to the terms of service.
- Success Message: Once the process completes, you’ll see a message like this:
IMPORTANT NOTES:
- Successfully received certificate.
- Certificate is saved at: /etc/letsencrypt/live/your_domain/fullchain.pem
- Key is saved at: /etc/letsencrypt/live/your_domain/privkey.pem
- This certificate expires on 2022-06-01.
- These files will be updated when the certificate renews.
- Certbot has set up a scheduled task to automatically renew this certificate in the background.
Certbot will also automatically update your Nginx configuration to redirect all HTTP traffic to HTTPS.
Verifying Success
- Check Your Website: Reload your website in a browser. You should see a security indicator, such as a lock icon, confirming that your site is secured.
- SSL Labs Test: Test your server’s configuration using the SSL Labs Server Test. Your server should receive an A grade.
With your certificate installed and working, let’s finish by testing the renewal process.
Step 5 — Verifying Certbot Auto-Renewal
Let’s Encrypt certificates are valid for only 90 days, encouraging users to automate the renewal process. Fortunately, the Certbot package we installed includes a systemd timer that runs twice daily to automatically renew certificates that are within 30 days of expiration.
To check the status of the renewal service and the timer that triggers it, use the following command:
sudo systemctl status snap.certbot.renew.service
You’ll see output similar to this:
○ snap.certbot.renew.service - Service for snap application certbot.renew
     Loaded: loaded (/etc/systemd/system/snap.certbot.renew.service; static)
     Active: inactive (dead)
TriggeredBy: ● snap.certbot.renew.timer
Testing Certificate Renewal
To manually test the renewal process, perform a dry run with Certbot:
sudo certbot renew --dry-run
If the dry run completes without errors, your setup is working correctly. Certbot will automatically renew your certificates when needed and reload Nginx to apply the changes.
If Auto-Renewal Fails
In case the automated renewal process fails, Let’s Encrypt will notify you via the email address you provided during setup. This notification will warn you when your certificate is about to expire, giving you time to troubleshoot and renew it manually if necessary.
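As an independent check on renewal, the script below (an added example, not part of the original tutorial or of Certbot) scans a Certbot live directory and lists every certificate with less time left than a working renewal timer would allow. The function name overdue_certs, the 21-day default threshold, and the throwaway self-signed certificates in the demo are assumptions made for illustration.

```bash
#!/usr/bin/env bash
# Added example (not from the original tutorial): flag certificates under a
# Certbot "live" directory that are closer to expiry than a working timer allows.

# overdue_certs LIVE_DIR [MIN_DAYS]   (hypothetical helper name)
# Prints the lineage name of every fullchain.pem that expires within MIN_DAYS
# or cannot be parsed. MIN_DAYS defaults to 21, an assumed alert threshold
# below the 30-day window in which Certbot renews.
# Returns 1 if any name was printed, 0 otherwise.
overdue_certs() {
    local live min_days pem rc
    live=$1
    min_days=${2:-21}
    rc=0
    for pem in "$live"/*/fullchain.pem; do
        [ -e "$pem" ] || continue          # glob matched nothing
        # -checkend exits non-zero when the cert expires within N seconds.
        if ! openssl x509 -in "$pem" -noout \
                -checkend $((min_days * 86400)) >/dev/null 2>&1; then
            basename "$(dirname "$pem")"
            rc=1
        fi
    done
    return "$rc"
}

# Constructed demo: two throwaway self-signed certificates laid out like
# /etc/letsencrypt/live/<name>/fullchain.pem.
demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT
make_cert() {  # make_cert NAME DAYS_VALID
    mkdir -p "$demo/$1"
    openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=$1" -days "$2" \
        -keyout "$demo/$1/privkey.pem" -out "$demo/$1/fullchain.pem" 2>/dev/null
}
make_cert example.com 90          # freshly issued
make_cert stale.example.com 10    # renewal has been failing
overdue_certs "$demo" || echo "renewal overdue for the names above"
```

Run it as root against /etc/letsencrypt/live, for example from a daily cron job, and alert on a non-zero exit status.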
Your SSL certificate is now fully set up and configured to renew automatically!
Conclusion
In this tutorial, you successfully installed Certbot, obtained SSL certificates for your domain, configured Nginx to use those certificates, and set up automatic certificate renewal to keep your site secure.
For additional information or advanced configuration options, refer to the official Certbot documentation. With HTTPS enabled and automatic renewals in place, your website is now equipped with a robust, secure connection.