In the last lesson we looked at how to add a domain to our server. In this lesson we're going to look at how to secure Nginx on our server by setting up SSL.

We're going to use Let's Encrypt, a Certificate Authority (CA) that provides an easy way to obtain and install free TLS/SSL certificates. We'll install a software client called certbot, an easy-to-use client that fetches a certificate from Let's Encrypt (an open certificate authority launched by the EFF, Mozilla, and others) and deploys it to a web server.

Alright, let's head over to our terminal window where we're logged in to our remote server. The first thing we need to do is install the certbot package. Since the package is not available in the official Ubuntu repository, we need to add the ppa:certbot/certbot apt repository as follows.

sudo add-apt-repository ppa:certbot/certbot

You will get a confirmation message to add the package. Just hit Enter to proceed.

Once it is added, we can install the package by typing this command.

sudo apt install python-certbot-nginx

You will get another confirmation about the certbot installation. Answer y to continue.

Now, before we set up SSL with certbot, we need to allow Nginx to communicate over HTTPS. If we look at our firewall status, we'll find it only allows Nginx HTTP.

In this case we can modify the rule in one of two ways:

  1. Allow 'Nginx HTTPS', which allows Nginx to communicate over HTTPS only, or

  2. Allow 'Nginx Full', which allows Nginx to communicate over both HTTP and HTTPS.

In my case I'll modify the rule to allow Nginx Full and remove Nginx HTTP.

sudo ufw allow 'Nginx Full'
sudo ufw delete allow 'Nginx HTTP'

Now if we check the ufw status, we'll see the rule has been changed.
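
As an added example (not part of the original lesson), this shell function checks `ufw status` output for the end state described above: HTTPS allowed and no leftover Nginx HTTP rule. The function name and both sample status texts are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit `ufw status` text for the end state this lesson sets up.
# Reads the status output on stdin and prints one finding per line.
# Returns 0 only when HTTPS is allowed and no leftover Nginx HTTP rule exists.
audit_ufw_nginx() {
    # ufw separates its To / Action / From columns with runs of 2+ spaces.
    awk -F '  +' '
        /^Status:/ { active = ($0 ~ /^Status: active/) }
        $2 ~ /^ALLOW/ {
            profile = $1
            sub(/ \(v6\)$/, "", profile)   # fold IPv6 rows into the same profile
            seen[profile] = 1
        }
        END {
            rc = 0
            if (!active) { print "FAIL: ufw is not active"; rc = 1 }
            if (!("Nginx Full" in seen) && !("Nginx HTTPS" in seen)) {
                print "FAIL: no rule allows HTTPS (Nginx Full or Nginx HTTPS)"; rc = 1
            }
            if (("Nginx HTTP" in seen) && ("Nginx Full" in seen)) {
                print "WARN: Nginx HTTP is redundant next to Nginx Full"; rc = 1
            }
            if (rc == 0) print "OK: HTTPS allowed, no leftover Nginx HTTP rule"
            exit rc
        }'
}

# Constructed sample outputs (not captured from the author's server).
SAMPLE_BEFORE='Status: active

To                         Action      From
--                         ------      ----
OpenSSH                    ALLOW       Anywhere
Nginx HTTP                 ALLOW       Anywhere
Nginx HTTP (v6)            ALLOW       Anywhere (v6)'

SAMPLE_AFTER='Status: active

To                         Action      From
--                         ------      ----
OpenSSH                    ALLOW       Anywhere
Nginx Full                 ALLOW       Anywhere
Nginx Full (v6)            ALLOW       Anywhere (v6)'

printf '%s\n' "$SAMPLE_BEFORE" | audit_ufw_nginx || true   # prints the FAIL line
printf '%s\n' "$SAMPLE_AFTER"  | audit_ufw_nginx || true   # prints the OK line
```

On the server, pipe the real output into it with `sudo ufw status | audit_ufw_nginx`.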

With Nginx Full allowed, we can now set up SSL on our server using certbot. Let's generate the SSL certificate by running this command.

sudo certbot --nginx

You will then get a prompt to enter your email. Just enter your email address and hit Enter to continue.

Enter email address (used for urgent renewal and security notices) (Enter 'c' to
cancel):

Next, you will get another prompt to accept the user agreement. Just hit A, then hit Enter to accept the agreement.

Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server at
https://acme-v02.api.letsencrypt.org/directory
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(A)gree/(C)ancel: A

Next, you will get another prompt to share your email. In this case you can answer N.

Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about our work
encrypting the web, EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: N

The next prompt asks which names you would like to activate HTTPS for. This prompt might appear when you have entered more than one name in server_name in the Nginx configuration. In my case I'll leave it blank and hit Enter to select all options.

Which names would you like to activate HTTPS for?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: laraveldemo.site
2: www.laraveldemo.site
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel):

Last, you will get a prompt asking you to choose whether or not to redirect HTTP traffic to HTTPS. Choose 1 to not redirect or 2 to redirect. In my case I'll choose option number 2.

Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2

Certbot will update the Nginx configuration and tell Nginx to reload it to pick up the new settings. It will also tell you that the process was successful and where your certificates are stored.

Now if you refresh your site, you'll see in your browser's address bar that it is now using https instead of http.

Congratulations! You now have SSL set up on your server. Note that Let's Encrypt certificates are only valid for ninety days. But don't worry, because certbot takes care of this for us by adding a renewal script that runs automatically twice a day.

You can optionally test the renewal process by running this command.

sudo certbot renew --dry-run