1 Overview

We use NGINX to set up SSL for our domains and the ports they are served on. Terminating SSL in NGINX is faster to set up than configuring it inside each application.

It also makes renewing the certificate files easy.

For how to install NGINX, see the earlier post:

https://pntit.net/using-nginx-in-ubuntu/

2 How Let’s Encrypt Works

Before issuing a certificate, Let’s Encrypt validates ownership of your domain. The Let’s Encrypt client, running on your host, creates a temporary file (a token) with the required information in it. The Let’s Encrypt validation server then makes an HTTP request to retrieve the file and validates the token, which verifies that the DNS record for your domain resolves to the server running the Let’s Encrypt client.
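As an added example (not part of the original post), this is the HTTP-01 challenge described above as specified in the ACME protocol (RFC 8555): the client publishes "token.thumbprint" at /.well-known/acme-challenge/<token>, and the validation server fetches it over plain HTTP and compares it against the account key. The JWK and token below are constructed sample values, not a real account key.

```python
import base64
import hashlib
import json
import re

WELL_KNOWN = "/.well-known/acme-challenge/"
# ACME tokens are unpadded base64url and carry at least 128 bits of entropy.
TOKEN_RE = re.compile(r"^[A-Za-z0-9_-]{22,}$")


def b64url(data: bytes) -> str:
    """base64url without '=' padding, as used throughout ACME."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the required members only, keys sorted
    lexicographically, no whitespace, then base64url. Optional members are ignored."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """The exact content the ACME client writes into the challenge file (RFC 8555, 8.1)."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"


def challenge_path(token: str) -> str:
    """URL path the validation server fetches over plain HTTP on port 80."""
    if not TOKEN_RE.fullmatch(token):
        raise ValueError("token is not unpadded base64url or is too short")
    return WELL_KNOWN + token


def validate_response(token: str, account_jwk: dict, body: bytes) -> bool:
    """Validation-server side: the body must equal the key authorization; only
    trailing whitespace is tolerated (RFC 8555, 8.3)."""
    expected = key_authorization(token, account_jwk).encode("ascii")
    return body.rstrip(b" \t\r\n") == expected


# Constructed sample data: a fake RSA account key (not a real key) and a 32-byte token.
SAMPLE_JWK = {"kty": "RSA", "e": "AQAB", "n": b64url(b"\x01" * 256),
              "alg": "RS256", "use": "sig"}  # extra members must not affect the thumbprint
SAMPLE_TOKEN = b64url(b"constructed-token-with-32-bytes!")

if __name__ == "__main__":
    ka = key_authorization(SAMPLE_TOKEN, SAMPLE_JWK)
    print("serve", ka, "at", challenge_path(SAMPLE_TOKEN))
    print("validation passes:", validate_response(SAMPLE_TOKEN, SAMPLE_JWK, ka.encode() + b"\n"))
```

This is why the DNS record in the next section matters: the validation server resolves your domain itself, so the challenge file must be reachable on port 80 of the host that record points to.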

3 Prerequisites

Before starting with Let’s Encrypt, you need to:

- Create a DNS record that associates your domain name with your server’s public IP address.

Setup

Obtain the SSL/TLS Certificate. The NGINX plug‑in for certbot takes care of reconfiguring NGINX and reloading its configuration whenever necessary.

1. Run the following command to generate certificates with the NGINX plug‑in:

$ sudo certbot --nginx -d example.com -d www.example.com

Or use:

$ sudo certbot --nginx

(without -d, certbot lets you choose the domains to secure interactively)

2. Respond to the prompts from certbot to configure your HTTPS settings, which involves entering your email address and agreeing to the Let’s Encrypt terms of service. When certificate generation completes, NGINX reloads with the new settings. certbot prints a message indicating that certificate generation was successful and specifying the location of the certificate on your server.

3. Congratulations! Your certificate and chain have been saved at:

/etc/letsencrypt/live/example.com/fullchain.pem

Your key file has been saved at:

/etc/letsencrypt/live/example.com/privkey.pem

Note: Let’s Encrypt certificates expire after 90 days (on 2017-12-12 in the example). For information about automatically renewing certificates, see Automatically Renew Let’s Encrypt Certificates below.

Open your [domain-name.conf] and modify it as follows:

server {
    listen 80 default_server;
    listen [::]:80 default_server;
    root /var/www/html;

    server_name  example.com www.example.com;

    listen 443 ssl; # managed by Certbot

    # RSA certificate
    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem; # managed by Certbot

    # 'ssl on;' is deliberately not used here: the 'ssl' parameter on the listen
    # directive above already enables TLS on 443, and 'ssl on' (deprecated since
    # NGINX 1.15) would also force TLS on the port-80 listeners of this block.
    ssl_session_cache  builtin:1000  shared:SSL:10m;
    # TLSv1 and TLSv1.1 are deprecated (RFC 8996); drop them unless legacy clients require them.
    ssl_protocols  TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4;
    ssl_prefer_server_ciphers on;

    access_log /var/log/nginx/reverse-access-jr.log;
    error_log /var/log/nginx/reverse-error-jr.log;

    # Reverse proxy to the application listening on port 8029
    location / {
        proxy_set_header        Host $host;
        proxy_set_header        X-Real-IP $remote_addr;
        proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header        X-Forwarded-Proto $scheme;
        proxy_pass http://localhost:8029;
        proxy_read_timeout 90;
    }
}

4. Save the file.

5. Automatically Renew Let’s Encrypt Certificates

Let’s Encrypt certificates expire after 90 days. We encourage you to renew your certificates automatically. Here we add a cron job to an existing crontab file to do this.

Open the crontab file.

$ crontab -e

Add the certbot command to run daily. In this example, we run the command every day at noon. The command checks whether the certificate on the server will expire within the next 30 days, and renews it if so. The --quiet option tells certbot not to generate output.

0 12 * * * /usr/bin/certbot renew --quiet

Save and close the file. All installed certificates will be automatically renewed and reloaded.

6. Congratulations! You have successfully enabled https://example.com and https://www.example.com

7. Restart NGINX.

8. Done.

5 Summary

We’ve installed the Let’s Encrypt agent to generate SSL/TLS certificates for a registered domain name. We’ve configured NGINX to use the certificates and set up automatic certificate renewals.

Part 2: Using Let’s Encrypt TLS/SSL certificates with NGINX in Ubuntu