How to Install a Free SSL Certificate on Nginx in Ubuntu 16.04/18.04


  1. Step – Prerequisites.

Before installing an SSL certificate on Nginx, first make sure that your DNS is configured properly. All DNS records should be present in your DNS configuration, and your domain name and IP address should be reachable. Also make sure that your domain points at your server's IP address.

Domain points to your IP address:

With your domain pointing at your server's IP address, create a CAA record for your domain. The CAA record allows Let's Encrypt to issue certificates for your domain.


Suppose is your domain name and you want to create an SSL certificate for your domain; then you have to add this record as a CAA record: IN CAA 0 issue “”

You can also add an iodef record so that Let's Encrypt reports malicious certificate issuance requests: IN CAA 0 iodef “mailto:[email protected]”
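
The CAA records described above decide whether Let's Encrypt may issue at all, so it is worth checking them before running certbot. The shell function below is an added example, not part of the original tutorial: it evaluates a record set in `dig +short CAA` format for a non-wildcard name. The name caa_check and the sample records are made up here, and letsencrypt.org is the issuer identifier Let's Encrypt uses in CAA records.

```shell
#!/bin/sh
# Added example, not from the tutorial: does a CAA RRset permit a CA to issue
# for a non-wildcard name? Reads `dig +short CAA <domain>` style lines on
# stdin (<flags> <tag> "<value>") and prints "allowed" or "denied: <reason>".
# Assumptions: the function name is made up here; parameters after ";"
# (accounturi, validationmethods) are ignored; parent zones are not queried.
caa_check() {
    awk -v ca="$1" '
    BEGIN { ca = tolower(ca) }
    NF < 3 { next }                            # skip blank or short lines
    {
        flags = $1; tag = tolower($2)
        val = $0
        sub(/^[^"]*"/, "", val); sub(/".*$/, "", val)   # text inside quotes
        split(val, parts, ";")                 # issuer precedes any ";"
        issuer = tolower(parts[1]); gsub(/[ \t]/, "", issuer)
        if (tag == "issue") {
            restricted = 1                     # issuance is now opt-in
            if (issuer == ca) named = 1
        } else if (tag != "issuewild" && tag != "iodef" && flags >= 128) {
            critical = tag                     # unknown tag marked critical
        }
    }
    END {
        if (critical != "")   print "denied: unknown critical tag " critical
        else if (!restricted) print "allowed"  # no issue records at all
        else if (named)       print "allowed"
        else                  print "denied: no issue record names " ca
    }'
}

# Constructed sample RRsets (example.com is a placeholder domain).
printf '%s\n' '0 issue "letsencrypt.org"' \
    '0 iodef "mailto:security@example.com"' | caa_check letsencrypt.org
printf '%s\n' '0 issue "ca.example.net"' | caa_check letsencrypt.org
printf '%s\n' '0 issue ";"' | caa_check letsencrypt.org
# Live use: dig +short CAA <your-domain> | caa_check letsencrypt.org
```

A record set with only iodef entries, or no CAA records at all, does not restrict issuance; a single issue record naming another CA does.
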

  1. Step – Set Up the Nginx Virtual Host

Now set up the Nginx HTTP server so that the Let's Encrypt tool can configure the certificate.

To install the Nginx HTTP server, use these commands:

sudo apt update

sudo apt install nginx

After installing Nginx, create a virtual host for your website configuration, and make sure that it contains only those domain names for which you want to create a free SSL/TLS certificate.

sudo nano /etc/nginx/sites-available/

In this file, your domain name should be highlighted:

server {
    listen 80;
    listen [::]:80;

    root /var/www/html/;
    index index.php index.html index.htm;
    server_name ;  # list your domain name(s) before the semicolon

    client_max_body_size 100M;

    location / {
        try_files $uri $uri/ /index.php?$args;
    }

    # Hand PHP requests to the PHP 7.2 FPM socket
    location ~ \.php$ {
        include snippets/fastcgi-php.conf;
        fastcgi_pass unix:/var/run/php/php7.2-fpm.sock;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}



  1. Step – Installing the Certbot Nginx client

sudo apt-get install python-certbot-nginx


If python-certbot-nginx is not already installed, then you have to add the PPA repository and install the packages.

sudo add-apt-repository ppa:certbot/certbot

sudo apt-get update

sudo apt-get install python-certbot-nginx


After running this command you get output like the one shown below:

sudo certbot --nginx --agree-tos --email [email protected] --redirect --hsts -d -d

The SSL client should install the certificate and configure your website to redirect all traffic over HTTPS.

Congratulations! You have successfully enabled and

You should test your configuration at:


- Congratulations! Your certificate and chain have been saved at:


Your key file has been saved at:


Your cert will expire on 2018-02-24. To obtain a new or tweaked

version of this certificate in the future, simply run certbot again

with the "certonly" option. To non-interactively renew *all* of

your certificates, run "certbot renew"

- If you like Certbot, please consider supporting our work by:

Donating to ISRG / Let's Encrypt:

Donating to EFF:          

Let's Encrypt automatically adds the highlighted code block to the Nginx site configuration file. Your site is ready to be used over HTTPS.

server {
    listen 80;
    listen [::]:80;

    root /var/www/html/;
    index index.php index.html index.htm;

    client_max_body_size 100M;

    location / {
        try_files $uri $uri/ /index.php?$args;
    }

    location ~ \.php$ {
        include snippets/fastcgi-php.conf;
        fastcgi_pass unix:/var/run/php/php7.2-fpm.sock;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }

    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

    if ($scheme != "https") {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    # Redirect non-https traffic to https
    # if ($scheme != "https") {
    #     return 301 https://$host$request_uri;
    # } # managed by Certbot
}



Now your setup is done. To test the renewal process, run:

sudo certbot renew --dry-run

Now you can add a cron job for the renewal process:

sudo crontab -e


Enter this line in the cron job configuration file:

0 1 * * * /usr/bin/certbot renew > /dev/null 2>&1





