October 18, 2016 · Setup Guides Nginx

Nginx + SSL in Ubuntu 14.04 using Letsencrypt and Certbot

In this brief guide, we set up SSL (TLS) for a site running behind Nginx, using certbot-auto in standalone mode to obtain a Let's Encrypt certificate and a cron job to renew it.

Step 1 - Prerequisites

  1. Allow ports 80 and 443 on your firewall. If you, or your provider, have a firewall set up, make sure inbound traffic is allowed on port 443 (HTTPS) and also on port 80, which the standalone validation below and the HTTP-to-HTTPS redirect both need.

  2. Add an 'A' record in your DNS settings. Let's Encrypt validates control of a domain by connecting to the exact hostname you request, so that hostname must have a DNS record pointing at this server's public IP, and the record must have propagated before you run certbot (confirm it with dig or host first). In our case, we are creating a certificate for blog.benjie.me.

Step 2 - Install SSL Certificate

Download and install certbot-auto

cd /usr/local/sbin
sudo wget https://dl.eff.org/certbot-auto
sudo chmod a+x /usr/local/sbin/certbot-auto

Obtain a certificate in standalone mode. certbot-auto starts its own temporary web server to answer the validation challenge and needs port 80 to itself, so Nginx must be stopped for the duration (it also needs root and will call sudo itself if you run it as a normal user):

sudo service nginx stop
certbot-auto certonly --standalone -d blog.benjie.me
sudo service nginx start

Generate a 2048-bit Diffie-Hellman group for the DHE cipher suites (this can take a minute or two):

sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048

Update the site's server block in /etc/nginx/sites-available/... The port-80 block only redirects to HTTPS; the port-443 block terminates TLS and proxies to the application listening on localhost:2368. Check the result with nginx -t before reloading Nginx, since a syntax error here takes the site down.

# Redirect every plain-HTTP request to HTTPS
server {
    listen 80;
    server_name blog.benjie.me;
    return 301 https://$host$request_uri;
}

# HTTPS server
server {
    listen 443 ssl;
    server_name blog.benjie.me;
    ssl_certificate /etc/letsencrypt/live/blog.benjie.me/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/blog.benjie.me/privkey.pem;

    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_dhparam /etc/ssl/certs/dhparam.pem;
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:50m;
    # OCSP stapling; note that Nginx also needs a resolver directive to look up the OCSP responder
    ssl_stapling on;
    ssl_stapling_verify on;
    # HSTS: browsers remember for six months to use HTTPS only for this host
    add_header Strict-Transport-Security max-age=15768000;

    location / {
        proxy_pass http://localhost:2368;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_set_header Host $host;
        proxy_cache_bypass $http_upgrade;
    }
}
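The TLS settings above follow common 2016 guidance but still accept TLS 1.0 and 1.1, and OCSP stapling will not actually work without a resolver. As an added example (not from the original guide), here is a stricter version of the HTTPS server block that uses only directives supported by the nginx 1.4.6 and OpenSSL 1.0.1 shipped with Ubuntu 14.04. The cipher list and the resolver address 8.8.8.8 are choices made here, not taken from the page; substitute your own resolver if you have one.

```nginx
# HTTPS server (hardened variant of the block above; the location block is unchanged)
server {
    listen 443 ssl;
    server_name blog.benjie.me;
    ssl_certificate     /etc/letsencrypt/live/blog.benjie.me/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/blog.benjie.me/privkey.pem;

    # TLS 1.0/1.1 are only needed by very old clients; OpenSSL 1.0.1 speaks TLS 1.2
    ssl_protocols TLSv1.2;
    ssl_prefer_server_ciphers on;
    # Forward-secret AEAD suites only: ECDHE preferred, DHE (via dhparam.pem) as fallback.
    # Let's Encrypt issues RSA certificates, so only the *-RSA-* names are listed.
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384';
    ssl_dhparam /etc/ssl/certs/dhparam.pem;
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:50m;

    # OCSP stapling: Nginx must resolve the responder's hostname and needs the
    # issuer chain (chain.pem is written by certbot next to fullchain.pem) to verify it
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /etc/letsencrypt/live/blog.benjie.me/chain.pem;
    resolver 8.8.8.8 8.8.4.4 valid=300s;   # assumption: replace with your own resolver
    resolver_timeout 5s;

    # HSTS for six months. Add "; includeSubDomains" only once every subdomain of
    # blog.benjie.me is served over HTTPS; otherwise browsers will refuse to load them.
    add_header Strict-Transport-Security "max-age=15768000";

    location / {
        proxy_pass http://localhost:2368;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_set_header Host $host;
        proxy_cache_bypass $http_upgrade;
    }
}
```

After changing the protocol or cipher list, confirm that the clients you care about still connect; a quick check is openssl s_client -connect blog.benjie.me:443 -tls1 from another machine, which should now fail to negotiate.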

Step 3 - Auto Renewal

Test the auto-renew command. It is safe to run at any time, because certbot-auto only renews certificates that are within 30 days of expiry; with a fresh certificate it will simply report that nothing is due. This confirms that certbot-auto can find its configuration, but it does not exercise a real renewal: for that, stop Nginx and run the same command with --dry-run, which performs the whole flow against Let's Encrypt's staging environment.

certbot-auto renew

The output should look like this:

The following certs are not due for renewal yet:
  /etc/letsencrypt/live/blog.benjie.me/fullchain.pem (skipped)
No renewals were attempted.

Setup crontab

sudo crontab -e

Append this at the end of the file. Because standalone mode needs port 80 to itself, a renewal attempt will fail if Nginx is still running at the time; the --pre-hook and --post-hook options stop and start Nginx around the attempt (both hooks run only when a certificate is actually due for renewal), which also makes Nginx pick up the new certificate without a separate reload:

30 2 * * 1 /usr/local/sbin/certbot-auto renew --pre-hook "service nginx stop" --post-hook "service nginx start" >> /var/log/le-renew.log 2>&1
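A renewal that quietly fails every week only becomes visible when the certificate expires. As an added example (not from the original guide), here is the same weekly renewal as a small wrapper script that also checks the certificate on disk afterwards and logs a warning when it is closer to expiry than a successful renewal would leave it. The script name /usr/local/sbin/le-renew.sh, the paths, and the 20-day warning threshold are assumptions; it is meant to run as root from cron, for example as 30 2 * * 1 /usr/local/sbin/le-renew.sh run.

```shell
#!/bin/sh
# le-renew.sh (added example, not part of the original guide)
# Renews Let's Encrypt certificates obtained in standalone mode, then checks
# the certificate on disk so a failed renewal shows up in the log, not as an outage.
# CERTBOT, LIVE_DIR, LOG and WARN_DAYS are assumed paths/values; override them in
# the environment if your layout differs.
set -eu

CERTBOT="${CERTBOT:-/usr/local/sbin/certbot-auto}"
LIVE_DIR="${LIVE_DIR:-/etc/letsencrypt/live/blog.benjie.me}"
LOG="${LOG:-/var/log/le-renew.log}"
# Let's Encrypt certificates last 90 days and certbot renews at 30 days remaining,
# so fewer than WARN_DAYS left after a renew run means renewal is not working.
WARN_DAYS="${WARN_DAYS:-20}"

# Return 0 if the PEM certificate in $1 stays valid for at least $2 more days.
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}

# Print the whole days left until the certificate in $1 expires (about 0 or negative once expired).
cert_days_left() {
    not_after=$(openssl x509 -in "$1" -noout -enddate | cut -d= -f2)
    end=$(date -u -d "$not_after" +%s)   # GNU date, as on Ubuntu
    now=$(date -u +%s)
    echo $(( (end - now) / 86400 ))
}

# Standalone mode needs port 80, so Nginx is stopped around the attempt.
# Both hooks run only when certbot actually tries to renew, so on the usual
# "not due yet" run Nginx is never touched.
renew_certificates() {
    "$CERTBOT" renew --non-interactive \
        --pre-hook  "service nginx stop" \
        --post-hook "service nginx start"
}

main() {
    {
        echo "== $(date -u '+%Y-%m-%dT%H:%M:%SZ') renew run"
        renew_certificates || echo "certbot-auto renew exited with status $?"
        cert="$LIVE_DIR/fullchain.pem"
        # Independent check of what is actually on disk, regardless of what certbot said
        if cert_valid_for_days "$cert" "$WARN_DAYS"; then
            echo "certificate ok: $(cert_days_left "$cert") days left"
        else
            echo "WARNING: $cert expires in $(cert_days_left "$cert") days; renewal is failing"
            exit 1
        fi
    } >>"$LOG" 2>&1
}

# Run only when invoked as "le-renew.sh run", so the functions can be sourced
# and tested without touching certbot or Nginx.
if [ "${1:-}" = "run" ]; then
    main
fi
```

The check deliberately reads fullchain.pem rather than trusting certbot's exit status: certbot-auto can exit 0 while Nginx still serves an old certificate (for instance if the post-hook failed), and openssl x509 -checkend is what the cron log should be judged by. Pair the log with whatever alerting you already have on /var/log; a WARNING line here is the signal that the cron job needs attention well before the 90 days run out.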