How to Install Free SSL Certificate for Nginx on Debian 10

When setting up a website, one of the key considerations that you should have in mind is your site’s security. An SSL certificate is a digital certificate that encrypts data that is sent from a user’s browser to a web server. This way, data sent is confidential and safe from hackers who use packet sniffers like Wireshark to intercept and eavesdrop on your communication.

An encrypted site have a padlock symbol in the URL bar followed by the acronym https as shown in the following screenshot.

Check SSL Certificate on Website

Check SSL Certificate on Website

An unencrypted site usually has a “Not Secure” notification at the URL bar.

Prerequisites

Before we begin, ensure the following requirements have been satisfied:

  1. A running instance of Debian 10 Minimal Server.
  2. A running instance of Nginx Web Server with Domain Setup on Debian 10.
  3. A registered Fully Qualified Domain Name (FQDN) with the A record pointing to the IP address of the Debian 10 on your Domain Provider.

For this tutorial, we have tecmint.com pointed to the IP address 192.168.0.104.

In this article, we examine how you can install Let’s Encrypt SSL on Debian 10 to obtain a Free SSL Certificate for Nginx hosted site.

What is Let’s Encrypt SSL

Let’s Encrypt SSL is a free certificate from EFF (Electronic Frontier Foundation) that is valid for 3 months and auto renews upon expiry. It’s an easy and cheap way to encrypt your site if your pockets are tight.

Without much further ado, let’s dive in and install Let’s Encrypt on Nginx web server:

Step 1: Install Certbot in Debian 10

To start off we need to install Certbot – is a software that fetches the Let’s encrypt digital certificate and later deploys it on a web server. To accomplish this, we need to install the python3-certbot-nginx package. But before we do so, let’s first update the system packages.

$ sudo apt update
Update Debian System Packages

Update Debian System Packages

The next step is to install the dependencies required by python3-certbot-nginx package.

$ sudo apt install python3-acme python3-certbot python3-mock python3-openssl python3-pkg-resources python3-pyparsing python3-zope.interface

Now let’s install the python3-certbot-nginx package.

$ sudo apt install python3-certbot-nginx
Install Certbot on Debian

Install Certbot on Debian

Step 2. Verifying Nginx Server Block Configuration

For certbot to automatically deploy Let’s encrypt SSL certificate on Nginx web server, a server block needs to be configured. We covered configuration of Nginx server blocks on the last section of the previous article.

If you followed keenly, you should have a server block at /etc/nginx/sites-available/some_domain. In our case, the Nginx server block will be

/etc/nginx/sites-available/tecmint.com

In addition , ensure the server_name directive corresponds to your domain name.

server_name tecmint.com www.tecmint.com;

To confirm all Nginx configurations are in order, run:

$ sudo nginx -t
Check Nginx Configuration

Check Nginx Configuration

The output above indicates that all is well.

Step 3: Configure the Firewall to Open HTTPS Port

In case you have ufw configured and enabled, as is always recommended, we need to allow the HTTPS protocol across the firewall so that the web server is accessible to everyone.

$ sudo ufw allow 'Nginx Full'

Next, reload the firewall to effect the changes.

$ sudo ufw reload
Open Nginx Ports on UFW

Open Nginx Ports on UFW

To verify that we have allowed the protocol through the firewall.

$ sudo ufw status
Verify UFW Status

Verify UFW Status

Step 4: Deploying Let’s Encrypt SSL Certificate for Domain

With all the settings and configurations in check, it’s time to fetch and deploy Let’s Encrypt SSL certificate on domain site.

$ sudo certbot --nginx -d domain-name  -d www.domain-name.com 

In our case, we shall have

$ sudo certbot --nginx -d tecmint.com -d www.tecmint.com

In the first step, you will be prompted to Enter your email address. Type your address and hit Enter.

Add Email to Let's Encrypt

Add Email to Let’s Encrypt

Next, you will be asked to agree the terms of service. Type A to proceed.

Accept License Agreements

Accept License Agreements

Certbot will proceed to ask for your consent in using your email to send you notifications about latest developments in EFF. Here, you can choose to opt in or opt out, to opt in , type Y (Yes) and hit Enter. To decline participation hit N (No).

Share Email with EFF

Share Email with EFF

Certbot will then contact Let’s encrypt, download the SSL certificate and deploy it to the Nginx server block that you already created.

Install SSL Certificate on Nginx Domain

Install SSL Certificate on Nginx Domain

In the next section,  Type 2 to redirect the usual HTTP traffic to HTTPS.

Redirect HTTP to HTTPS on Domain

Redirect HTTP to HTTPS on Domain

The certificate will be deployed to your Nginx Server and you will receive a congratulatory notification to confirm that your web server is now encrypted using Let’s Encrypt SSL.

Enabled Let's Encrypt SSL Certificate on Domain

Enabled Let’s Encrypt SSL Certificate on Domain

Step 5: Verify HTTPS on Nginx Website

To verify the changes via a web browser, refresh your browser tab and be sure to notice the padlock symbol.

Check SSL Certificate on Website

Check SSL Certificate on Website

Click on the padlock icon and select ‘Certificate’ option to view SSL certificate details.

Verify HTTPS on Website

Verify HTTPS on Website

All the certificate details will be displayed.

Check SSL Certificate Issuer

Check SSL Certificate Issuer

You can further verify the status of your web server by testing your site’s URL at https://www.ssllabs.com/ssltest/. If  the web server is encrypted using an SSL certificate, you will get an A score as shown.

Test SSL Certificate of Website

Test SSL Certificate of Website

Conclusion

We have come to the end of this tutorial. In guide, you learnt how to install a free SSL certificate for Nginx on Debian 10.

Best Affordable Linux and WordPress Services For Your Business
Outsource Your Linux and WordPress Project and Get it Promptly Completed Remotely and Delivered Online.

If You Appreciate What We Do Here On TecMint, You Should Consider:

  1. Stay Connected to: Twitter | Facebook | Google Plus
  2. Subscribe to our email updates: Sign Up Now
  3. Get your own self-hosted blog with a Free Domain at ($3.45/month).
  4. Become a Supporter - Make a contribution via PayPal
  5. Support us by purchasing our premium books in PDF format.
  6. Support us by taking our online Linux courses

We are thankful for your never ending support.

James Kiarie

This is James, a certified Linux administrator and a tech enthusiast who loves keeping in touch with emerging trends in the tech world. When I'm not running commands on the terminal, I'm taking listening to some cool music. taking a casual stroll or watching a nice movie.

Your name can also be listed here. Got a tip? Submit it here to become an TecMint author.

RedHat RHCE and RHCSA Certification Book
Linux Foundation LFCS and LFCE Certification Preparation Guide

You may also like...

5 Responses

  1. Alexey says:

    Thanks a lot for the article.

    How to upgrade automatically certificate every three months on the schedule? How to write correctly a script?

  2. Shavkat says:

    Great article. Just a simple typo here “The certificate will be deployed to your Nginx Server and you will receive a congratulatory notification to confirm that your web server is not encrypted using Let’s Encrypt SSL.” should be ‘web server is NOW encrypted’.

Got something to say? Join the discussion.

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.