Update the Server
It’s recommended to upgrade the server packages before touching the SSL configuration. The following two commands update and upgrade the server packages on the Ubuntu server.
$ sudo apt-get dist-upgrade
Additionally, it’s recommended to upgrade snapd, the background service that manages snap packages. Snapd has been a built-in service since Ubuntu 16.04.
$ sudo snap refresh core
If snapd is not available on the Ubuntu server for some reason, use the following command to install the snapd background service.
Configure the DNS Records
DNS records live on the domain’s authoritative name servers and map a domain name to its IP address. Setting up SSL on an Nginx server requires a domain name that points at the server’s IP address. After pointing the domain name to that IP address in the DNS records, the same domain name must be entered in the Nginx configuration file for the site to work correctly.
Navigate to the domain name registrar and find the advanced DNS records section. The following screenshot shows how a typical DNS record entry looks. Enter the IP address of the Nginx server in the Answer textbox, select A (address record) from the Type drop-down box, and type either nothing or the subdomain of the Nginx server in the Host textbox. The IP address of the host can be found with the hostname -I command.
Access the server with an SSH client such as PuTTY, or an editor such as Notepad++ with the NppFTP plugin, and open /etc/nginx/sites-available/default. Copy the domain name typed in the Host textbox in the previous section and type it after the server_name directive, as in server_name subdomain.domain.com;. If there is no subdomain, leave the subdomain part out. Restart the Nginx server with the systemctl restart nginx command for the settings to take effect.
Install the SSL/TLS
There are several ways to install an SSL certificate on an Nginx web server. The easiest and most affordable method is Certbot, which makes the whole process relatively simple. It edits the Nginx configuration file automatically and provides an SSL certificate free of charge that can be renewed any number of times. The only catch is that Certbot issues a Let’s Encrypt certificate, which has to be renewed every 3 months instead of once a year as with paid options. Let’s Encrypt only validates control of the domain and doesn’t verify the organization; hence, it’s not advisable to use it for eCommerce websites, banks, or other commercial entities, because it provides zero assurance that the domain name owner is the same as the organization’s owner. However, it’s quite sufficient for a general-purpose website.
Type the following command in the SSH client to install Certbot on the Ubuntu server.
Type the following command to create a symbolic link from /snap/bin to /usr/bin, so the Certbot binary can be called without typing its full path.
Finally, run Certbot to install the certificate and configure the Nginx default file. It will ask a series of questions; make sure all of them are answered appropriately. Before this step, the site must be reachable by its domain name. If the Configure the DNS Records section was followed, this should not be a problem.
Test Certbot to ensure it renews the certificate whenever necessary. Certbot automatically sets up a cron job to renew the certificate periodically, so it never has to be run by hand again, but it’s recommended to run the following command to confirm that renewal succeeds.
Type the domain name in the web browser and access it to confirm the website works without any problem. If a padlock icon appears before the domain name and the site shows no error or warning when visited, the SSL configuration is successful.
Advanced Nginx SSL Configuration
The advanced SSL configuration helps tighten security and improve the website’s compatibility with many web browsers. However, the default settings are sufficient for a general-purpose website.
Navigate to the Mozilla SSL Configuration Generator website.
Select Nginx in the Server Software option.
Select one of the options in the Mozilla Configuration section. This option determines which web browsers are compatible with the website. The Modern option gives the website high security but makes it incompatible with many web browsers and their older versions. In contrast, the Old option provides less security but high compatibility with virtually any web browser. The Intermediate option offers a good balance between security and compatibility.
Type the Nginx server version and OpenSSL version in the Environment section. Both versions can be found with the nginx -V command.
Select HTTP Strict Transport Security and OCSP Stapling for better security and more efficient certificate verification. HSTS tells browsers to connect only over HTTPS, and OCSP stapling lets the server attach the certificate’s revocation status to the handshake so clients don’t have to query the CA themselves.
Copy the configuration generated by the tool and paste it into the Nginx default file. Make sure the server_name directive is typed again, as the tool doesn’t generate it. After the configuration file is updated, restart the Nginx server with the systemctl restart nginx command.
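As an added example that is not part of the original tutorial, a small POSIX sh check to run before restarting Nginx: it confirms that the default file still contains the directives this procedure relies on, including the server_name line the generator does not emit and the catch-all placeholder server_name _; that would otherwise slip through. The domain and certificate paths in the sample block are constructed placeholders.

```shell
#!/bin/sh
# Added example, not code from the original tutorial. check_ssl_config FILE verifies that
# an Nginx TLS server block still has the directives this procedure relies on after the
# generator output is pasted in. Returns 0 if all are present, 1 otherwise (missing ones on stderr).
check_ssl_config() {
    conf="$1"
    missing=0
    # server_name is the directive the Mozilla generator leaves out; the pattern also rejects
    # the catch-all placeholder "server_name _;" that Ubuntu's default file ships with.
    for pattern in \
        '^[[:space:]]*server_name[[:space:]]+[^_[:space:]]' \
        '^[[:space:]]*ssl_certificate[[:space:]]' \
        '^[[:space:]]*ssl_certificate_key[[:space:]]' \
        '^[[:space:]]*add_header[[:space:]]+Strict-Transport-Security' \
        '^[[:space:]]*ssl_stapling[[:space:]]+on'
    do
        if ! grep -Eq "$pattern" "$conf"; then
            echo "missing directive matching: $pattern" >&2
            missing=1
        fi
    done
    return "$missing"
}

# Constructed sample of a Certbot-managed server block (placeholder domain and paths),
# used only so the check can be exercised without touching a real server.
write_sample_config() {
    cat > "$1" <<'EOF'
server {
    listen 443 ssl;
    server_name www.example.test;
    ssl_certificate /etc/letsencrypt/live/example.test/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.test/privkey.pem;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_stapling on;
    add_header Strict-Transport-Security "max-age=63072000" always;
}
EOF
}

# With a file argument, check that file (e.g. /etc/nginx/sites-available/default);
# otherwise check the constructed sample. Run "nginx -t" as well before restarting Nginx.
if [ "$#" -eq 1 ]; then
    check_ssl_config "$1"
else
    sample=$(mktemp)
    write_sample_config "$sample"
    check_ssl_config "$sample" && echo "sample passes: $sample"
    rm -f "$sample"
fi
```

Run it as sh check_ssl_config.sh /etc/nginx/sites-available/default after pasting the generator output; any directive it reports missing must be added back before the restart.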
Thanks to Certbot and Let’s Encrypt, installing an SSL certificate on an Nginx web server is nowadays relatively easy: Certbot handles installing, configuring, and renewing the certificate. After the basic configuration is completed, it’s recommended to tune the SSL settings with the Mozilla SSL Configuration Generator, which gives the website both security and compatibility.