HTTP to HTTPS, Add an SSL Certificate to your Nginx Hosted Website with Let's Encrypt
Moving from HTTP to HTTPS not only brings more security and trust for your users, especially if your website contains forms, but also has an impact on search rankings. We have noticed companies face a number of issues when adopting SSL certificates and wanted to share a post to help you get set up.
Moving from HTTP to HTTPS means adding SSL/TLS encryption to your website, which requires obtaining an SSL certificate from a certificate authority (CA). Let's Encrypt is a great option because its certificates are free to obtain and the vast majority of browsers in use today recognize Let's Encrypt certificates. It's quickly becoming an industry standard. In addition, there are tools like certbot that help automate the issuing and renewing of certificates.
In this post we will assume that your website is running on a single instance or host that an IP address points to. For example, your website could be running on an EC2 instance. We will also assume that you are using Nginx as the web server. If your website uses Apache then the steps will be similar but the packages required will be different. (Need help? Book a consultation with us here.)
Step 1: Update your DNS Zone file with an A record pointing to your EC2 instance
Create a DNS A Record in your DNS Zone file that points to your instance IP address. For example, let’s say your instance IP address is A.B.C.D. Then you will enter an A record as follows:
Host name        Type   TTL      Data
taggedweb.com    A      1 hour   A.B.C.D

Replace taggedweb.com with your domain, in this step and anywhere in the remainder of this post.
Step 2: Add and install Certbot (by Let’s Encrypt) on your instance
# For Ubuntu
sudo apt-get install certbot
# If you use the Python package manager pip you can run
pip install certbot-nginx
# Otherwise you can run
sudo apt-get install python-certbot-nginx
Step 3: Make sure your nginx configuration file for your domain is active
On Ubuntu servers, the Nginx config file should reside at:
We repeat that taggedweb.com is a placeholder here and should be replaced by your domain name.
Step 4: Run certbot to obtain the SSL/TLS certificate for your domain
sudo certbot --nginx -d taggedweb.com
This should prompt you with a couple of questions (one of them concerns HTTPS redirects, which we recommend answering yes to). Once you complete the steps, it will update the Nginx configuration file for your domain automatically.
Behind the scenes
Note that, behind the scenes, as soon as you run the command, Let’s Encrypt checks that you own the domain so this step will fail if your DNS record is not set up correctly. It does so by creating a temporary token file that is served via HTTP. The Let’s Encrypt server then makes a plain old HTTP request to retrieve the token file, which verifies that the domain correctly resolves to your server on which you are running certbot. This check helps Let’s Encrypt validate that you own the domain before issuing a certificate.
Step 5: Verify your Nginx configuration file for your domain is updated
It should contain the following lines in your SSL configuration.
# RSA certificate
ssl_certificate /etc/letsencrypt/live/taggedweb.com/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/taggedweb.com/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
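One way to automate this check, as an added example that is not part of the original post or of Certbot: the hypothetical helper check_certbot_conf reports any of the three Certbot-managed lines, or the HTTPS redirect from Step 4, that is missing, commented out, or pointing at another domain's certificate directory. It assumes one directive per line, and the sample config is constructed.

```sh
#!/bin/sh
# check_certbot_conf is a hypothetical helper, not part of Certbot or Nginx.
# Usage: check_certbot_conf <domain> <nginx-config-file>
# Prints one line per problem and returns 1; returns 0 when all checks pass.
# Assumes one directive per line, which is how Certbot writes its edits.
check_certbot_conf() {
    domain=$1
    conf=$2
    live="/etc/letsencrypt/live/$domain"
    rc=0
    # Drop comments and normalise whitespace so that a commented-out
    # directive is not mistaken for an active one.
    active=$(sed -e 's/#.*//' -e 's/[[:space:]][[:space:]]*/ /g' \
                 -e 's/^ //' -e 's/ *; *$/;/' "$conf")
    # need <exact directive line> <description>
    need() {
        printf '%s\n' "$active" | grep -Fqx -- "$1" && return 0
        echo "MISSING: $2"
        rc=1
    }
    need "ssl_certificate $live/fullchain.pem;" "certificate chain for $domain"
    need "ssl_certificate_key $live/privkey.pem;" "private key for $domain"
    need "include /etc/letsencrypt/options-ssl-nginx.conf;" "Certbot TLS options include"
    # Answering yes to the redirect question adds a 'return 301 https://...' line.
    printf '%s\n' "$active" | grep -Eq '^return 30[18] https://' ||
        { echo "MISSING: HTTP to HTTPS redirect"; rc=1; }
    return "$rc"
}

# Constructed sample config (not from a real server), shaped like Certbot's output.
sample=$(mktemp)
cat > "$sample" <<'EOF'
server {
    listen 80;
    server_name taggedweb.com;
    return 301 https://$host$request_uri; # managed by Certbot
}
server {
    listen 443 ssl; # managed by Certbot
    server_name taggedweb.com;
    ssl_certificate /etc/letsencrypt/live/taggedweb.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/taggedweb.com/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
}
EOF
check_certbot_conf taggedweb.com "$sample" && echo "OK: $sample"
```

Run it against your own config file after Step 4, and follow a passing result with sudo nginx -t to confirm that Nginx itself accepts the file.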
Step 6: Visit your website with the https scheme
In this case we'd visit https://taggedweb.com and verify that your SSL certificate works.
Have a more complicated setup? No worries, we have your back
If you are using a more complicated setup, want to set up an SSL cert on a subdomain, or are running into issues where some of your users see your SSL certificate as invalid, then TaggedWeb offers consultations from domain experts to help you navigate through this problem. If you are using Nginx as the web server you can find a consultation here. If you are using Apache as the web server then you can book a consultation here. If you are unsure or have other issues such as fixing your certificate setup then you can reach out to us via Live Chat and a domain expert can help you navigate through and solve your issues.