Configuring a Let's Encrypt certificate enables HTTPS on Nginx without buying a commercial certificate, protecting logins, cookies, and API tokens from interception on untrusted networks.

Let's Encrypt issues short-lived certificates via the ACME protocol, and certbot can complete HTTP-01 validation by serving a challenge over port 80 before writing keys under /etc/letsencrypt/ and updating the correct Nginx server block.

The commands below follow Debian and Ubuntu apt and systemd conventions, and issuance depends on working DNS plus inbound reachability on ports 80 and 443. Repeated failed requests can hit Let's Encrypt rate limits, so the configuration should be tested before retrying, and renewal should be validated before relying on the certificate in production.

Steps to configure Let's Encrypt SSL in Nginx:

  1. Confirm the domain resolves to the server IP address.
    $ getent hosts example.com
    203.0.113.10  example.com
  2. Confirm Nginx serves the site over HTTP on port 80.
    $ curl -I http://example.com
    HTTP/1.1 200 OK
    Server: nginx
    Content-Type: text/html
    ##### snipped #####

    HTTP-01 validation fails when port 80 is blocked by a firewall, reverse proxy, or cloud security group.

  3. Allow inbound TCP ports 80 and 443 in the firewall.
    $ sudo ufw allow 'Nginx Full'
    Rule added
    Rule added (v6)

    Use equivalent rules in nftables, iptables, or cloud firewall controls when ufw is not in use.

  4. Set the HTTP server block server_name directive to the certificate hostnames.
    server {
        listen 80;
        server_name example.com www.example.com;
    
        ##### snipped #####
    }

    The certbot Nginx installer selects a server block by matching server_name, and missing names often cause issuance failures or edits to the wrong site.

  5. Test the Nginx configuration for syntax errors.
    $ sudo nginx -t
    nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
    nginx: configuration file /etc/nginx/nginx.conf test is successful
  6. Install certbot with the Nginx plugin.
    $ sudo apt update
    $ sudo apt install --assume-yes certbot python3-certbot-nginx
  7. Obtain a certificate using certbot in Nginx mode.
    $ sudo certbot --nginx -d example.com -d www.example.com
    Saving debug log to /var/log/letsencrypt/letsencrypt.log
    Requesting a certificate for example.com and www.example.com
    ##### snipped #####
    Successfully received certificate.
    Certificate is saved at: /etc/letsencrypt/live/example.com/fullchain.pem
    Key is saved at:         /etc/letsencrypt/live/example.com/privkey.pem
    ##### snipped #####
    Congratulations! You have successfully enabled HTTPS on https://example.com

    Repeated failures can trigger Let's Encrypt rate limits; use --test-cert during troubleshooting to avoid consuming production issuance quota.

  8. Test the Nginx configuration after certbot changes.
    $ sudo nginx -t
    nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
    nginx: configuration file /etc/nginx/nginx.conf test is successful
  9. Reload Nginx to activate the new SSL configuration.
    $ sudo systemctl reload nginx
  10. Verify HTTPS responses from a client.
    $ curl -I https://example.com
    HTTP/2 200
    server: nginx
    content-type: text/html
    ##### snipped #####
  11. Validate renewal with a dry run.
    $ sudo certbot renew --dry-run
    Saving debug log to /var/log/letsencrypt/letsencrypt.log
    ##### snipped #####
    Simulating renewal of an existing certificate for example.com and www.example.com
    ##### snipped #####
    Congratulations, all renewals succeeded.
    ##### snipped #####

    Review renewal logs in /var/log/letsencrypt/letsencrypt.log when renewals fail.

  12. Confirm the scheduled renewal timer is active.
    $ sudo systemctl status certbot.timer
    ● certbot.timer - Run certbot twice daily
         Loaded: loaded (/lib/systemd/system/certbot.timer; enabled; vendor preset: enabled)
         Active: active (waiting)
        Trigger: ##### snipped #####
    ##### snipped #####
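The following pre-flight check for step 4 is example code added to this article (not certbot's or Nginx's own tooling): it confirms that every hostname to be passed to certbot -d appears in a server_name directive of a server block that listens on port 80, which is where HTTP-01 validation must be answered. It reads a single configuration file, so to cover included site files run it against the output of sudo nginx -T saved to a file; the sample config inside it is constructed for the demonstration.

```shell
#!/bin/sh
# Added pre-flight check for step 4 (example written for this article, not
# certbot or Nginx code): every hostname that will be passed to "certbot -d"
# must appear in server_name of a server block that listens on port 80.
# Usage: preflight_server_names CONFIG_FILE HOST [HOST...]; exit 0 if all found.
preflight_server_names() {
    conf=$1; shift
    missing=0
    for host in "$@"; do
        if awk -v want="$host" '
            { opens = gsub(/[{]/, "{"); closes = gsub(/[}]/, "}") }  # brace counts only
            depth == 0 && /^[ \t]*server[ \t]*[{]/ { inblock = 1; listen80 = 0; named = 0 }
            inblock && /^[ \t]*listen[ \t]/ && /[^0-9]80[^0-9]/ { listen80 = 1 }
            inblock && /^[ \t]*server_name[ \t]/ {
                line = $0; sub(/;.*/, "", line); n = split(line, f, /[ \t]+/)
                for (i = 1; i <= n; i++) if (f[i] == want) named = 1
            }
            { depth += opens - closes }
            inblock && depth == 0 { if (listen80 && named) found = 1; inblock = 0 }
            END { exit found ? 0 : 1 }
        ' "$conf"; then
            echo "ok:      $host is named in a port-80 server block"
        else
            echo "missing: $host is not named in any port-80 server block"
            missing=1
        fi
    done
    return $missing
}

# Constructed sample config (not from a real server): one plain-HTTP site and
# one host that only listens on 443, which HTTP-01 over port 80 cannot reach.
sample_config() {
    cat <<'EOF'
server {
    listen 80;
    listen [::]:80;
    server_name example.com www.example.com;
    location / { root /var/www/example; }
}
server {
    listen 443 ssl;
    server_name tls-only.example.com;
}
EOF
}

conf=$(mktemp); sample_config > "$conf"
preflight_server_names "$conf" example.com www.example.com tls-only.example.com || true
rm -f "$conf"
```

Run it before step 7; a "missing" line means certbot --nginx will either fail issuance for that name or edit a different server block than intended.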