Requirements
You need an Ubuntu 22.04 server with SSH access, a registered domain name pointed to your server's IP, and basic knowledge of how to use a Linux console and execute commands on the Ubuntu server. The whole installation will take around 30 minutes.
Step 1 - Install LetsEncrypt
Before installing new software, you should always update the package list so that your software is up to date.
shell
sudo apt-get update
Add software repository Ubuntu 22.04
shell
sudo apt-get install software-properties-common
sudo add-apt-repository ppa:certbot/certbot
sudo apt-get update
Installation
For now, everything is ready to install LetsEncrypt on your server:
shell
sudo apt-get install lets-encrypt
This command will install the lets-encrypt dummy package, which includes certbot and other utilities for SSL installation.
Step 2 - Configure NginX for Let's Encrypt SSL
In my configuration examples, I will use the following domain name 'ssl.itsyndicate.org'. Do not forget to change it for your needs when you do a copy-paste. Now it's time for a small life hack that will show you how to optimize the process of adding new certificates to your server.
We will use the Nginx default config to catch all non-secure (non-SSL) requests that reach our server on port 80.
shell
server {
    listen 80 default_server;
    server_name _;
    # Serve ACME HTTP-01 challenge files for every domain from one shared webroot
    location ~ /\.well-known/acme-challenge/ {
        allow all;
        root /var/www/letsencrypt;
        try_files $uri =404;
        break;
    }
}
As you can see, we use the /\.well-known/acme-challenge/ location to catch all challenge requests and the /var/www/letsencrypt directory to host the ACME challenges. So let's create that directory after you have edited the default Nginx vhost config:
shell
sudo mkdir -p /var/www/letsencrypt
Before applying changes to your Nginx settings, always check the configuration file:
shell
sudo nginx -t
You should get a notification that the syntax is ok:
shell
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
To apply the changes to our new Nginx vhost configuration, which is designed to catch all of your Let's Encrypt certificate challenges, do the following:
shell
sudo service nginx reload
Step 3 - Request new Let's Encrypt SSL
Now it is time to request our first Let's Encrypt SSL certificate for our domain:
shell
sudo letsencrypt certonly -a webroot --webroot-path=/var/www/letsencrypt -m mail@example.com --agree-tos -d ssl.itsyndicate.org
Let me describe some important options in our command:
- --webroot-path=/var/www/letsencrypt - here we configure the directory where the challenge files will be stored. We configured NginX to serve this directory.
- -m mail@example.com - with this option you set your e-mail address
- --agree-tos - this option accepts the Terms of Service without an interactive prompt, which makes the Let's Encrypt SSL installation fully automated
- -d ssl.itsyndicate.org - this option is used to issue SSL for the desired domain
After the command executes, you should see a Congratulations message:
IMPORTANT NOTES:
- If you lose your account credentials, you can recover through
e-mails sent to mail@example.com.
- Congratulations! Your certificate and chain have been saved at
/etc/letsencrypt/live/ssl.itsyndicate.org/fullchain.pem. Your cert
will expire on 2018-08-01. To obtain a new version of the
certificate in the future, simply run Let's Encrypt again.
- Your account credentials have been saved in your Let's Encrypt
configuration directory at /etc/letsencrypt. You should make a
secure backup of this folder now. This configuration directory will
also contain certificates and private keys obtained by Let's
Encrypt so making regular backups of this folder is ideal.
- If you like Let's Encrypt, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
Step 4 - Configure Nginx vhost
Now we have the new SSL certificate installed in '/etc/letsencrypt/live/ssl.itsyndicate.org/'. It's time to configure our Nginx vhost to serve https requests for the desired domain. Here is my example:
shell
server {
    # Must match the domain the certificate was issued for
    server_name ssl.itsyndicate.org;
    # "listen ... ssl" enables TLS; the deprecated "ssl on;" directive is not needed
    listen 443 ssl;
    ssl_certificate /etc/letsencrypt/live/ssl.itsyndicate.org/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/ssl.itsyndicate.org/privkey.pem;
    root /var/www/html/;
    index index.php index.html index.htm;
    location ~ /.well-known {
        root /var/www/letsencrypt;
        allow all;
    }
}
Let's test and reload our new NginX configuration:
shell
sudo nginx -t
sudo service nginx reload
Step 5 - Configure Let's Encrypt SSL auto-renewal
Let's Encrypt issues certificates for 90 days. You can reinstall the certificate manually when you get the email that your SSL expires soon, but I think there is a smarter way: automate it. We will use a daily cron job on our Ubuntu server to renew our SSL certificate.
I use the file '/etc/cron.daily/letsencrypt' to set up cron, with the following content:
shell
#!/bin/bash
/usr/bin/letsencrypt renew --renew-hook "/etc/init.d/nginx reload"
Step 6 - Test SSL configuration
When we are done with the configuration, it's time to take a cup of coffee, relax, and test our configuration. There are dozens of options to test SSL, but I will use two. The first one is curl:
curl -vI https://ssl.itsyndicate.org
shell
* Server certificate:
* subject: CN=ssl.itsyndicate.org
* start date: May 3 15:44:12 2022 GMT
* expire date: Aug 1 15:44:12 2022 GMT
* subjectAltName: host "ssl.itsyndicate.org" matched cert's "ssl.itsyndicate.org"
* issuer: C=US; O=Let's Encrypt; CN=Let's Encrypt Authority X3
* SSL certificate verify ok.
The second option is to open your site in Google Chrome and check the SSL certificate in the dev tools under the Security tab.
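Both checks above are manual, and a daily renewal cron can fail without anyone noticing until the certificate expires. The following script is an added example, not part of the original article: it warns when a certificate has fewer days left than a threshold. The function names, the 14-day threshold and the throwaway self-signed sample certificates are assumptions made for illustration.

```shell
#!/bin/bash
# Added example: detect a renewal cron job that has silently stopped working.

# Returns 0 if the certificate in $1 expires within $2 days, 1 otherwise.
# An unreadable file also returns 0, so a missing cert is treated as a problem.
cert_expires_within() {
    local pem="$1" days="$2"
    # -checkend N exits 0 when the cert is still valid N seconds from now.
    if openssl x509 -checkend "$((days * 86400))" -noout -in "$pem" >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# Prints an OK or WARN line for one certificate; returns non-zero on WARN.
check_cert() {
    local pem="$1" threshold="${2:-14}" end
    end=$(openssl x509 -enddate -noout -in "$pem" 2>/dev/null | cut -d= -f2)
    if cert_expires_within "$pem" "$threshold"; then
        echo "WARN $pem expires '$end' (less than $threshold days left)"
        return 1
    fi
    echo "OK $pem expires '$end'"
}

# Constructed sample input: a throwaway self-signed certificate valid for
# $1 days. Prints the path of the generated fullchain.pem.
make_sample_cert() {
    local dir
    dir=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days "$1" \
        -subj "/CN=ssl.itsyndicate.org" \
        -keyout "$dir/privkey.pem" -out "$dir/fullchain.pem" 2>/dev/null
    echo "$dir/fullchain.pem"
}

fresh=$(make_sample_cert 90)   # lifetime of a newly issued certificate
stale=$(make_sample_cert 10)   # what is left when renewals have been failing
check_cert "$fresh" 14
check_cert "$stale" 14 || true

# On the server, point it at the live certificate from Step 3:
#   check_cert /etc/letsencrypt/live/ssl.itsyndicate.org/fullchain.pem 14
```

Because certbot by default renews a certificate once it is within 30 days of expiry, a live certificate with fewer than 14 days left means the Step 5 cron job is not doing its work.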
Conclusion
Now you know how to install Let's Encrypt SSL on Ubuntu 22.04 to secure your site. It is a very simple, useful, and cheap solution to protect your site and slightly improve your SEO rankings. If you have issues with installation or you want to save time - ask our technicians to maintain your server for you.
Comments, improvements, and criticism are always welcome!
