🌐 Install Nginx with SSL Certificate (Certbot)

Complete guide to install Nginx and configure a free SSL certificate with Certbot to set up your own secure website.

This guide will teach you how to install Nginx, configure a website, and obtain a free SSL certificate with Certbot to secure your site with HTTPS.

📋 Prerequisites

  • A VPS server with root or sudo access
  • A domain name pointing to your server's IP (example: mysite.com)
  • Ports 80 (HTTP) and 443 (HTTPS) open in your firewall

💡 Infrastructure Recommendation

Nginx and Certbot work perfectly on our NVMe VPS which offer exceptional disk performance for serving your websites quickly. NVMe drives ensure optimal response times for your visitors.

🚀 Step 1: Install Nginx

Update packages

sudo apt update

Install Nginx

sudo apt install nginx -y

Verify installation

# Check that Nginx is installed
nginx -v

# Check that Nginx is running
sudo systemctl status nginx

If everything is correct, you should see active (running).

Allow Nginx in firewall (UFW)

# Allow HTTP (port 80)
sudo ufw allow 'Nginx HTTP'

# Allow HTTPS (port 443)
sudo ufw allow 'Nginx HTTPS'

# Check rules
sudo ufw status

Test Nginx

Open your browser and go to:

  • http://your-server-ip or
  • http://your-domain.com

You should see the default Nginx page confirming that the installation works!

📝 Step 2: Configure your website

Create directory for your site

# Create directory (replace mysite.com with your domain)
sudo mkdir -p /var/www/mysite.com

# Set permissions
sudo chown -R $USER:$USER /var/www/mysite.com
sudo chmod -R 755 /var/www/mysite.com

Create a simple HTML page

# Create index page
nano /var/www/mysite.com/index.html

Add this simple content:

<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <title>My Website</title>
</head>
<body>
    <h1>Welcome to my website!</h1>
    <p>Your website is working correctly with Nginx.</p>
</body>
</html>

Save with Ctrl + X, then Y, then Enter.

Create Nginx configuration

# Create configuration file
sudo nano /etc/nginx/sites-available/mysite.com

Add this configuration:

server {
    listen 80;
    listen [::]:80;

    server_name mysite.com www.mysite.com;

    root /var/www/mysite.com;
    index index.html;

    location / {
        try_files $uri $uri/ =404;
    }
}

Important: Replace mysite.com with your actual domain name in all occurrences.

Save the file.

Enable the site

# Create symbolic link to enable the site
sudo ln -s /etc/nginx/sites-available/mysite.com /etc/nginx/sites-enabled/

# Test Nginx configuration
sudo nginx -t

If you see syntax is ok and test is successful, you're good!

Remove default site (optional)

# Remove default site
sudo rm /etc/nginx/sites-enabled/default

# Reload Nginx
sudo systemctl reload nginx

Test your site

Open your browser and go to http://your-domain.com. You should see your HTML page!

🔒 Step 3: Install Certbot and obtain SSL certificate

Certbot is a tool that automatically obtains free SSL certificates from Let's Encrypt.

Install Certbot

# Install Certbot and Nginx plugin
sudo apt install certbot python3-certbot-nginx -y

Obtain SSL certificate

# Obtain SSL certificate for your domain
sudo certbot --nginx -d mysite.com -d www.mysite.com

Important: Replace mysite.com with your actual domain.

Certbot will ask you a few questions:

  1. Email: Enter your email address (for renewal notifications)
  2. Terms of service: Accept with A (Agree)
  3. Share email: Choose Y (Yes) or N (No) as you prefer
  4. Redirect HTTP to HTTPS: Choose 2 (Automatic redirect recommended)

Verify certificate

# Check that certificate was created
sudo certbot certificates

You should see your certificate listed with expiration dates.

Test your HTTPS site

Open your browser and go to https://your-domain.com.

You should see:

  • A green padlock 🔒 in the address bar
  • Your site loaded over HTTPS (secure)

Congratulations! Your site is now secured with SSL!

🔄 Step 4: Automatic certificate renewal

Let's Encrypt certificates expire after 90 days. Certbot can renew them automatically.

Test automatic renewal

# Test automatic renewal
sudo certbot renew --dry-run

If you see The dry run was successful, automatic renewal is working!

Check renewal service

Certbot automatically creates a systemd timer to renew certificates. Check it:

# Check timer
sudo systemctl status certbot.timer

# If timer is not active, enable it
sudo systemctl enable certbot.timer
sudo systemctl start certbot.timer

The certificate will be automatically renewed before expiration.

📁 File structure

Here's where important files are located:

/var/www/mysite.com/          # Your website files
/etc/nginx/                   # Nginx configuration
/etc/nginx/sites-available/   # Available sites
/etc/nginx/sites-enabled/     # Active sites
/etc/letsencrypt/             # SSL certificates

✅ Final verification

Verify Nginx is working

# Service status
sudo systemctl status nginx

# Test configuration
sudo nginx -t

Verify SSL is working

# View certificates
sudo certbot certificates

# Check expiration date
sudo certbot certificates | grep "Expiry"

Test your site

  • Go to https://your-domain.com
  • Check the green padlock in the browser
  • Click the padlock to see certificate details

🛠️ Useful commands

Nginx management

# Start Nginx
sudo systemctl start nginx

# Stop Nginx
sudo systemctl stop nginx

# Restart Nginx
sudo systemctl restart nginx

# Reload Nginx (without interruption)
sudo systemctl reload nginx

# Test configuration
sudo nginx -t

SSL certificate management

# Manually renew all certificates
sudo certbot renew

# Renew a specific certificate
sudo certbot renew --cert-name mysite.com

# View all certificates
sudo certbot certificates

# Delete a certificate
sudo certbot delete --cert-name mysite.com

View logs

# Nginx logs
sudo tail -f /var/log/nginx/error.log
sudo tail -f /var/log/nginx/access.log

# Certbot logs
sudo tail -f /var/log/letsencrypt/letsencrypt.log

🆘 Troubleshooting

Nginx won't start

# Check configuration errors
sudo nginx -t

# View error logs
sudo journalctl -u nginx -n 50

SSL certificate won't install

Problem: Certbot can't verify your domain.

Solutions:

  1. Verify your domain points to the server's IP:

    dig mysite.com
  2. Verify ports 80 and 443 are open:

    sudo ufw status
  3. Verify Nginx is listening on port 80:

    sudo netstat -tlnp | grep nginx
  4. Make sure your Nginx configuration uses the correct server_name

Site won't load over HTTPS

  1. Verify certificate exists:

    sudo certbot certificates
  2. Check Nginx configuration:

    sudo nginx -t
    sudo cat /etc/nginx/sites-enabled/mysite.com
  3. Make sure firewall allows port 443:

    sudo ufw allow 443/tcp

502 Bad Gateway error

This error means Nginx can't communicate with your application.

# Check Nginx logs
sudo tail -f /var/log/nginx/error.log

# Verify your application is running
sudo systemctl status your-application

❓ Frequently asked questions

Q: Do I need to pay for an SSL certificate?
A: No! Certbot uses Let's Encrypt which offers free SSL certificates.

Q: Does my certificate expire?
A: Yes, after 90 days, but Certbot renews it automatically.

Q: Can I have multiple sites on the same server?
A: Yes! Create a configuration file for each site in /etc/nginx/sites-available/.

Q: How do I add a subdomain?
A: Create a new Nginx configuration and obtain a certificate with sudo certbot --nginx -d subdomain.mysite.com.

Q: What if I forgot to renew my certificate?
A: Certbot renews it automatically. You can also run sudo certbot renew manually.


Your website is now secured with HTTPS! 🚀🔒