
How to Secure Nginx with Let’s Encrypt on Ubuntu 20.04?


Let’s Encrypt is a Certificate Authority (CA) that provides SSL/TLS certificates. These certificates enable encrypted connections between the web server and the browser. Certbot is a software client that automates obtaining certificates and configuring web servers to use them. Currently, the process is fully automated on both Apache and Nginx web servers.

In this guide, we explain the process of securing an SSL certificate for your Nginx on Ubuntu 20.04 by installing Certbot.

Before you begin, make sure the following prerequisites are in place for a hassle-free configuration.


  • Ubuntu 20.04 server. It must include sudo-enabled non-root users and a firewall.
  • Registered domain name. If not done yet, MilesWeb provides the relevant domains like .com, .net, .in and many more.
  • Set up both the DNS records for your server.
  • There should be a DNS “A” record with the site pointing to your server’s public IP address.
  • A record pointing to the public IP address of your server with
  • Get Nginx installed and a server block for your domain.

Steps to Secure Nginx with Let’s Encrypt on Ubuntu 20.04

1. Installing Certbot

Obtaining an SSL certificate with Let’s Encrypt requires installing the Certbot software on the server.

Install Certbot together with its Nginx plugin as follows:

sudo apt install certbot python3-certbot-nginx

Certbot is now ready for use, but we need to verify some Nginx configurations before it automatically configures SSL for Nginx.

2. Confirming Nginx’s Configuration

For Certbot to be able to automatically configure SSL, it needs to be able to locate the correct server block in Nginx configuration. This works by searching for a ‘server_name’ directive that corresponds to the domain for which you are requesting a certificate.

If you followed the Nginx installation tutorial, you should already have a server block for the domain at /etc/nginx/sites-available/ with the server_name directive set appropriately.

In nano or any text editor, open the configuration file for the domain:

sudo nano /etc/nginx/sites-available/

Check to see if there is a server_name line already present. The format should be as follows:

server_name; ...

Continue to the next step if it does.

If it doesn’t, update it. After saving the file and quitting the editor, verify the syntax of your configuration edits:

sudo nginx -t

If you get an error, reopen the server block file and check it for typos. Once the syntax is correct, reload Nginx to load the new configuration with the following command:

sudo systemctl reload nginx

Certbot can now find and update the correct server block.
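The server_name lookup that Certbot relies on in this step can be checked with a script before a certificate is requested. The following is an added example, not part of the original guide or of Certbot itself; the domains and the sample server block are constructed placeholders.

```sh
#!/bin/sh
# Added example: pre-flight check to run before "certbot --nginx".
# example.com, www.example.com and api.example.com are placeholder domains.

# has_server_name FILE DOMAIN: succeed if an active (uncommented)
# server_name directive in FILE lists DOMAIN exactly.
has_server_name() {
    awk -v want="$2" '
        { sub(/#.*/, "") }                      # ignore comments
        {
            for (i = 1; i <= NF; i++) {
                tok = $i
                if (!in_dir) { if (tok == "server_name") in_dir = 1; continue }
                last = sub(/;$/, "", tok)       # ";" ends the directive
                if (tolower(tok) == tolower(want)) found = 1
                if (last) in_dir = 0
            }
        }
        END { exit !found }
    ' "$1"
}

# missing_server_names FILE DOMAIN...: print each DOMAIN that no
# server_name directive covers; fail if any are missing.
missing_server_names() {
    conf=$1; shift
    rc=0
    for d in "$@"; do
        has_server_name "$conf" "$d" || { printf '%s\n' "$d"; rc=1; }
    done
    return $rc
}

# Constructed sample server block (not taken from the guide).
demo_conf=$(mktemp)
cat > "$demo_conf" <<'EOF'
server {
    listen 80;
    # server_name old.example.com;
    server_name example.com
                www.example.com;
    root /var/www/example.com/html;
}
EOF

missing=$(missing_server_names "$demo_conf" example.com www.example.com api.example.com) ||
    echo "add to server_name before requesting a certificate: $missing"
rm -f "$demo_conf"
```

Pass the same domains you intend to give certbot with -d; a commented-out or partially matching name does not count as a match.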

Next, update the firewall settings to allow HTTPS traffic.

3. Allowing HTTPS Through the Firewall

Next, adjust the firewall settings to allow HTTPS traffic. Before that, make sure the ufw firewall is enabled, as recommended in the prerequisites for a hassle-free installation process. When Nginx is installed, it automatically registers a few profiles with ufw.

Check out the current setting by entering the following command in the terminal.

sudo ufw status

The output will look like this when only HTTP traffic is allowed to the web server:


Status: active

To                         Action      From
--                         ------      ----
OpenSSH                    ALLOW       Anywhere
Nginx HTTP                 ALLOW       Anywhere
OpenSSH (v6)               ALLOW       Anywhere (v6)
Nginx HTTP (v6)            ALLOW       Anywhere (v6)

In order to allow HTTPS traffic, allow the Nginx Full profile and delete the redundant Nginx HTTP profile:

sudo ufw allow 'Nginx Full'
sudo ufw delete allow 'Nginx HTTP'

Enter this command to check the final status:

sudo ufw status

The final output.

Status: active

To                         Action      From
--                         ------      ----
OpenSSH                    ALLOW       Anywhere
Nginx Full                 ALLOW       Anywhere
OpenSSH (v6)               ALLOW       Anywhere (v6)
Nginx Full (v6)            ALLOW       Anywhere (v6)

Next, fetch SSL certificates by running Certbot.

4. Get an SSL Certificate

Certbot offers several plugins for obtaining SSL certificates. The Nginx plugin takes care of reconfiguring Nginx and reloading the configuration when required. Run the following command to use the plugin:

sudo certbot --nginx -d -d

This runs certbot with the --nginx plugin, using -d to specify the domain names for which the certificate should be valid.

Your first time using certbot will require you to enter your email address and agree to the terms of service. Certbot will then communicate with the Let’s Encrypt server, and run a challenge to verify that you control the domain you’re requesting a certificate for.

You’ll be prompted to configure your HTTPS settings if that’s successful.


Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel):

Select your choice, then hit ENTER. The configuration will be updated, and Nginx will reload to pick up the new settings. Certbot then finishes with a message confirming that the installation was successful.



 - Congratulations! Your certificate and chain have been saved at:

   Your key file has been saved at:

   Your cert will expire on 2020-08-18. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot again
   with the "certonly" option. To non-interactively renew *all* of
   your certificates, run "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:
   Donating to EFF:

Your certificates are now downloaded and loaded. Reload your website using https:// and check the browser’s security indicator; it should show the lock icon. The job is not done yet, though: Let’s Encrypt certificates are valid for only 90 days, so setting up the renewal process is mandatory.

5. Auto Renewal of Certificates

Certbot encourages users to automate their certificate renewal process. Use certbot to do a dry run of the renewal process.

sudo certbot renew --dry-run

All you need to do is check the output for errors. Whenever necessary, Certbot will renew your certificates and reload Nginx. If the automated renewal process ever fails, Let’s Encrypt will send you an email warning about your certificate’s expiry.
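To notice a failed renewal without waiting for the warning email, the time left on the installed certificate can be checked independently of Certbot. This is an added example, not from the original guide; it assumes GNU date and openssl as shipped with Ubuntu, uses example.com as a placeholder domain, and treats 30 days as the window in which certbot renew attempts renewal by default.

```sh
#!/bin/sh
# Added example: classify a certificate by the time left until it expires.
# Assumes GNU date (as on Ubuntu) to parse openssl's date format.

RENEW_WINDOW_DAYS=30   # assumed default window in which "certbot renew" acts

# cert_not_after FILE: print the expiry, e.g. "Aug 18 00:00:00 2020 GMT"
cert_not_after() {
    openssl x509 -noout -enddate -in "$1" | sed 's/^notAfter=//'
}

# seconds_left NOT_AFTER [NOW_EPOCH]: seconds until expiry (negative if past)
seconds_left() {
    expiry=$(date -u -d "$1" +%s) || return 2
    now=${2:-$(date -u +%s)}
    echo $((expiry - now))
}

# renewal_state NOT_AFTER [NOW_EPOCH]: print "expired", "renew-due N" or "ok N",
# where N is the number of whole days left.
renewal_state() {
    secs=$(seconds_left "$1" "$2") || return 2
    days=$((secs / 86400))
    if [ "$secs" -le 0 ]; then
        echo "expired"
    elif [ "$days" -lt "$RENEW_WINDOW_DAYS" ]; then
        echo "renew-due $days"
    else
        echo "ok $days"
    fi
}

# Typical use on the server (example.com is a placeholder domain):
#   renewal_state "$(cert_not_after /etc/letsencrypt/live/example.com/cert.pem)"

# Constructed demo: the expiry date from the sample Certbot message above
# (time of day assumed), evaluated on three different days.
for day in 2020-07-01 2020-08-01 2020-08-19; do
    printf '%s: %s\n' "$day" \
        "$(renewal_state "Aug 18 00:00:00 2020 GMT" "$(date -u -d "$day" +%s)")"
done
```

A certificate that stays in the renew-due state for several days in a row means the scheduled renewal is not succeeding and the Certbot logs need a look.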

Key Takeaways

In this guide, you learned to set up the Let’s Encrypt client Certbot, acquire SSL certificates for your domain, adjust Nginx settings to use these certificates, and arrange for automatic certificate renewals. For further information, kindly connect with our technical engineers.
