
How to Set Up Nginx on Ubuntu with Let’s Encrypt SSL and Port Forwarding

Introduction

Setting up Nginx on Ubuntu (18+) with Let’s Encrypt SSL ensures that your website or application is secure and accessible over HTTPS, providing a safe browsing experience for your users. This process not only includes the installation of the Nginx web server but also entails configuring the server to handle SSL certificates issued by Let’s Encrypt, enabling automatic renewal of these certificates to maintain uninterrupted security. By following best practices for security and performance, you can optimize your server’s settings to ensure fast loading times and reliable uptime, which are crucial for retaining visitors and improving search engine rankings. Additionally, implementing SSL helps to build trust with your audience, as it demonstrates a commitment to protecting their data and enhancing their online safety.

In this guide, we will:

  • Install and configure Nginx.
  • Set up port forwarding for your Node.js application.
  • Obtain a free SSL certificate from Let’s Encrypt.
  • Ensure proper firewall and AWS security group settings.
  • Troubleshoot common issues.

Let’s get into it…


Step 1: Install Nginx

First, update your package list and install Nginx:

sudo apt update -y
sudo apt install nginx -y

After installation, check if Nginx is running:

sudo systemctl status nginx

If it is not running, start it with:

sudo systemctl start nginx

Enable auto-start on system boot:

sudo systemctl enable nginx


Step 2: Configure Firewall and Open Ports

Enable UFW (Uncomplicated Firewall) and allow the necessary ports. The ‘Nginx Full’ profile already covers 80 and 443, so the explicit rules for those two ports are redundant but harmless; only open the application ports (9000-9001 and 9443-9444 here) if clients must reach the app directly rather than through the Nginx reverse proxy:

sudo ufw allow 'Nginx Full'
sudo ufw allow 9000:9001/tcp
sudo ufw allow 9443:9444/tcp
sudo ufw allow 443/tcp
sudo ufw allow 80/tcp
sudo ufw enable

If you’re using AWS, ensure that your EC2 security group allows incoming traffic on the following ports:

  • TCP 80 (HTTP)
  • TCP 443 (HTTPS)
  • TCP 9000-9001
  • TCP 9443-9444

Btw, feel free to change these ports to anything else you need in your application.


Step 3: Install Certbot for Let’s Encrypt SSL

Let’s Encrypt provides free SSL certificates. To install Certbot, run:

sudo apt install certbot python3-certbot-nginx -y


Step 4: Configure Nginx for Reverse Proxy and SSL

Edit the default Nginx configuration file:

sudo vi /etc/nginx/sites-available/default

Replace its contents with the following, substituting your own domain for ‘yourdomain.com’. You can (also) get a certificate that is valid for all the subdomains under your domain. Note that the second server block references certificate files that Certbot only creates in Step 5; if nginx -t complains that it cannot load the certificate before you have run Certbot, see the Troubleshooting section at the end.

server {
    listen 80;
    server_name yourdomain.com;

    location / {
        proxy_pass http://localhost:3000; # or any other port that your app is using locally
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}

server {
    listen 443 ssl;
    server_name yourdomain.com;

    ssl_certificate /etc/letsencrypt/live/yourdomain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/yourdomain.com/privkey.pem;

    location / {
        proxy_pass http://localhost:3000;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
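The configuration above only works once the certificate files exist, which is why first-time setups hit the “cannot load certificate” error covered in the Troubleshooting section. The script below is an added example, not part of the original post: it renders the site file in two stages, always serving the HTTP-01 challenge path so renewals keep working, proxying plain HTTP to the app until the certificate exists, and then switching to an HTTPS redirect plus a TLS block with a restricted protocol list and HSTS. The domain, port, live directory and the ACME webroot /var/www/letsencrypt are assumed placeholders.

```shell
#!/bin/sh
# Added example (not from the original post): emit the Nginx site file in two
# stages. The HTTP block is always emitted and serves the ACME challenge path;
# the 443 block is emitted only once the Let's Encrypt files exist, so nginx -t
# never fails with "cannot load certificate" during first setup.
# Assumed inputs: DOMAIN, upstream PORT, the live dir /etc/letsencrypt/live/DOMAIN
# and an ACME webroot (default /var/www/letsencrypt); all are placeholders.
set -eu

# Print "tls" if both certificate files are present under $1, otherwise "http".
site_stage() {
  if [ -f "$1/fullchain.pem" ] && [ -f "$1/privkey.pem" ]; then
    echo tls
  else
    echo http
  fi
}

# The proxy location shared by both stages; $1 is the local app port.
proxy_location() {
  cat <<EOF
    location / {
        proxy_pass http://127.0.0.1:$1;
        proxy_set_header Host \$host;
        proxy_set_header X-Real-IP \$remote_addr;
        proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto \$scheme;
    }
EOF
}

# render_site DOMAIN PORT LIVE_DIR [WEBROOT]: full site config on stdout.
render_site() {
  domain=$1; port=$2; live_dir=$3; webroot=${4:-/var/www/letsencrypt}
  stage=$(site_stage "$live_dir")
  cat <<EOF
server {
    listen 80;
    server_name $domain;

    # Always answer HTTP-01 challenges here so renewals keep working.
    location /.well-known/acme-challenge/ {
        root $webroot;
    }
EOF
  if [ "$stage" = tls ]; then
    # Certificate present: everything else on port 80 goes to HTTPS.
    cat <<'EOF'

    location / {
        return 301 https://$host$request_uri;
    }
}
EOF
    cat <<EOF

server {
    listen 443 ssl;
    server_name $domain;

    ssl_certificate $live_dir/fullchain.pem;
    ssl_certificate_key $live_dir/privkey.pem;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers off;

    # HSTS: only add once you are sure HTTPS works for every host you serve.
    add_header Strict-Transport-Security "max-age=63072000" always;
    add_header X-Content-Type-Options nosniff always;

EOF
    proxy_location "$port"
    echo "}"
  else
    # No certificate yet: serve the app over plain HTTP until certbot has run.
    echo
    proxy_location "$port"
    echo "}"
  fi
}

# Usage: sh render-site.sh yourdomain.com 3000 | sudo tee /etc/nginx/sites-available/default
if [ $# -ge 2 ]; then
  render_site "$1" "$2" "/etc/letsencrypt/live/$1"
fi
```

Run it once before Certbot (it emits the HTTP-only stage), create the webroot with sudo mkdir -p /var/www/letsencrypt, obtain the certificate with sudo certbot certonly --webroot -w /var/www/letsencrypt -d yourdomain.com (or the --nginx command from Step 5), then run the script again to emit the TLS stage and apply it with sudo nginx -t && sudo systemctl reload nginx.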

Save and exit (in vi: press Esc, type :wq and press Enter; in nano: CTRL+X, then Y and Enter).


Step 5: Obtain a Let’s Encrypt SSL Certificate

Replace yourdomain.com with your actual domain and request an SSL certificate:

sudo certbot --nginx -d yourdomain.com

Follow the prompts to complete the process.
If successful, Certbot will automatically configure SSL for Nginx.


Step 6: Enable Automatic SSL Renewal

Let’s Encrypt certificates expire every 90 days.
To enable auto-renewal, use:

sudo systemctl enable certbot.timer

Test the renewal process:

sudo certbot renew --dry-run

Use less /var/log/letsencrypt/letsencrypt.log to see exactly what Certbot did and why a renewal failed; it takes much of the mystery out of the ‘letsencrypt black magic’.


Step 7: Restart Nginx and Verify Configuration

Test the Nginx configuration:

sudo nginx -t

If there are no errors, restart Nginx:

sudo systemctl restart nginx

Verify that the SSL certificate is correctly installed:

curl -I https://yourdomain.com

You should receive a 200 OK or 301 Moved Permanently response, depending on the port you are using.
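The curl check above only confirms that HTTPS answers. As an added example (not from the original post), the script below runs the checks a defender usually wants after this setup: plain HTTP redirects to HTTPS, the HTTPS response carries HSTS, and the certificate is not close to its 90-day expiry. The helper functions are pure so they can be tried on captured header text; the sample responses embedded in the script are constructed, not captured from a real server, and the date arithmetic is done in integer shell math so it does not depend on GNU date.

```shell
#!/bin/sh
# Added example (not from the original post): post-deploy checks for the HTTPS
# setup. Given a domain it fetches HTTP and HTTPS headers with curl and the
# certificate expiry with openssl, then checks: HTTP redirects to HTTPS, HTTPS
# sends HSTS, and the certificate is not about to expire.
set -eu

# Constructed sample responses (not captured from a real server) for trying the helpers.
SAMPLE_HTTP='HTTP/1.1 301 Moved Permanently
Server: nginx
Location: https://example.test/'
SAMPLE_HTTPS='HTTP/2 200
server: nginx
strict-transport-security: max-age=63072000'

# True when a captured HTTP response is a 301/308 to an https:// location.
redirects_to_https() {
  printf '%s\n' "$1" | grep -qiE '^HTTP/[0-9.]+ (301|308)' &&
  printf '%s\n' "$1" | grep -qiE '^location: *https://'
}

# True when the response carries a Strict-Transport-Security header.
has_hsts() {
  printf '%s\n' "$1" | grep -qi '^strict-transport-security:'
}

# Days since 1970-01-01 for a civil date (year month day); leading zeros are
# stripped so "03" does not get read as octal.
days_from_civil() {
  y=$1; m=${2#0}; d=${3#0}
  if [ "$m" -le 2 ]; then y=$((y - 1)); fi
  era=$((y / 400)); yoe=$((y - era * 400)); mp=$(((m + 9) % 12))
  doy=$(((153 * mp + 2) / 5 + d - 1))
  doe=$((yoe * 365 + yoe / 4 - yoe / 100 + doy))
  echo $((era * 146097 + doe - 719468))
}

# Convert openssl's "notAfter=Dec 31 23:59:59 2030 GMT" into days since epoch.
not_after_days() {
  set -- ${1#notAfter=}          # -> Mon DD HH:MM:SS YYYY GMT
  case $1 in
    Jan) m=1;; Feb) m=2;; Mar) m=3;; Apr) m=4;; May) m=5;; Jun) m=6;;
    Jul) m=7;; Aug) m=8;; Sep) m=9;; Oct) m=10;; Nov) m=11;; Dec) m=12;;
    *) echo "unknown month: $1" >&2; return 1;;
  esac
  days_from_civil "$4" "$m" "$2"
}

# Days left until the given notAfter line expires (negative if already expired).
cert_days_left() {
  today=$(days_from_civil $(date -u '+%Y %m %d'))
  echo $(( $(not_after_days "$1") - today ))
}

# Usage: sh check-https.sh yourdomain.com
if [ $# -ge 1 ]; then
  domain=$1
  http_hdr=$(curl -sI "http://$domain/")
  https_hdr=$(curl -sI "https://$domain/")
  not_after=$(openssl s_client -connect "$domain:443" -servername "$domain" </dev/null 2>/dev/null |
              openssl x509 -noout -enddate)
  redirects_to_https "$http_hdr" && echo "ok: http redirects to https" || echo "WARN: no redirect to https"
  has_hsts "$https_hdr" && echo "ok: HSTS present" || echo "WARN: no HSTS header"
  left=$(cert_days_left "$not_after")
  # Certbot renews at 30 days left; anything under 14 means renewal is broken.
  [ "$left" -gt 14 ] && echo "ok: certificate valid for $left more days" || echo "WARN: certificate expires in $left days"
fi
```

A WARN on the expiry line is the signal that certbot.timer or the renewal hook is not working; check it against sudo certbot renew --dry-run and the log mentioned in Step 6 before the certificate actually lapses.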


Troubleshooting: SSL Certificate Not Found

If you get an error like:

nginx: [emerg] cannot load certificate "/etc/letsencrypt/live/your_domain/fullchain.pem": No such file or directory

Try the following:

  1. Check if the certificate exists:
     sudo ls -l /etc/letsencrypt/live/
     If your domain is missing, reissue the certificate.
  2. Reissue the certificate:
     sudo certbot --nginx -d yourdomain.com
  3. Ensure you are using a domain, not an IP:
     Let’s Encrypt does not issue certificates for IP addresses.
     If using an IP (only in pure dev mode!), you need a self-signed certificate:
     sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
       -keyout /etc/ssl/private/nginx-selfsigned.key \
       -out /etc/ssl/certs/nginx-selfsigned.crt \
       -subj "/CN=your_public_ip"
  4. Update Nginx to use the self-signed certificate:
     ssl_certificate /etc/ssl/certs/nginx-selfsigned.crt;
     ssl_certificate_key /etc/ssl/private/nginx-selfsigned.key;
  5. Restart Nginx:
     sudo systemctl restart nginx

Conclusion

You have successfully set up Nginx on Ubuntu with:

✅ Reverse proxy for a Node.js application
✅ Let’s Encrypt SSL encryption
✅ Port forwarding
✅ Auto-renewal for SSL certificates
✅ Firewall & AWS security group configurations

This setup ensures a secure and efficient deployment.
Be strong.


Discover more from Ido Green
