How to Install Let’s Encrypt and Use It with Nginx on Ubuntu (Complete Guide)
Securing a website with HTTPS is no longer optional. Browsers warn users about insecure sites, search engines favor HTTPS, and modern security standards assume encryption by default. Thankfully, Let’s Encrypt makes it possible to get free, trusted SSL certificates, and Nginx integrates with it very well on Ubuntu.
In this article, we’ll walk through installing Let’s Encrypt on Ubuntu and configuring it with Nginx, step by step. This guide is written in a practical, human way, focusing on real-world usage—not just commands. We’ll also cover certificate renewal, firewall rules, permissions, and common problems you’re likely to encounter.
We’ll use infrarunbook.com as the example domain throughout.
What Is Let’s Encrypt (And Why You Should Use It)
Let’s Encrypt is a free, automated Certificate Authority (CA) that provides SSL/TLS certificates trusted by all major browsers. It removes cost and complexity from HTTPS adoption.
With Let’s Encrypt:
- Certificates are free
- Browsers trust them automatically
- Renewal is automated
- Setup is fast and production-ready
For most websites, there is no reason not to use Let’s Encrypt.
Before You Start: Prerequisites Checklist
Before installing Let’s Encrypt, make sure the following are already in place:
- ✅ Ubuntu server (20.04 / 22.04 recommended)
- ✅ Nginx installed and running
- ✅ Website accessible over HTTP
- ✅ Domain name pointing to your server IP
- ✅ Ports 80 and 443 open in firewall
If Nginx is not installed yet, complete that first:
👉 https://infrarunbook.com/article/how-to-install-nginx-on-ubuntu-2204-complete-step-by-step-guide
Only continue once your site works over HTTP.
How Let’s Encrypt Works (Quick Understanding)
Let’s Encrypt verifies that:
- You control the domain
- The domain resolves to your server
- Nginx can serve validation files
Once verified, it issues a certificate that:
- Is valid for 90 days
- Can be auto-renewed
- Is trusted by browsers
On Ubuntu + Nginx, this is handled by a tool called Certbot.
Step 1: Update the System
Always start with an updated package index:
sudo apt update
This avoids dependency and compatibility issues.
Step 2: Install Certbot and Nginx Plugin
Ubuntu provides Certbot via official repositories.
Install Certbot with the Nginx plugin:
sudo apt install certbot python3-certbot-nginx -y
This plugin allows Certbot to:
- Automatically detect Nginx configs
- Modify server blocks safely
- Reload Nginx when needed
Step 3: Confirm Firewall Allows HTTPS
If HTTPS traffic is blocked, certificate validation may fail.
Check firewall status:
sudo ufw status
If needed, allow Nginx traffic:
sudo ufw allow 'Nginx Full'
This opens both 80 and 443.
Step 4: Verify Nginx Server Block Is Correct
Your site config should already exist:
/etc/nginx/sites-available/infrarunbook.com
At minimum, your HTTP block should look like this:
server {
    listen 80;
    server_name infrarunbook.com www.infrarunbook.com;
    root /var/www/infrarunbook.com/public_html;
    index index.html;
}
Make sure:
- server_name matches your domain
- Site is enabled
- HTTP works in browser
Certbot depends on this.
Step 5: Obtain SSL Certificate Using Certbot
Now comes the main step.
Run:
sudo certbot --nginx -d infrarunbook.com -d www.infrarunbook.com
Certbot will:
- Ask for an email address
- Ask to agree to terms
- Ask whether to redirect HTTP → HTTPS
- Validate domain ownership
- Install certificates
- Reload Nginx
When Asked About Redirect
Choose:
2: Redirect
This automatically sets up HTTP → HTTPS redirection.
Step 6: Verify SSL Certificate Installation
After Certbot completes, check:
sudo nginx -t
sudo systemctl reload nginx
Open your browser and visit:
https://infrarunbook.com
You should see:
- 🔒 Lock icon
- No certificate warnings
- HTTPS enforced
Step 7: Understand Where Certificates Are Stored
Let’s Encrypt stores certificates here:
/etc/letsencrypt/live/infrarunbook.com/
Key files:
- fullchain.pem → Certificate + chain
- privkey.pem → Private key (keep secure)
⚠️ Never change permissions on private key files manually.
Step 8: Check Nginx SSL Configuration
Certbot automatically updates your config.
Your HTTPS block will look similar to:
server {
    listen 443 ssl;
    server_name infrarunbook.com www.infrarunbook.com;
    ssl_certificate /etc/letsencrypt/live/infrarunbook.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/infrarunbook.com/privkey.pem;
    root /var/www/infrarunbook.com/public_html;
    index index.html;
    location / {
        try_files $uri $uri/ =404;
    }
}
This is a clean and correct setup.
Step 9: Test Certificate from Command Line
Use curl:
curl -I https://infrarunbook.com
You should see:
HTTP/2 200
No SSL errors.
Step 10: Enable Auto-Renewal (Very Important)
Let’s Encrypt certificates expire every 90 days.
Certbot sets up a system timer automatically.
Check it:
systemctl list-timers | grep certbot
Test renewal manually:
sudo certbot renew --dry-run
If this succeeds, renewal will work automatically.
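A passing dry run does not tell you when a later renewal starts failing, so it helps to check the installed certificate's remaining validity on a schedule as well. The script below is an added example, not part of Certbot or the original guide; the function names and the 30-day warning threshold are assumptions.

```bash
#!/bin/sh
# Added example: report how much validity a certificate has left,
# independent of certbot's own timer.

# Print whole days until the certificate in PEM file $1 expires.
cert_days_left() {
    local end end_epoch now_epoch
    # openssl prints e.g. "notAfter=Jun  1 12:00:00 2030 GMT"
    end="$(openssl x509 -in "$1" -noout -enddate 2>/dev/null)" || return 1
    # GNU date (as shipped on Ubuntu) parses that timestamp directly
    end_epoch="$(date -u -d "${end#notAfter=}" +%s)" || return 1
    now_epoch="$(date -u +%s)"
    echo $(( (end_epoch - now_epoch) / 86400 ))
}

# Print OK, RENEWAL_OVERDUE, EXPIRED or UNREADABLE for PEM file $1.
# $2 = warning threshold in days (default 30, an assumed value).
cert_status() {
    local pem="$1" warn_days="${2:-30}"
    if ! openssl x509 -in "$pem" -noout >/dev/null 2>&1; then
        echo "UNREADABLE"        # missing file or not a certificate
    elif ! openssl x509 -in "$pem" -noout -checkend 0 >/dev/null; then
        echo "EXPIRED"           # notAfter is already in the past
    elif ! openssl x509 -in "$pem" -noout \
            -checkend $(( warn_days * 86400 )) >/dev/null; then
        echo "RENEWAL_OVERDUE"   # valid, but inside the warning window
    else
        echo "OK"
    fi
}

# Usage (run as root so the file is readable):
#   cert_status /etc/letsencrypt/live/infrarunbook.com/fullchain.pem 30
#   cert_days_left /etc/letsencrypt/live/infrarunbook.com/fullchain.pem
```

Run it from cron or a monitoring agent and alert on anything other than OK; a RENEWAL_OVERDUE result is the cue to read /var/log/letsencrypt/letsencrypt.log before the certificate actually expires.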
Common Problems and Troubleshooting
Let’s cover real issues admins face.
Problem 1: Certbot Fails Domain Validation
Causes
- DNS not pointing to server
- Port 80 blocked
- Wrong server_name
Fix
- Verify DNS: dig infrarunbook.com
- Open port 80
- Ensure correct Nginx config
Problem 2: HTTPS Works but HTTP Doesn’t Redirect
Cause
- Redirect option skipped
- Old server block still active
Fix
- Add explicit HTTP → HTTPS redirect
- Reload Nginx
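One way to apply and verify this fix, as an added example that is not from the original guide or from Certbot: print_redirect_block emits a redirect-only port 80 server block to paste into the site config, and check_redirect classifies the headers returned by curl -sI. Both function names and the result labels are assumptions.

```bash
#!/bin/sh
# Added example: emit an explicit port-80 redirect block and verify the response.

# Print a redirect-only server block for the server_name list in $1.
print_redirect_block() {
    cat <<EOF
server {
    listen 80;
    server_name $1;
    return 301 https://\$host\$request_uri;
}
EOF
}

# Classify the header block printed by `curl -sI http://<host>/` (read on stdin).
# $1 is the hostname the redirect must land on.
check_redirect() {
    awk -v want="$1" '
        { sub(/\r$/, "") }                        # curl keeps CRLF line endings
        /^HTTP\//                  { status = $2 }
        tolower($1) == "location:" { loc = $2 }   # header names are case-insensitive
        END {
            if (status !~ "^30[1278]$") { print "NO_REDIRECT"; exit }
            if (loc !~ "^https://")     { print "NOT_HTTPS";   exit }
            host = loc
            sub("^https://", "", host)            # drop the scheme
            sub("[/:?#].*$", "", host)            # drop port, path, query
            if (tolower(host) != tolower(want)) { print "WRONG_HOST"; exit }
            print "OK"
        }'
}

# Usage:
#   print_redirect_block "infrarunbook.com www.infrarunbook.com"
#   curl -sI http://infrarunbook.com/ | check_redirect infrarunbook.com
```

NO_REDIRECT on a site that should redirect usually means an older port 80 server block is still answering; remove or replace it, run sudo nginx -t, then reload.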
Problem 3: SSL Certificate Expired
Cause
- Auto-renewal failed
- Server down during renewal
Fix
sudo certbot renew
Check logs:
/var/log/letsencrypt/letsencrypt.log
Problem 4: Permission Errors After SSL
Cause
- Incorrect website file permissions
- Manual changes after setup
Fix
sudo chown -R www-data:www-data /var/www/infrarunbook.com
sudo find /var/www/infrarunbook.com -type d -exec chmod 755 {} \;
sudo find /var/www/infrarunbook.com -type f -exec chmod 644 {} \;
Firewall & SSL (Often Overlooked)
Ensure:
- Port 80 → open (for renewal)
- Port 443 → open (for HTTPS)
sudo ufw allow 80/tcp
sudo ufw allow 443/tcp
Best Practices When Using Let’s Encrypt with Nginx
- Always test config before reload
- Monitor certificate expiry
- Keep port 80 open (even if redirecting)
- Do not manually edit cert files
- Use strong permissions
- Combine with HSTS only after testing
Final Thoughts
Installing Let’s Encrypt with Nginx on Ubuntu is one of the best security upgrades you can make to a website. It’s free, trusted, and easy to automate. When done properly, HTTPS becomes invisible to users—but invaluable for security and SEO.
For infrarunbook.com, this setup forms the foundation for:
- HTTP → HTTPS redirection
- HSTS
- Secure cookies
- Modern browser compatibility
