SSL Configuration
Configure HTTPS for your Nginx websites using Let's Encrypt certificates.
Prerequisites
1. Domain Name
- Must point to your server's IP address
- DNS propagation completed
2. Nginx Server Block
- Server block already configured
- server_name matches your domain
Let's Encrypt SSL (Recommended)
- Debian/Ubuntu
- CentOS
Manual SSL Configuration
1. Generate Private Key
sudo openssl genrsa -out /etc/ssl/private/example.com.key 2048
2. Generate Certificate Signing Request
sudo openssl req -new -key /etc/ssl/private/example.com.key -out /etc/ssl/certs/example.com.csr
3. Generate Self-Signed Certificate (for testing)
sudo openssl x509 -req -days 365 -in /etc/ssl/certs/example.com.csr -signkey /etc/ssl/private/example.com.key -out /etc/ssl/certs/example.com.crt
4. Configure Server Block for SSL
- Debian/Ubuntu
sudo nano /etc/nginx/sites-available/example.com
# Redirect all plain-HTTP requests to HTTPS
server {
    listen 80;
    server_name example.com www.example.com;
    return 301 https://$server_name$request_uri;
}
# HTTPS site using the certificate and key generated above
server {
    listen 443 ssl;
    server_name example.com www.example.com;
    ssl_certificate /etc/ssl/certs/example.com.crt;
    ssl_certificate_key /etc/ssl/private/example.com.key;
    root /var/www/example.com;
    index index.html index.htm;
    location / {
        try_files $uri $uri/ =404;
    }
    error_log /var/log/nginx/example.com_error.log;
    access_log /var/log/nginx/example.com_access.log;
}
- CentOS
sudo nano /etc/nginx/conf.d/example.com.conf
# Redirect all plain-HTTP requests to HTTPS
server {
    listen 80;
    server_name example.com www.example.com;
    return 301 https://$server_name$request_uri;
}
# HTTPS site using the certificate and key generated above
server {
    listen 443 ssl;
    server_name example.com www.example.com;
    ssl_certificate /etc/ssl/certs/example.com.crt;
    ssl_certificate_key /etc/ssl/private/example.com.key;
    root /var/www/html/example.com;
    index index.html index.htm;
    location / {
        try_files $uri $uri/ =404;
    }
    error_log /var/log/nginx/example.com_error.log;
    access_log /var/log/nginx/example.com_access.log;
}
5. Enable Site and Test
- Debian/Ubuntu
sudo ln -s /etc/nginx/sites-available/example.com /etc/nginx/sites-enabled/
sudo nginx -t
sudo systemctl reload nginx
- CentOS
sudo nginx -t
sudo systemctl restart nginx
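Before nginx -t and the reload in step 5, it helps to confirm that the certificate and key from steps 1 to 3 belong together, that the key file is not readable by group or other users, and that the certificate is not close to expiry. The shell functions below are an added example, not part of the original page: the function names and the 30-day threshold are assumptions, and make_test_pair builds a constructed key and self-signed certificate in a scratch directory using the same openssl commands as above.

```bash
# Added example: checks for the files named by ssl_certificate and
# ssl_certificate_key. Function names and thresholds are assumptions.

# True when the certificate's public key equals the private key's public half.
cert_matches_key() {  # usage: cert_matches_key CERT KEY
    cmk_cert=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    cmk_key=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ "$cmk_cert" = "$cmk_key" ]
}

# True when the certificate is still valid DAYS from now (default 30).
cert_valid_for() {  # usage: cert_valid_for CERT [DAYS]
    openssl x509 -in "$1" -noout -checkend "$(( ${2:-30} * 86400 ))" >/dev/null 2>&1
}

# True when the key file grants no permissions to group or other.
key_is_private() {  # usage: key_is_private KEY
    case "$(ls -ld -- "$1" 2>/dev/null)" in
        ????------*) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed sample input: key + self-signed cert in DIR (no sudo, CN via -subj).
make_test_pair() {  # usage: make_test_pair DIR
    openssl genrsa -out "$1/example.com.key" 2048 2>/dev/null &&
    openssl req -new -key "$1/example.com.key" -subj "/CN=example.com" \
        -out "$1/example.com.csr" 2>/dev/null &&
    openssl x509 -req -days 365 -in "$1/example.com.csr" \
        -signkey "$1/example.com.key" -out "$1/example.com.crt" 2>/dev/null
}

# Run all three checks; stop at the first failure.
preflight() {  # usage: preflight CERT KEY
    cert_matches_key "$1" "$2" || { echo "FAIL: key does not match certificate"; return 1; }
    key_is_private "$2"        || { echo "FAIL: key readable by group/other"; return 1; }
    cert_valid_for "$1" 30     || { echo "FAIL: certificate expires within 30 days"; return 1; }
    echo "OK: safe to run nginx -t and reload"
}

# When invoked as: script.sh CERT KEY
if [ "$#" -eq 2 ]; then preflight "$1" "$2"; fi
```

Against the real files the key is only readable by root, so run the script with sudo and pass /etc/ssl/certs/example.com.crt and /etc/ssl/private/example.com.key as the two arguments.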
SSL Renewal
Let's Encrypt Auto-Renewal
# Test renewal
sudo certbot renew --dry-run
# Manual renewal
sudo certbot renew
Manual Certificate Renewal
# Re-issue the self-signed certificate from the existing CSR and key
sudo openssl x509 -req -days 365 -in /etc/ssl/certs/example.com.csr -signkey /etc/ssl/private/example.com.key -out /etc/ssl/certs/example.com.crt
# Reload Nginx
sudo systemctl reload nginx
Force HTTPS Redirect
- Debian/Ubuntu
sudo nano /etc/nginx/sites-available/example.com
server {
    listen 80;
    server_name example.com www.example.com;
    return 301 https://$server_name$request_uri;
}
- CentOS
sudo nano /etc/nginx/conf.d/example.com.conf
server {
    listen 80;
    server_name example.com www.example.com;
    return 301 https://$server_name$request_uri;
}
Quick Commands
| Task | Command |
|---|---|
| Check SSL status | sudo certbot certificates |
| Test renewal | sudo certbot renew --dry-run |
| Manual renewal | sudo certbot renew |
| Delete certificate | sudo certbot delete --cert-name example.com |
| Check Nginx SSL | sudo nginx -t |
Note: Let's Encrypt certificates expire after 90 days. Auto-renewal is essential.