Web Server Intermediate

Nginx SSL/TLS Auto Setup

Installs free SSL/TLS certificate with Let's Encrypt on Nginx web server and configures automatic renewal.

Published: February 15, 2024 Updated: December 05, 2024

Detailed Information

This script installs a free SSL/TLS certificate with Let's Encrypt on your Nginx web server and configures automatic renewal. HTTPS is mandatory for modern websites and is critical for SEO, security, and user trust.

What Does This Script Do?

This script fully automates the SSL/TLS certificate installation process:

  • Installs Certbot tool (if not present)
  • Creates Nginx configuration
  • Obtains free SSL certificate from Let's Encrypt
  • Configures HTTPS redirect
  • Sets up automatic certificate renewal

Why Should You Use It?

HTTPS is mandatory for the modern web because:

  • Security: Provides data encryption
  • SEO: Google prefers HTTPS
  • Trust: Users see secure connection
  • Performance: HTTP/2 support
  • Requirement: Modern browsers warn about HTTP

Let's Encrypt Advantages

  • Completely free
  • Automatic renewal
  • Trusted and widely used
  • 90-day certificate validity (auto-renewed)

How to Use

Step-by-Step Usage Guide

1. Prerequisites

Before running the script:

  • Make sure your domain name points to the server's IP address
  • Make sure ports 80 and 443 are open
  • Nginx must be installed

2. DNS Check

# Check if domain points to IP
nslookup yourdomain.com
dig yourdomain.com

# A record should be correct
# A     yourdomain.com    192.168.1.100

3. Run Script

sudo ./nginx_ssl_setup.sh

The script will ask for the domain name and an email address.

4. Verification

After the script runs:

# Check SSL certificate
certbot certificates

# Test Nginx configuration
nginx -t

# Test certificate renewal
certbot renew --dry-run

Automatic Renewal

Let's Encrypt certificates are valid for 90 days and are renewed automatically before they expire. A cron job or systemd timer should be installed on the system:

# Check the systemd timer
systemctl status certbot.timer

# Manual renewal
sudo certbot renew
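
To catch a renewal that is silently failing, the following added example (not part of the original script) parses `certbot certificates` output and reports certificates that have fewer days left than a threshold or that Certbot marks INVALID. The function name `stale_certs`, the 20-day default and the trimmed sample output are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: report certificates whose automatic renewal looks broken.
# Reads `certbot certificates` output on stdin. Certbot normally renews once
# fewer than 30 days remain, so a certificate below the threshold (assumed
# default: 20 days) has already missed renewal attempts.

stale_certs() {
    awk -v min="${1:-20}" '
        /Certificate Name:/ { name = $3 }
        /Expiry Date:/ {
            if ($0 ~ /INVALID/) {
                # Expired (or otherwise unusable) certificate
                print name ": INVALID"
            } else if ($0 ~ /VALID: [0-9]+ hour/) {
                # Certbot switches to hours when less than a day remains
                print name ": less than 1 day left"
            } else if (match($0, /VALID: [0-9]+ day/)) {
                # "VALID: " is 7 characters, " day" is 4
                days = substr($0, RSTART + 7, RLENGTH - 11) + 0
                if (days < min) print name ": " days " days left"
            }
        }'
}

# Constructed sample output, trimmed to the fields the parser uses.
SAMPLE_OUTPUT='Found the following certs:
  Certificate Name: example.com
    Domains: example.com www.example.com
    Expiry Date: 2025-03-01 10:00:00+00:00 (VALID: 62 days)
  Certificate Name: api.example.com
    Domains: api.example.com
    Expiry Date: 2025-01-10 10:00:00+00:00 (VALID: 12 days)
  Certificate Name: old.example.com
    Domains: old.example.com
    Expiry Date: 2024-11-02 10:00:00+00:00 (INVALID: EXPIRED)'

printf '%s\n' "$SAMPLE_OUTPUT" | stale_certs 20

# On a real host (as root): certbot certificates 2>/dev/null | stale_certs
```

Any line of output means a certificate needs attention, so the function fits a daily cron job or monitoring check that alerts on non-empty output.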

Requirements

  • Root Privileges: Script must be run as root
  • Nginx: Web server must be installed
  • Domain Name: Valid domain name and DNS record
  • Open Ports: Ports 80 (HTTP) and 443 (HTTPS) must be open
  • Python 3: Required for Certbot
  • Internet Connection: Access to Let's Encrypt

DNS Configuration

Your domain name must point to your server's IP address:

# DNS record example
A     yourdomain.com    192.168.1.100
A     www.yourdomain.com    192.168.1.100
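
Because the script requests one certificate covering both the domain and its www name, both names must resolve to this server before Certbot runs. The added example below (not part of the original script) checks `dig +short` output for that; the function names `a_records_match` and `preflight_dns` and the sample addresses are constructed for illustration.

```shell
#!/bin/sh
# Added example: pre-flight DNS check to run before requesting a certificate.

# Reads `dig +short A <name>` output on stdin. Succeeds only if at least one
# address is returned and every address equals the expected server IP ($1).
# AAAA (IPv6) records are not checked here.
a_records_match() {
    awk -v ip="$1" '
        /\.$/       { next }                       # CNAME targets end with a dot
        /^[0-9.]+$/ { n++; if ($0 != ip) bad++ }   # count A records, note mismatches
        END         { exit ((n > 0 && bad == 0) ? 0 : 1) }'
}

# Checks both names the setup script passes to Certbot.
# Usage on a real host: preflight_dns yourdomain.com <server public IP>
preflight_dns() {
    for name in "$1" "www.$1"; do
        if ! dig +short A "$name" | a_records_match "$2"; then
            echo "DNS not ready: $name does not resolve only to $2" >&2
            return 1
        fi
    done
}

# Constructed sample: a CNAME followed by the final A record.
SAMPLE_DIG='lb.example.net.
203.0.113.10'

if printf '%s\n' "$SAMPLE_DIG" | a_records_match 203.0.113.10; then
    echo "DNS ready"
fi
```

Running this check first avoids a failed validation, since a missing www record or a stray second A record fails the request as a whole.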

Port Check

# Open ports 80 and 443 in ufw
sudo ufw allow 80/tcp
sudo ufw allow 443/tcp

# Or check the existing firewall rules
sudo iptables -L -n | grep -E "80|443"

Use Cases

1. New Website Setup

When setting up a new website, you can use this script to quickly install an SSL certificate.

2. HTTP to HTTPS Migration

You can use it to migrate your existing HTTP sites to HTTPS. The script configures an automatic redirect.

3. Multi-Domain Management

If you need to install SSL certificates for multiple domains, you can run the script for each domain.

4. Test Environments

You can also use it to install SSL certificates in test environments. Let's Encrypt also works for test environments.

5. Wildcard Certificates

You can edit the script to use it for wildcard certificates (*.domain.com) as well.

Examples

Usage Examples

Example 1: Basic Usage

# Run script
sudo ./nginx_ssl_setup.sh

# Enter domain and email
Enter your domain name: example.com
Enter your email: you@example.com

# Script automatically:
# - Installs Certbot
# - Creates Nginx configuration
# - Obtains SSL certificate
# - Configures HTTPS redirect

Example 2: Wildcard Certificate

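# Edit the script to obtain a wildcard certificate.
# Wildcards require the DNS-01 challenge; this form needs the
# certbot-dns-cloudflare plugin and a Cloudflare API credentials file.
certbot certonly --dns-cloudflare \
    -d "*.example.com" \
    -d "example.com"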

Example 3: Multiple Domains

# Certificate for multiple domains
certbot --nginx \
    -d example.com \
    -d www.example.com \
    -d api.example.com \
    -d admin.example.com

Code

#!/bin/bash

# Nginx SSL/TLS Auto Setup with Let's Encrypt

if [ "$EUID" -ne 0 ]; then 
    echo "Please run as root"
    exit 1
fi

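read -r -p "Enter your domain name: " DOMAIN
read -r -p "Enter your email: " EMAIL

# DOMAIN ends up in a file path and in the Nginx config, both written as root,
# so accept only a plain hostname (no slashes, spaces, quotes or semicolons).
DOMAIN="${DOMAIN,,}"
DOMAIN_RE='^([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]([a-z0-9-]{0,61}[a-z0-9])$'
if ! [[ "$DOMAIN" =~ $DOMAIN_RE ]]; then
    echo "Invalid domain name: $DOMAIN"
    exit 1
fi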

echo ""
echo "Setting up SSL for $DOMAIN"
echo ""

if ! command -v certbot &> /dev/null; then
    echo "Installing certbot..."
    apt-get update
    apt-get install -y certbot python3-certbot-nginx
fi

if ! systemctl is-active --quiet nginx; then
    echo "Starting nginx..."
    systemctl start nginx
fi

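# Note: this overwrites any existing config file for the domain, and the
# proxy_pass target below (localhost:3000) must match your application.
NGINX_CONF="/etc/nginx/sites-available/$DOMAIN"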

cat > "$NGINX_CONF" <<EOF
server {
    listen 80;
    listen [::]:80;
    server_name $DOMAIN www.$DOMAIN;
    
    location / {
        proxy_pass http://localhost:3000;
        proxy_http_version 1.1;
        proxy_set_header Upgrade \$http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host \$host;
        proxy_cache_bypass \$http_upgrade;
        proxy_set_header X-Real-IP \$remote_addr;
        proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto \$scheme;
    }
}
EOF

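ln -sf "$NGINX_CONF" /etc/nginx/sites-enabled/

# Stop here if the generated configuration is invalid, before Certbot edits it
if ! nginx -t; then
    echo "✗ Nginx configuration test failed"
    exit 1
fi
systemctl reload nginx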

echo "✓ Nginx configuration created"
echo ""

echo "Obtaining SSL certificate..."
if certbot --nginx -d "$DOMAIN" -d "www.$DOMAIN" --non-interactive --agree-tos --email "$EMAIL" --redirect; then
    echo "✓ SSL certificate installed successfully"
    echo ""

    echo "Testing automatic renewal..."
    if certbot renew --dry-run; then
        echo "✓ Automatic renewal is configured"
    else
        echo "⚠️  Warning: Automatic renewal test failed"
    fi
else
    echo "✗ Failed to obtain SSL certificate"
    exit 1
fi

echo ""
echo "======================================"
echo "SSL Setup Complete!"
echo "======================================"
echo "Your site is now available at:"
echo "https://$DOMAIN"
echo ""
echo "Certificate will auto-renew before expiration"
echo "You can manually renew with: certbot renew"

Usage

# Run as root
sudo chmod +x nginx_ssl_setup.sh
sudo ./nginx_ssl_setup.sh

# Enter your domain and email
# Script will automatically set up SSL

Troubleshooting

Problem: "Failed to obtain certificate"

Solution: Check DNS records. Domain must point to server IP:

# DNS check
nslookup yourdomain.com
dig yourdomain.com +short

Problem: "Port 80 is already in use"

Solution: Find and stop the service using port 80:

# The trailing space keeps :8080 and similar ports out of the match
sudo netstat -tulpn | grep ':80 '
sudo systemctl stop apache2  # If using Apache

Problem: "Nginx configuration test failed"

Solution: Check Nginx configuration:

nginx -t
# Fix errors and try again

Problem: Certificate Not Renewing

Solution: Check Certbot timer:

systemctl status certbot.timer
systemctl enable certbot.timer
systemctl start certbot.timer
