How to install free SSL to nginx with let’s encrypt on ubuntu 18.04?

We can secure Nginx web server by installing a free SSL provided by let’s encrypt. On ubuntu 18.04 we can perform the following steps to install free SSL with Nginx web server:

The very first thing we need is to install certbot on ubuntu. The certbot is a client that fetches the free SSL certificate from let’s encrypt. This let’s encrypt is launched by the EFF, Mozilla.

Install certbot on ubuntu

To install certbot on ubuntu we need to SSH to the ubuntu server and do the following:

Add Certbot PPA

$ sudo apt-get update
$ sudo apt-get install software-properties-common
$ sudo add-apt-repository universe
$ sudo add-apt-repository ppa:certbot/certbot
$ sudo apt-get update

Install certbot

$ sudo apt-get install certbot python3-certbot-nginx

Once the certbot client is successfully installed we need to generate the certificate using the certbot command.

Generate an SSL Certificate using certbot client

Let’s consider we have a domain called example.com and we also have www.example.com and we want SSL both the variations of the domain. To generate the SSL with Nginx using certbot client we can run the following command:

$ sudo certbot --nginx -d example.com -d www.example.com

If we are running certbot first time, it will prompt to enter an email address and agree to the terms of service. After doing so, certbot will communicate with the Let’s Encrypt server, then run a challenge to verify that we control the domain.

If the verification is successful, certbot will ask how we like to configure your HTTPS settings:

Output
Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
-------------------------------------------------------------------------------
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
-------------------------------------------------------------------------------
Select the appropriate number [1-2] then [enter] (press 'c' to cancel):

Select the choice and then hit ENTER. If we do not want to manually change the configuration then we can choose option 2 for http redirect to https. The configuration will be updated, and Nginx will reload to pick up the new settings. The certbot will wrap up with a message telling you the process was successful and where the certificates are stored:

Output
IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/your_domain/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/your_domain/privkey.pem
   Your cert will expire on 2018-07-23. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot again
   with the "certonly" option. To non-interactively renew *all* of
   your certificates, run "certbot renew"
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

The certificates are downloaded, installed, and loaded. We now should try loading the website using https:// and check browser’s security indicator.

Happy SSL!