How to add a free SSL Certificate to your website?

Any website that hopes to attract users should serve its domain over SSL/TLS. An SSL/TLS certificate lets the browser verify the identity of your web server and encrypts the connection between the server and the user's browser.
Let's Encrypt is a certificate authority that issues free certificates for your domain, giving your web server much-needed protection. It is the easiest way to secure your Nginx server.
Step 1: Install Certbot
The software named Certbot is an open-source tool for automatically enabling HTTPS using Let’s Encrypt certificates.
To install Certbot, start by opening a terminal window and updating the local package index:
sudo apt update
Then, download and install Certbot and its Nginx plugin by running:
sudo apt install certbot python3-certbot-nginx
Type y to confirm the installation and then hit Enter.
Step 2: Check Nginx Configuration
You should already have a registered domain and an Nginx server block for that domain. As an example, this article uses the domain demo.com. To check that the block is set up correctly, open the Nginx configuration file:
sudo nano /etc/nginx/sites-available/demo.com
Then locate the server_name directive and make sure it is set to your domain name. If you want to cover the domain both with and without the www. prefix, the line should look like this:
server_name demo.com www.demo.com;
Note: If you make any changes to the Nginx configuration file, remember to save the modified file. Then check the configuration syntax with the command sudo nginx -t and reload the service with sudo systemctl reload nginx.
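As an added example that is not part of the original article, the following shell script checks that every domain you intend to pass to certbot (demo.com and www.demo.com here) is declared in a server_name directive of the site's configuration. Certbot's Nginx plugin locates the server block by server_name, so a name missing from that directive is a common reason for a failed issuance. The script writes a constructed sample config to a temporary file; on a real server, point domains_covered at /etc/nginx/sites-available/demo.com instead. The function names are my own.

```shell
#!/bin/sh
# Added example (not from the original article): confirm that every domain you
# will hand to "certbot --nginx -d ..." is declared in a server_name directive.
# Certbot's Nginx plugin finds the server block by server_name, so a name that
# is missing here makes the issuance fail. Function names are assumptions.

# Print the contents of every server_name directive in CONFIG (comments and
# the trailing ';' removed), one directive per line.
server_names() {
    sed -n 's/#.*//; s/^[[:space:]]*server_name[[:space:]]\{1,\}\(.*\);.*/\1/p' "$1"
}

# Return 0 if every DOMAIN argument appears in a server_name directive of
# CONFIG, 1 otherwise (missing names are reported on stderr).
# Usage: domains_covered /etc/nginx/sites-available/demo.com demo.com www.demo.com
domains_covered() {
    cfg=$1; shift
    # flatten to one space-delimited string with sentinel spaces at both ends
    names=" $(server_names "$cfg" | tr '\t\n' '  ') "
    rc=0
    for d in "$@"; do
        case "$names" in
            *" $d "*) ;;
            *) echo "not in server_name: $d" >&2; rc=1 ;;
        esac
    done
    return $rc
}

# Constructed sample config standing in for /etc/nginx/sites-available/demo.com.
SAMPLE_CFG=$(mktemp)
cat > "$SAMPLE_CFG" <<'EOF'
server {
    listen 80;
    listen [::]:80;
    server_name demo.com www.demo.com;   # both names will be requested
    root /var/www/demo.com/html;
}
EOF

domains_covered "$SAMPLE_CFG" demo.com www.demo.com \
    && echo "server_name covers every requested domain"
```

Run it before the certbot command in Step 4: if it reports a name as missing, add that name to server_name (or drop it from the -d arguments) rather than letting Certbot fail halfway through.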
Step 3: Adjust Firewall to Allow HTTPS Traffic
The next step is to modify the firewall so that it allows HTTPS traffic.
If you followed the Nginx installation guide, you have already configured your firewall to allow Nginx HTTP. Because you are adding Let's Encrypt certificates, you now need to allow encrypted traffic as well.
1. To check that your firewall is active and whether it allows HTTPS traffic, run the command:
sudo ufw status
If the status is inactive, enable the firewall with the following command:
sudo ufw enable
The output reports that UFW is active and lists the configured rules. The following example shows that the firewall allows Nginx HTTP traffic, but not HTTPS.
Nginx has the following three profiles you can add as rules:
- Nginx HTTP (opens port 80)
- Nginx HTTPS (opens port 443 — encrypted traffic)
- Nginx Full (opens ports 80 and 443)
To allow encrypted traffic, you can either add the Nginx HTTPS profile or use Nginx Full and delete the existing Nginx HTTP rule:
a) Allow Nginx HTTPS traffic by running the command:
sudo ufw allow 'Nginx HTTPS'
b) Remove the Nginx HTTP rule and use Nginx Full instead (ufw deny would not remove the rule; it would add a deny rule for port 80 ahead of the allow rule, and UFW applies the first matching rule):
sudo ufw delete allow 'Nginx HTTP'
sudo ufw allow 'Nginx Full'
To verify that you have added a rule that allows HTTPS traffic, use the UFW status command.
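The two checks below are an added example, not part of the original article: they read the output of sudo ufw status from standard input and decide whether the firewall is ready for Let's Encrypt. https_allowed confirms that UFW is active and that some rule allows port 443 (Nginx HTTPS, Nginx Full or a plain 443/tcp rule); http_reachable confirms that port 80 is still allowed, because Certbot's HTTP-01 challenge and the HTTP-to-HTTPS redirect both depend on it, and a DENY on Nginx HTTP listed above an ALLOW for Nginx Full would win since UFW uses the first matching rule. The sample status outputs are constructed to match the layout ufw prints; the function names are my own.

```shell
#!/bin/sh
# Added example (not from the original article): decide from "ufw status"
# output whether the firewall will let Let's Encrypt and browsers reach Nginx.
# Both functions parse the text on stdin, so on a real host they run as:
#   sudo ufw status | https_allowed
# Function names are assumptions; the sample outputs below are constructed.

# 0 if UFW is active and a rule allows port 443 (Nginx HTTPS, Nginx Full or 443/tcp).
https_allowed() {
    status=$(cat)
    printf '%s\n' "$status" | grep -q '^Status: active' \
        || { echo "ufw is inactive" >&2; return 1; }
    printf '%s\n' "$status" | grep -Eq '^(Nginx HTTPS|Nginx Full|443(/tcp)?)[[:space:]].*ALLOW' \
        || { echo "no rule allows HTTPS (port 443)" >&2; return 1; }
}

# 0 if port 80 is still reachable. Certbot's HTTP-01 challenge and the
# HTTP->HTTPS redirect need it; UFW applies the first matching rule, so a
# DENY on Nginx HTTP placed above an ALLOW for Nginx Full blocks renewal.
http_reachable() {
    status=$(cat)
    first=$(printf '%s\n' "$status" \
        | grep -E '^(Nginx HTTP|Nginx Full|80(/tcp)?)[[:space:]]' | head -n 1)
    case "$first" in
        *ALLOW*) return 0 ;;
        *) echo "port 80 is not allowed (first matching rule: '${first:-none}')" >&2; return 1 ;;
    esac
}

# Constructed "ufw status" output before Step 3: HTTP allowed, HTTPS not.
BEFORE='Status: active

To                         Action      From
--                         ------      ----
Nginx HTTP                 ALLOW       Anywhere
OpenSSH                    ALLOW       Anywhere'

# Constructed output after replacing Nginx HTTP with Nginx Full.
AFTER='Status: active

To                         Action      From
--                         ------      ----
Nginx Full                 ALLOW       Anywhere
OpenSSH                    ALLOW       Anywhere'

# Constructed output of a misconfiguration: a deny rule for port 80 listed first.
BROKEN='Status: active

To                         Action      From
--                         ------      ----
Nginx HTTP                 DENY        Anywhere
Nginx Full                 ALLOW       Anywhere'

printf '%s\n' "$AFTER" | https_allowed && printf '%s\n' "$AFTER" | http_reachable \
    && echo "firewall allows both port 80 and port 443"
```

Both checks should pass before you run the certbot command in Step 4; if http_reachable fails, list the rules with sudo ufw status numbered and remove the deny rule rather than adding another allow below it.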
Step 4: Obtain the SSL/TLS Certificate
Certbot's Nginx plugin reconfigures Nginx and reloads its configuration whenever that is required. All that is left is to generate the certificates with the Nginx plugin.
1. To do so, run the command:
sudo certbot --nginx -d demo.com -d www.demo.com
2. Certbot prompts you to configure your HTTPS settings: enter your email address and agree to the terms of service to continue.
3. Once the HTTPS configuration is complete, Certbot finishes generating the certificate and reloads Nginx with the new settings.
4. Lastly, the output confirms that the certificate was generated successfully and shows where it is stored on your server.
Step 5: Enable Automatic Certificate Renewal
Let's Encrypt certificates expire after 90 days, so Nginx recommends setting up a cron job that renews them automatically.
1. First, open the crontab file for the current user:
crontab -e
2. Add a cron job that runs the Certbot renew command; it renews the certificate only if it detects that the certificate will expire within 30 days. Schedule it to run daily at a fixed time (06:00 a.m. in this example):
0 6 * * * /usr/bin/certbot renew --quiet
Including the --quiet flag in the cron job, as in the command above, tells Certbot not to print any output when it runs.
3. After adding the cron job, save the changes and exit the file.
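Cron gives no feedback once the file is saved, and a typo in the schedule silently leaves the certificate unrenewed until it expires 90 days later. The script below is an added example, not part of the original article: valid_cron_line checks that a crontab line has five well-formed schedule fields (each a comma-separated list of *, N, N-M, optionally with /step) followed by a command given by absolute path, since cron runs with a minimal PATH. The function name and the regular expression are my own.

```shell
#!/bin/sh
# Added example (not from the original article): sanity-check a crontab line
# before saving it, so a malformed schedule such as "0 6* * *" is caught now
# rather than discovered when the certificate expires. Names are assumptions.

# One schedule field: "*", N, or N-M, each optionally followed by "/step",
# joined by commas.
FIELD_RE='(\*|[0-9]+(-[0-9]+)?)(/[0-9]+)?(,(\*|[0-9]+(-[0-9]+)?)(/[0-9]+)?)*'

# Return 0 if LINE has five valid schedule fields followed by an absolute-path
# command, 1 otherwise (the reason is printed on stderr).
# Usage: valid_cron_line "0 6 * * * /usr/bin/certbot renew --quiet"
valid_cron_line() {
    line=$1
    set -f                               # no glob expansion of '*' while splitting
    set -- $line
    set +f
    if [ $# -lt 6 ]; then
        echo "expected 5 schedule fields and a command, got $# words" >&2
        return 1
    fi
    i=1
    for f in "$1" "$2" "$3" "$4" "$5"; do
        printf '%s\n' "$f" | grep -Eq "^${FIELD_RE}\$" \
            || { echo "schedule field $i is malformed: '$f'" >&2; return 1; }
        i=$((i + 1))
    done
    case "$6" in
        /*) return 0 ;;
        *)  echo "command should be an absolute path, got '$6'" >&2; return 1 ;;
    esac
}

valid_cron_line "0 6 * * * /usr/bin/certbot renew --quiet" && echo "cron line OK"
```

Two practical notes: the job must be able to read the root-owned files under /etc/letsencrypt and reload Nginx, so put it in root's crontab (sudo crontab -e) rather than an unprivileged user's; and sudo certbot renew --dry-run exercises the whole renewal path against Let's Encrypt's staging environment without touching the live certificate, which is the quickest way to confirm the firewall and server_name settings from the earlier steps still hold.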