How to Secure Your Website with Let's Encrypt SSL, Nginx, and Certbot on Ubuntu

Ensuring your website is secure is crucial, especially if it involves sensitive data exchanges or user authentication. Moving from HTTP to HTTPS not only improves the trustworthiness of your website but also ensures it meets the best security standards. Here’s a comprehensive guide to making your site production-ready by enabling HTTPS and fine-tuning your server’s security settings.
Why HTTPS Matters
HTTPS (Hypertext Transfer Protocol Secure) protects data exchanged between users and your website by encrypting communication channels. This prevents attackers from intercepting or tampering with sensitive information. If your site handles login credentials, financial transactions, or personal information, HTTPS is essential.
Step 1: Obtain and Install an SSL/TLS Certificate
To enable HTTPS, you’ll need an SSL/TLS certificate installed on your web server. These certificates can be obtained from a Certificate Authority (CA). For this tutorial, we’ll use Let’s Encrypt, a free, automated CA, to generate the necessary certificate.
Using Certbot for Certificate Installation
Certbot is a simple, user-friendly tool for obtaining and installing SSL certificates. To begin, follow the steps below:
Disable Outdated TLS Versions: Before installing Certbot, it’s a good idea to disable outdated TLS versions on your server. TLS 1.0 and 1.1 are no longer considered secure and should be replaced with TLS 1.2 and 1.3. If you are using Nginx, you can update your configuration by modifying /etc/nginx/nginx.conf.
Replace the following line:
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
With this:
ssl_protocols TLSv1.2 TLSv1.3;
Verify your configuration:
sudo nginx -t
Install Certbot: On Ubuntu Focal (20.04) or later, install Certbot using snap:
sudo snap install --classic certbot
sudo ln -s /snap/bin/certbot /usr/bin/certbot
Consult Certbot’s documentation if you are using other operating systems or web servers.
Step 2: Configure Security Group Rules for HTTPS Access
Before proceeding, ensure your VM’s security group allows HTTP and HTTPS traffic. Let’s Encrypt needs public internet access to validate your domain during the certificate generation process.
Update your inbound security rules to the following:
| Reference | Type | Protocol | Port Range | Source |
|---|---|---|---|---|
| 1 | HTTP | TCP | 80 | 0.0.0.0/0 |
| 2 | HTTPS | TCP | 443 | 0.0.0.0/0 |
| 3 | SSH | TCP | 22 | my-laptop-ip-address/32 |
| 4 | Custom | All | All | security-group-id |
These rules allow HTTP traffic on port 80 and HTTPS traffic on port 443, making your site accessible to the public over a secure connection.
Step 3: Generate and Install the SSL/TLS Certificate
With the proper security group settings in place, you’re ready to install the certificate. Use Certbot with Nginx by running:
sudo certbot --nginx --rsa-key-size 4096 --no-redirect
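The --rsa-key-size 4096 flag generates a certificate with a strong 4096-bit RSA key. On Certbot 2.0 and later, where new certificates default to ECDSA keys, the flag only takes effect when --key-type rsa is also passed.
The --no-redirect option ensures Certbot doesn’t automatically redirect HTTP traffic to HTTPS, as you’ll manually handle redirection later.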
After going through a few prompts, including your email and domain name (e.g., www.example.com,example.com), Certbot will generate your certificate and output the file locations:
Certificate is saved at: /etc/letsencrypt/live/example.com/fullchain.pem
Key is saved at: /etc/letsencrypt/live/example.com/privkey.pem
The certificate will be renewed automatically by Certbot before expiration, ensuring continuous HTTPS coverage.
Step 4: Deploying the SSL Certificate
Certbot will also update your Nginx configuration to include the SSL certificate. Here’s an example of what your Nginx configuration (/etc/nginx/sites-available/your-site) might look like:
server {
    server_name example.com www.example.com;
    listen 80;
    location / {
        proxy_pass http://localhost:8000;
        proxy_set_header Host $host;
    }
    location /static {
        autoindex on;
        alias /var/www/example.com/static/;
    }
    listen 443 ssl;
    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
    include /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
}
Reload Nginx to apply the changes:
sudo systemctl reload nginx
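The ssl_protocols change from Step 1 can be undone by any other file that sets the directive, including the Certbot-managed include in the server block above. The following check is an added example, not part of the original tutorial; the function name audit_ssl_protocols and the sample text are constructed here. It reads configuration text such as the output of `sudo nginx -T` and reports every ssl_protocols directive that still enables SSLv2, SSLv3, TLS 1.0 or TLS 1.1.

```bash
#!/usr/bin/env bash
# Added example. Real use:  sudo nginx -T 2>/dev/null | audit_ssl_protocols
# Exit status: 0 = only modern protocols, 1 = weak protocol enabled,
#              2 = no ssl_protocols directive found at all.

audit_ssl_protocols() {
    awk '
        # nginx -T prints a header line before each included file
        /^# configuration file / { file = $4; sub(/:$/, "", file) }
        {
            line = $0
            sub(/#.*/, "", line)                        # ignore comments
            if (line !~ /(^|[ \t;{])ssl_protocols[ \t]/) next
            seen = 1
            sub(/.*ssl_protocols[ \t]+/, "", line)      # keep only the values
            sub(/;.*/, "", line)
            n = split(line, proto, /[ \t]+/)
            for (i = 1; i <= n; i++)
                if (proto[i] == "SSLv2" || proto[i] == "SSLv3" ||
                    proto[i] == "TLSv1" || proto[i] == "TLSv1.1") {
                    printf "WEAK %s: %s\n", (file ? file : "stdin"), $0
                    bad = 1
                    break
                }
        }
        END {
            if (!seen) { print "NOTE no ssl_protocols directive found"; exit 2 }
            exit (bad ? 1 : 0)
        }
    '
}

# Constructed sample in the layout printed by `nginx -T` (not real output):
# nginx.conf was left unedited, the Certbot include is already modern.
SAMPLE_NGINX_T='# configuration file /etc/nginx/nginx.conf:
http {
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;  # not yet edited
}
# configuration file /etc/letsencrypt/options-ssl-nginx.conf:
ssl_protocols TLSv1.2 TLSv1.3;'

printf '%s\n' "$SAMPLE_NGINX_T" | audit_ssl_protocols \
    || echo "audit exit status: $?"
```

The check matches on configuration text only; it does not model which directive nginx finally applies to a given server block, so treat every reported line as one to fix.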
Step 5: Finalize Security Rules for HTTPS
Now that your certificate is installed and Nginx is configured, ensure that your security rules allow HTTPS traffic. You’ll need to allow inbound traffic on port 443:
| Reference | Type | Protocol | Port Range | Source |
|---|---|---|---|---|
| 1 | HTTPS | TCP | 443 | 0.0.0.0/0 |
| 2 | HTTP | TCP | 80 | 0.0.0.0/0 |
| 3 | SSH | TCP | 22 | my-laptop-ip-address/32 |
These rules enable secure access to your site via HTTPS, while also maintaining access over HTTP for now.
Step 6: Verify HTTPS Functionality
Visit your website using HTTPS (e.g., https://www.example.com/yourapp/). If everything is set up correctly, you should see the secure padlock symbol in your browser, indicating that your site is being served over HTTPS.
If you're using Firefox, clicking on the padlock icon will display detailed information about the certificate, giving you peace of mind that your connection is secure.
Conclusion: Securing Your Site with HTTPS
You’ve successfully enabled HTTPS on your website, providing a more secure experience for your users. However, your site is still accessible over HTTP. The next step is to set up automatic HTTP-to-HTTPS redirects, ensuring all traffic is securely encrypted by default.
With HTTPS in place, you're one step closer to creating a production-ready, secure website that protects user data and inspires trust.





