Install Let’s Encrypt for Nginx on Ubuntu 18

This is just a quick note to Install Let’s Encrypt for Nginx on Ubuntu 18. Since there is a new way to automatically renew LE certs on Ubuntu 18, I quick document steps for the reference purpose.

  1. Install Let’s encrypt for Nginx: apt install -y python-certbot-nginx
  2. Issue necessary certs for your domain with LE (remember that you need to have Nginx server blocks for these domains first) : certbot --nginx -d YOUR_DOMAIN1.COM -d YOUR_DOMAIN2.COM
  3. We can check if we currently have certbot in the system timers for automatically renewal: systemctl list-timers
  4. In order to restart nginx when certs are renewed, we can simply add renewal-hook to the /etc/letsencrypt/cli.ini file as follows: renew-hook = systemctl reload nginx
    • Note 1: you can of course use certbot renew --pre-hook "service nginx stop" --post-hook "service nginx start" for your scheduled tasks / cronjobs.
    • Note 2: you can also create a bash file at /etc/letsencrypt/renewal-hooks/deploy/ to implement renewal hooks, just remember to allow it to be executable.
  5. Done 🙂

Bonus: Password protected folder

  • Install apache2-utils so that we can use the htpasswd command: apt install apache2-utils
  • Create password with htpasswd: htpasswd -c /home/MYDOMAIN/.htpasswd USERNAME
  • Add a new block to nginx configuration to protect your private folder:
    location /YOUR_FOLDER {
            autoindex on;
            auth_basic "Restricted";
            auth_basic_user_file /home/MYDOMAIN/.htpasswd;
  • Restart nginx: systemctl restart nginx

Bonus: Install Fail2Ban and use w/ SSH

  • Install it: apt-get install -y fail2ban
  • Configure a new jail at /etc/fail2ban/jail.local:
enabled = true
port = 899
filter = sshd
logpath = /var/log/auth.log
maxretry = 3
  • Restart it: systemctl restart fail2ban

  • About NhocConan

    A super lazy guy who tries to write tech blog entries in English.He is lazy, so he can only write when he is in a good mood or when he is tired of coding.

    Leave a comment

    Your email address will not be published. Required fields are marked *