NGINX installation (with Let’s Encrypt)
This article will help you set up an NGINX server. It will also cover how to set up SSL certificates using Let’s Encrypt, and how to automagically renew them.
Prerequisites
NGINX is a lightweight web server, so it is able to run on very few resources (quora.com). However, depending on your needs you might need more resources. For my server, I used the following resources:
- 1 CPU
- 512 MB of Memory
Additionally, you will have to open port 80 (TCP) and port 443 (TCP) for HTTP and HTTPS traffic.
For future reference, the NGINX changelog can be found at nginx.org.
Installation
To install NGINX, simply run apt-get install nginx. After installation, the default NGINX webpage can be found at the server’s IP address.
Adding a configuration to NGINX
To add a configuration to NGINX, start by adding your website file (YOUR_SITE.conf) to /etc/nginx/sites-available. A simple configuration is shown below, but be aware that it might be more complex for your situation.
server {
    listen 80;
    listen [::]:80;
    server_name example.com;
    access_log /var/log/nginx/example-access.log;
    error_log /var/log/nginx/example-error.log;
    root /var/www/example.com;
    index index.html;
    location / {
        try_files $uri $uri/ =404;
    }
}
To enable your site, create a symbolic link in /etc/nginx/sites-enabled using:
ln -s /etc/nginx/sites-available/YOUR_SITE.conf /etc/nginx/sites-enabled/YOUR_SITE.conf
To validate the configuration, run nginx -t.
If the configuration is OK, NGINX can be reloaded with nginx -s reload.
Adding SSL certificates with Let’s Encrypt
To be able to add SSL certificates from Let’s Encrypt, the certbot package must be installed. Do this by running apt-get install python3-certbot-nginx.
To secure your web server, run certbot --nginx. It will prompt you for an email address for renewal and security notices; either fill in your email address or enter c. Next, read and accept the terms of service. It will then ask whether you want to share your information with the Electronic Frontier Foundation; choose whether you want to share or not. Finally, it will show your domain names; choose the one you want to secure. Certbot will secure this domain for you.
The SSL certificate will expire. To update the certificate you can run certbot renew. However, we don’t want to run that command by hand every 3 months or so. Therefore, you can add a cron job; to do that, run crontab -e. Select your preferred editor and add the following to the file:
# Update the SSL certificates once a month
0 0 1 * * /usr/bin/certbot renew --quiet
Make sure that you verify the timing and the command thoroughly since testing a cron job is rather difficult.
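One way to check the timing without waiting for cron, as an added example that is not part of the original article: it replays a schedule against a certificate's expiry date and reports the first run at which certbot would actually renew. It assumes certbot's default behaviour of renewing only when fewer than 30 days remain and a server clock in UTC; the function names and the notAfter lines are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

# Assumption: certbot renews only when less than 30 days of validity remain.
RENEW_WINDOW = timedelta(days=30)

def parse_not_after(line):
    """Parse the 'notAfter=...' line printed by `openssl x509 -enddate -noout`."""
    value = line.strip().split("=", 1)[1]
    parsed = datetime.strptime(value, "%b %d %H:%M:%S %Y %Z")
    return parsed.replace(tzinfo=timezone.utc)

def monthly_runs(start, end):
    """Yield the run times of `0 0 1 * *` (00:00 on the 1st) in [start, end]."""
    year, month = start.year, start.month
    while True:
        run = datetime(year, month, 1, tzinfo=timezone.utc)
        if run > end:
            return
        if run >= start:
            yield run
        year, month = (year + 1, 1) if month == 12 else (year, month + 1)

def interval_runs(start, end, step):
    """Yield run times every `step` from start to end (e.g. twice a day)."""
    run = start
    while run <= end:
        yield run
        run += step

def first_renewing_run(not_after, runs):
    """Return the first run that renews, or None if the certificate expires first."""
    for run in runs:
        if run >= not_after:
            return None          # certificate already expired at this run
        if not_after - run < RENEW_WINDOW:
            return run           # inside the renewal window: certbot renews
    return None

if __name__ == "__main__":
    start = datetime(2024, 12, 1, tzinfo=timezone.utc)
    end = datetime(2025, 4, 1, tzinfo=timezone.utc)
    # Constructed sample: expiry falls 30 days and 30 minutes after the 1 Jan run.
    cert = parse_not_after("notAfter=Jan 31 00:30:00 2025 GMT")
    print("monthly:    ", first_renewing_run(cert, monthly_runs(start, end)))
    print("twice daily:", first_renewing_run(
        cert, interval_runs(start, end, timedelta(hours=12))))
```

For the constructed certificate the monthly schedule never renews, because a 31-day month leaves a gap longer than the 30-day renewal window, while a twice-daily schedule renews on 1 January at 12:00.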
Deleting SSL certificates with Let’s Encrypt
In case you want to delete a certificate which is no longer valid, you can use certbot delete --cert-name __CERT_NAME__. To view your certificates, either run certbot certificates or certbot renew.
Sources
- Complete Guide to NGINX Configuration (linode.com)
- Controlling NGINX Processes at Runtime (docs.nginx.com)
- HTTPS support for GitLab behind proxy [duplicate] (serverfault.com)
- Update: Using Free Let’s Encrypt SSL/TLS Certificates with NGINX (nginx.com)
- How to stop renewing a letsencrypt/certbot certificate? (stackoverflow.com)
2 Responses
I admire how you clarify complex concepts into digestible pieces of knowledge. Impressive work!
I am always on the lookout for top-notch blogs and this is definitely one of them.