Install Nginx with SSL Certificate (Certbot)

This guide will teach you how to install Nginx, configure a website, and obtain a free SSL certificate with Certbot to secure your site with HTTPS.

📋 Prerequisites

A VPS server with root or sudo access
A domain name pointing to your server's IP (example: mysite.com)
Ports 80 (HTTP) and 443 (HTTPS) open in your firewall

Note: If you don't have a domain yet, you can test with the IP, but Certbot requires a domain for SSL certificates.

💡 Infrastructure Recommendation

Nginx and Certbot work perfectly on our NVMe VPS which offer exceptional disk performance for serving your websites quickly. NVMe drives ensure optimal response times for your visitors.

🚀 Step 1: Install Nginx

Update packages


Bash
sudo apt update

Install Nginx


Bash
sudo apt install nginx -y

Verify installation


Bash
1# Check that Nginx is installed
2nginx -v
3
4# Check that Nginx is running
5sudo systemctl status nginx

If everything is correct, you should see active (running).

Allow Nginx in firewall (UFW)


Bash
1# Allow HTTP (port 80)
2sudo ufw allow 'Nginx HTTP'
3
4# Allow HTTPS (port 443)
5sudo ufw allow 'Nginx HTTPS'
6
7# Check rules
8sudo ufw status

Test Nginx

Open your browser and go to:

http://your-server-ip or
http://your-domain.com

You should see the default Nginx page confirming that the installation works!

📝 Step 2: Configure your website

Create directory for your site


Bash
1# Create directory (replace mysite.com with your domain)
2sudo mkdir -p /var/www/mysite.com
3
4# Set permissions
5sudo chown -R $USER:$USER /var/www/mysite.com
6sudo chmod -R 755 /var/www/mysite.com

Create a simple HTML page


Bash
# Create index page
nano /var/www/mysite.com/index.html

Add this simple content:


HTML
1<!DOCTYPE html>
2<html lang="en">
3<head>
4    <meta charset="UTF-8">
5    <meta name="viewport" content="width=device-width, initial-scale=1.0">
6    <title>My Website</title>
7</head>
8<body>
9    <h1>Welcome to my website!</h1>
10    <p>Your website is working correctly with Nginx.</p>
11</body>
12</html>

Save with Ctrl + X, then Y, then Enter.

Create Nginx configuration


Bash
# Create configuration file
sudo nano /etc/nginx/sites-available/mysite.com

Add this configuration:


Nginx
1server {
2    listen 80;
3    listen [::]:80;
4    
5    server_name mysite.com www.mysite.com;
6    
7    root /var/www/mysite.com;
8    index index.html;
9    
10    location / {
11        try_files $uri $uri/ =404;
12    }
13}

Important: Replace mysite.com with your actual domain name in all occurrences.

Save the file.

Enable the site


Bash
1# Create symbolic link to enable the site
2sudo ln -s /etc/nginx/sites-available/mysite.com /etc/nginx/sites-enabled/
3
4# Test Nginx configuration
5sudo nginx -t

If you see syntax is ok and test is successful, you're good!

Remove default site (optional)


Bash
1# Remove default site
2sudo rm /etc/nginx/sites-enabled/default
3
4# Reload Nginx
5sudo systemctl reload nginx

Test your site

Open your browser and go to http://your-domain.com. You should see your HTML page!

🔒 Step 3: Install Certbot and obtain SSL certificate

Certbot is a tool that automatically obtains free SSL certificates from Let's Encrypt.

Install Certbot


Bash
# Install Certbot and Nginx plugin
sudo apt install certbot python3-certbot-nginx -y

Obtain SSL certificate


Bash
# Obtain SSL certificate for your domain
sudo certbot --nginx -d mysite.com -d www.mysite.com

Important: Replace mysite.com with your actual domain.

Certbot will ask you a few questions:

Email: Enter your email address (for renewal notifications)
Terms of service: Accept with A (Agree)
Share email: Choose Y (Yes) or N (No) as you prefer
Redirect HTTP to HTTPS: Choose 2 (Automatic redirect recommended)

Verify certificate


Bash
# Check that certificate was created
sudo certbot certificates

You should see your certificate listed with expiration dates.

Test your HTTPS site

Open your browser and go to https://your-domain.com.

You should see:

A green padlock 🔒 in the address bar
Your site loaded over HTTPS (secure)

Congratulations! Your site is now secured with SSL!

🔄 Step 4: Automatic certificate renewal

Let's Encrypt certificates expire after 90 days. Certbot can renew them automatically.

Test automatic renewal


Bash
# Test automatic renewal
sudo certbot renew --dry-run

If you see The dry run was successful, automatic renewal is working!

Check renewal service

Certbot automatically creates a systemd timer to renew certificates. Check it:


Bash
1# Check timer
2sudo systemctl status certbot.timer
3
4# If timer is not active, enable it
5sudo systemctl enable certbot.timer
6sudo systemctl start certbot.timer

The certificate will be automatically renewed before expiration.

📁 File structure

Here's where important files are located:

/var/www/mysite.com/          # Your website files
/etc/nginx/                   # Nginx configuration
/etc/nginx/sites-available/   # Available sites
/etc/nginx/sites-enabled/     # Active sites
/etc/letsencrypt/             # SSL certificates

✅ Final verification

Verify Nginx is working


Bash
1# Service status
2sudo systemctl status nginx
3
4# Test configuration
5sudo nginx -t

Verify SSL is working


Bash
1# View certificates
2sudo certbot certificates
3
4# Check expiration date
5sudo certbot certificates | grep "Expiry"

Test your site

Go to https://your-domain.com
Check the green padlock in the browser
Click the padlock to see certificate details

🛠️ Useful commands

Nginx management


Bash
1# Start Nginx
2sudo systemctl start nginx
3
4# Stop Nginx
5sudo systemctl stop nginx
6
7# Restart Nginx
8sudo systemctl restart nginx
9
10# Reload Nginx (without interruption)
11sudo systemctl reload nginx
12
13# Test configuration
14sudo nginx -t

SSL certificate management


Bash
1# Manually renew all certificates
2sudo certbot renew
3
4# Renew a specific certificate
5sudo certbot renew --cert-name mysite.com
6
7# View all certificates
8sudo certbot certificates
9
10# Delete a certificate
11sudo certbot delete --cert-name mysite.com

View logs


Bash
1# Nginx logs
2sudo tail -f /var/log/nginx/error.log
3sudo tail -f /var/log/nginx/access.log
4
5# Certbot logs
6sudo tail -f /var/log/letsencrypt/letsencrypt.log

🆘 Troubleshooting

Nginx won't start


Bash
1# Check configuration errors
2sudo nginx -t
3
4# View error logs
5sudo journalctl -u nginx -n 50

SSL certificate won't install

Problem: Certbot can't verify your domain.

Solutions:

Verify your domain points to the server's IP:
```
Bash
dig mysite.com
```
Verify ports 80 and 443 are open:
```
Bash
sudo ufw status
```
Verify Nginx is listening on port 80:
```
Bash
sudo netstat -tlnp | grep nginx
```
Make sure your Nginx configuration uses the correct server_name

Site won't load over HTTPS

Verify certificate exists:
```
Bash
sudo certbot certificates
```

Check Nginx configuration:


Bash
sudo nginx -t
sudo cat /etc/nginx/sites-enabled/mysite.com

Make sure firewall allows port 443:
```
Bash
sudo ufw allow 443/tcp
```

502 Bad Gateway error

This error means Nginx can't communicate with your application.


Bash
1# Check Nginx logs
2sudo tail -f /var/log/nginx/error.log
3
4# Verify your application is running
5sudo systemctl status your-application

📚 Additional resources

❓ Frequently asked questions

Q: Do I need to pay for an SSL certificate?
A: No! Certbot uses Let's Encrypt which offers free SSL certificates.

Q: Does my certificate expire?
A: Yes, after 90 days, but Certbot renews it automatically.

Q: Can I have multiple sites on the same server?
A: Yes! Create a configuration file for each site in /etc/nginx/sites-available/.

Q: How do I add a subdomain?
A: Create a new Nginx configuration and obtain a certificate with sudo certbot --nginx -d subdomain.mysite.com.

Q: What if I forgot to renew my certificate?
A: Certbot renews it automatically. You can also run sudo certbot renew manually.

Your website is now secured with HTTPS! 🚀🔒