Securing Your Nginx Website with Free SSL Certificates

Have you been meaning to add HTTPS encryption to your Nginx website but are unsure where to start? Well friend, you've come to the right place!

In this comprehensive guide, I'll be walking you through the full process of enabling HTTPS on Nginx using free SSL/TLS certificates from the awesome Let's Encrypt certificate authority.

Why HTTPS Matters

Before diving into the technical details, I want to emphasize why securing your website with HTTPS is so important:

  1. Data Security – Encrypting connections prevents man-in-the-middle attacks that can compromise sensitive user data.

  2. Trust & Conversion Rates – The browser padlock signals safety to your visitors, increasing sales.

  3. SEO Rankings – Google now uses "HTTPS" as a positive signal for search engine results page rankings.

Let me throw some real data behind this as well:

  • Sites loaded over HTTPS can achieve over 20% higher conversion rates compared to HTTP according to Google analytics research.

  • Websites failing to use secure HTTPS connections risk losing up to 21% visibility in Google searches according to Moz's Correlation Data.

It's clear that making the move to HTTPS is no longer an optional step for websites big or small. Today the cost of ignoring SSL vastly outweighs any benefit of skipping it.

Hopefully I've convinced you of the importance of enabling HTTPS! Now let's talk about how you can activate it on your Nginx powered site.

Prerequisite Checklist

Before we can dive into securely configuring Nginx, we first need a compatible environment in place.

Here's what you'll need:

Supported Server Infrastructure

Make sure Nginx is already installed and serving traffic successfully. Most mainstream Linux distros work here – including Ubuntu, Debian, CentOS, etc. Nginx compiles easily from source as well.

Own and Control Domain Name

You must own or control the domain names that will use the SSL certificate. Most signing authorities require proving domain ownership before issuing certificates.

Root Access to Server

We will need filesystem read/write access to install certificates and modify Nginx's configuration files. Having a root or sudo privileged shell session is key.

Assuming those requirements are met, you now have the foundation to add Let's Encrypt generated SSL to your site. Now let's explore two paths for making it happen:

Option 1: Automating via Certbot (Recommended)

The easiest approach is using EFF's Certbot tool to automate certificate generation and configuration of HTTPS on Nginx.

Here is an overview of the process when using Certbot:

  1. Install Certbot's Nginx plugin on your server
  2. Run Certbot and specify the domain names needing certificates
  3. Certbot automatically contacts Let‘s Encrypt CA to request SSL/TLS certificates
  4. Received certificates are enabled on Nginx and set to auto-renew

See what I mean about easy? Certbot eliminates most of the manual work involved with creating and installing certificates. It also adds helpful hardening like enforced redirects.

On your server, you kick things off by installing Certbot's dependencies and Nginx plug-in:

$ sudo apt update
$ sudo apt install certbot python3-certbot-nginx

Now execute the nginx plugin, specifying any domains you need HTTPS for:

$ sudo certbot --nginx -d example.com -d www.example.com

After a few prompts confirming you control the domains, Certbot will automatically fetch certificates from Let's Encrypt and modify your /etc/nginx/conf.d/*.conf files to enable them.

It's as simple as that! Your site now serves all traffic over secure HTTPS by default using trusted SSL certificates.

Let me show you an example of how Certbot configures Nginx once SSL is enabled:

server {
    server_name example.com;

    location / {
        proxy_pass http://localhost:8000;
    }

    # HTTPS listener and certificate paths added by Certbot
    listen 443 ssl;
    ssl_certificate /path/to/fullchain.pem;
    ssl_certificate_key /path/to/privkey.pem;
    include /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
}

server {
    # Plain HTTP requests for the domain are permanently redirected to HTTPS
    if ($host = example.com) {
        return 301 https://$host$request_uri;
    }

    server_name example.com;
    listen 80;
    return 404;
}

Notice how Certbot sets up the HTTPS listeners, specifies paths to certificates/keys, and enables redirects from HTTP to enforce secure connections.

This automated approach using Certbot's Nginx plugin is by far the easiest path to enabling HTTPS. And the certificates even renew themselves automatically!

However, if you need more customization control, the next method may better suit your needs.

Option 2: Manual Certificate Setup

For more advanced Nginx users with highly customized configs, manually installing Let's Encrypt certificates allows finer-grained control over the SSL integration process.

The high level steps we'll walk through are:

  1. Use SSLforFree to generate a free SSL/TLS certificate
  2. Prepare certificate files to work with Nginx
  3. Add listen directives and certificate references to Nginx configs
  4. Reload Nginx to activate SSL termination

Let's explore each phase in more depth.

Step 1: Obtain Certificates Manually

Rather than leverage Certbot for automatic issuance of Let's Encrypt certificates, we can obtain them manually from other CAs as well.

Two great services providing free basic domain validated certificates are:

With these services, you still need to demonstrate control over the domains needed, similar to using the automated Certbot process.

Once domain ownership is validated via DNS records or an HTTP file, they will issue trusted SSL certificates with keys that work across all major browsers.

Within a few minutes you can download a ZIP archive containing files needed for Nginx:

  • Certificate (CERT) – Public key certificate
  • Private key – Secret key for certificate
  • CA certificate – Intermediate signing certificate

After downloading, securely transfer those files onto your Nginx server into a protected system path only readable by root.

Next, we'll get them converted into the format expected by Nginx.

Step 2: Prepare Certs for Nginx Use

Nginx expects PEM-encoded certificate files rather than CRT/DER formats, and the private key needs tightened access permissions.

Here are the Linux commands to turn your SSLforFree-issued certificates into what Nginx requires:

# mkdir -p /etc/nginx/ssl
# chmod 700 /etc/nginx/ssl
# cp domain.key /etc/nginx/ssl/private.key
# chmod 600 /etc/nginx/ssl/private.key
# cat domain.crt ca_certificate.crt > /etc/nginx/ssl/combined.pem

We now have properly formatted key and certificate files in /etc/nginx/ssl ready to reference in the Nginx configuration. Note the order of the concatenation: the server certificate must come first, followed by the intermediate CA certificate, or Nginx will present the wrong certificate to clients.

Step 3: Configure Nginx for TLS Termination

With valid SSL certificate files in place, edit your Nginx server { } block configurations to leverage them.

Open the domain config file and add:

server {
  listen 443 ssl;
  server_name example.com;

  ssl_certificate /etc/nginx/ssl/combined.pem;
  ssl_certificate_key /etc/nginx/ssl/private.key;

  ...
}

server {
  listen 80;
  server_name example.com;

  return 301 https://$host$request_uri;
}

Here we:

  • Listen for HTTPS connections on port 443
  • Specify path to SSL certificate and private key
  • Redirect all HTTP requests to HTTPS

With this configuration, Nginx terminates SSL on port 443 and can securely proxy the decrypted requests to upstream backends (the omitted ... is where your location and proxy directives go).

Step 4: Load Updated Config

Finally, have Nginx reload its configuration files to activate the new TLS settings:

# nginx -s reload

Assuming the certificate paths and server blocks are defined properly, your back-end application traffic is now served strictly over HTTPS!
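The checks below are an added example, not part of the original post: a small script that validates the files from Step 1 before Nginx is pointed at them (chain order, key/certificate match, chain to the CA), then installs them with the Step 2 permissions and reloads as in Step 4. It assumes openssl and nginx are on PATH and uses the post's file names; the script name check_certs.sh is an assumption.

```shell
#!/bin/sh
# Added example (not from the original post): sanity-check manually obtained
# certificate files, then install them and reload Nginx only if "nginx -t" passes.
# Assumes openssl and nginx on PATH; file names follow the post's Step 2 commands.
set -eu
SSL_DIR="${SSL_DIR:-/etc/nginx/ssl}"

# Nginx wants the chain in this order: server (leaf) certificate first,
# then the intermediate CA certificate that signed it.
build_chain() {  # build_chain domain.crt ca_certificate.crt combined.pem
    cat "$1" "$2" > "$3"
}

# The private key must belong to the certificate; compare the public key
# each file carries. A mismatch makes "nginx -t" fail at reload time.
key_matches_cert() {  # key_matches_cert private.key domain.crt
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null) || return 1
    [ "$k" = "$c" ]
}

# The leaf must actually chain to the CA file you were given; this catches
# a wrong or missing intermediate before a browser does.
chain_verifies() {  # chain_verifies domain.crt ca_certificate.crt
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# openssl x509 reads only the first certificate in a file: if the CA cert
# was concatenated first, Nginx would present it as the server certificate.
first_cert_is_leaf() {  # first_cert_is_leaf combined.pem example.com
    openssl x509 -in "$1" -noout -subject | grep -q "$2"
}

# Install with the post's permissions, syntax-check, and reload only on success.
install_and_reload() {  # install_and_reload domain.key combined.pem
    mkdir -p "$SSL_DIR" && chmod 700 "$SSL_DIR"
    cp "$1" "$SSL_DIR/private.key" && chmod 600 "$SSL_DIR/private.key"
    cp "$2" "$SSL_DIR/combined.pem" && chmod 644 "$SSL_DIR/combined.pem"
    nginx -t && nginx -s reload
}

# Usage (as root): sh check_certs.sh domain.key domain.crt ca_certificate.crt example.com
if [ "$#" -eq 4 ]; then
    build_chain "$2" "$3" combined.pem
    key_matches_cert "$1" "$2"  || { echo "key does not match certificate" >&2; exit 1; }
    chain_verifies "$2" "$3"    || { echo "certificate does not chain to CA" >&2; exit 1; }
    first_cert_is_leaf combined.pem "$4" || { echo "leaf is not first in chain" >&2; exit 1; }
    install_and_reload "$1" combined.pem
fi
```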

I walk through these manual installation and configuration steps in more detail in the video below:

Video demonstrating manual Nginx SSL configuration

Now that I've covered two paths towards getting HTTPS enabled for an Nginx site, let me share some next steps and additional tips for managing TLS certificates from here.

Post Deployment Recommendations

After installing certificates and redirecting connections to HTTPS, here are some additional best practices:

Test Rigorously – Verify all functionality works as expected under HTTPS and no TLS issues occur before launching to production traffic.

Automate Renewals – Let's Encrypt certificates have 90-day lifespans. Use auto renewals to save work down the road.

Redirect HTTP Persistently – Include permanent 301 redirects from HTTP to avoid duplicate, insecure access long term.

Enable HSTS – Tell clients that connections must always use HTTPS, to prevent interception.

Choose Modern Ciphers – Disable outdated TLS cipher suites and protocols to improve security.

Taking those extra steps beyond just enabling HTTPS goes a long way towards securely handling user data and complying with privacy regulations.

For even more enhanced security, explore enabling HTTP/2, OCSP stapling, and additional HTTP headers as well.
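As an added example (not from the original post), here is the Option 2 server block with the Choose Modern Ciphers, Enable HSTS, HTTP/2 and OCSP stapling recommendations applied. The cipher list is Mozilla's intermediate profile; /etc/nginx/ssl/chain.pem and the resolver address are assumptions you replace with your own intermediate-plus-root file and DNS resolver.

```nginx
server {
    listen 443 ssl http2;   # HTTP/2; nginx 1.25.1+ prefers a separate "http2 on;" directive
    server_name example.com;

    ssl_certificate     /etc/nginx/ssl/combined.pem;
    ssl_certificate_key /etc/nginx/ssl/private.key;

    # Choose Modern Ciphers: no SSLv3/TLS 1.0/1.1, only AEAD suites with forward secrecy
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers off;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:10m;
    ssl_session_tickets off;

    # OCSP stapling: chain.pem (assumed path) must hold the intermediate and root
    # certificates; 127.0.0.1 is a placeholder for your own DNS resolver
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /etc/nginx/ssl/chain.pem;
    resolver 127.0.0.1 valid=300s;

    # Enable HSTS only once HTTPS is verified working on the whole site: browsers
    # will refuse plain HTTP for max-age seconds after they first see this header
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains" always;

    location / {
        proxy_pass http://localhost:8000;
    }
}
```

The HTTP server block with the 301 redirect from Step 3 stays as it is; HSTS complements the redirect rather than replacing it.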

Wrapping Up

And there you have it! We covered a soup-to-nuts guide to enabling free SSL certificates for Nginx from Let's Encrypt using both automated and manual installation techniques.

I hope walking through both options gives you flexibility to secure sites using your preferred approach.

If you have any other questions feel free to ask in the comments section below. Thanks for following along securing your Nginx server with Let's Encrypt and TLS!
