Securing site with a TLS certificate is essential. There are two main reasons:
Secure data transmission between a user’s device to SSL/TLS offloading device Improve Google search ranking
Lately, Google announced that site without https:// would be marked as “No Secure” in chrome browser. So yes, Say YES to HTTPS. If you are running a blog, personal site, non-membership, the non-financial transactional site then you may go for Let’s Encrypt certificate. Let’s Encrypt offer a FREE certificate. However, if you are accepting a financial transaction, then you may want to go for a commercial certificate. Let’s implement TLS in Nginx… I assume you already have Nginx installed and running if not refer to this installation guide. There are multiple ways to get this done.
Let’s Encrypt using Certbot
One of the easiest and recommended ways to install it. Certbot offers a drop-down menu where you can select the webserver and OS to get the instruction. I’ve selected Nginx and Ubuntu as you can see below.
And, I’ll be executing the below on the Nginx server to install the certbot plugin. Once all ok, it’s time to use a certbot plugin to install a certificate in Nginx. You can use the below command which will take care of modifying the necessary file to configure the certificate. It will check the CN (common name) in the existing Nginx configuration file, and it not found then it will prompt you to enter. Ex: Certbot automation is smart! As you can see it has taken care of all the necessary configuration to make my Nginx ready to serve over https. However, if you don’t want Certbot to modify the configuration for you, then you can just request the below command. The above command will not perform any modification instead just provide you the certificate so you can configure the way you want. But what if you can’t or don’t want to use Certbot?
Manual Procedure
There are many ways to get the cert issued by Let’s Encrypt, but one of the recommended is from SSL for Free online tool. Provide your URL and proceed with the verification method. Once verified, you will get the certificate, private key, and CA.
Download them, and transfer to Nginx server. Let’s keep them under ssl folder (create if doesn’t exist) of Nginx installation path Before proceeding with the configuration modification, you need to concatenate certificate.crt and ca_bundle.crt into a single file. Let’s name it tlscert.crt
Go to sites-available folder and add the following in respective site configuration file
Restart Nginx
Try to access the respective domain over HTTPS
So here you go, it’s a success! An alternative to Let’s Encrypt, you can also use ZeroSSL which is explained here about the implementation. Next, you may want to test your site for SSL/TLS vulnerability and fix them if found.