Set up letsencrypt for Nginx using certbot on Ubuntu 20.04

Certbot module for nginx was updated Yesterday to support Ubuntu 20.04. So, I decided to post an update. Let's go through the extremely simple process of obtaining letsencrypt SSL certificate for your Shiny new ubuntu 20.04 server running nginx webserver using EFF certbot.

First thing first, Let's install the damn thing:

sudo apt install software-properties-common
sudo add-apt-repository universe

WARNING: This tutorial assumes that your domain points directly to your server through the means of an A Record and is not being proxied through a service like cloudflare. If you're using cloudflare, This process will not work for you.

sudo apt install certbot python3-certbot-nginx

Once it's installed, You'll have to enter a single command to get certificate for your domain. You can get certificate issued for multiple domains in this same command or separately by repeating the command with different -d parameter.

sudo certbot --nginx -d example.com -d www.example.com

Don't forget to replace example.com with your own domain. You can get certificate for subdomains as long as they are pointing to the same server. Additionally, if you host another domain example2.net you can add -d example2.net as a parameter e.g.

sudo certbot --nginx -d example.com -d www.example.com -d example2.com -d someotherexample.com

This will immediately generate a certificate and install into your relevant nginx configuration block. You will be asked to make some choices (e.g. redirect/no redirect) you can make choices as per your requirement and the process will deploy the certificate. You can go to your website and it will load over https:// now.

Certbot now automatically installs the required cron jobs to ensure that the certificate is renewed automatically, You can test the process occasionally through

sudo certbot renew --dry-run

This ensures that in case there is some change to your configuration that'll cause the ssl certificate no not renew, it'll alert you of the same. It should say no renewal pending if your certificate was just generated or recently renewed. In general the script attempts to renew your certificate every night and successfully renews it around 4 weeks before expiry unless something else is causing it to fail.

I hope this article proves helpful to you. In case you get stuck or need to sort something, I'll be happy to assist you. leave a comment over at my forum discuss.tekduke.com and I'll be happy to help.