How to Set Up an SSL Certificate in Nginx: A Complete Step-by-Step Guide

Securing your website with an SSL/TLS certificate is no longer optional — it's a fundamental requirement for user trust, data protection, and search engine rankings. Google has explicitly used HTTPS as a ranking signal since 2014, and modern browsers actively warn visitors when a site lacks encryption. If you're running Nginx as your web server, this guide will walk you through everything you need to know to install, configure, and automate SSL certificate management using Certbot and Let's Encrypt.

Whether you're managing a VPS Hosting environment, a dedicated server, or a shared hosting plan, properly configured SSL is non-negotiable for any production website.

What Is an SSL Certificate and Why Does Nginx Need One?

An SSL (Secure Sockets Layer) certificate — more accurately referred to today as a TLS (Transport Layer Security) certificate — establishes an encrypted connection between your web server and a visitor's browser. This encryption ensures that sensitive data such as login credentials, payment information, and personal details cannot be intercepted by malicious third parties.

For Nginx specifically, SSL configuration involves:

• Certificate files: The public certificate chain issued by a Certificate Authority (CA)
• Private key: A cryptographically generated key stored securely on your server
• Server block directives: Nginx configuration instructions that bind the certificate to your domain

Without SSL, your site is served over HTTP, which means all traffic is transmitted in plain text. With SSL properly configured, your site uses HTTPS — encrypted, authenticated, and trusted by browsers and search engines alike.

> Pro tip: If you're evaluating hosting options, AlexHost offers SSL Certificates for domains of all types, including Domain Validation (DV), Organization Validation (OV), and Extended Validation (EV) certificates.

Prerequisites Before You Begin

Before diving into the configuration steps, make sure the following conditions are met:

• A running Nginx web server on a Linux-based system (Ubuntu 20.04/22.04 or Debian recommended)
• Root or sudo access to your server
• A registered domain name pointing to your server's IP address via DNS A records — you can register one through Domain Registration
• Open firewall ports: TCP ports 80 (HTTP) and 443 (HTTPS) must be accessible
• A non-root user with sudo privileges (best practice for server security)

You can verify that Nginx is running with:

sudo systemctl status nginx

And confirm your domain resolves correctly using:

dig yourdomain.com +short

Step 1: Install Certbot on Your Server

Certbot is the official, open-source client for Let's Encrypt — a free, automated, and widely trusted Certificate Authority. It handles the entire certificate issuance process, including domain validation and Nginx configuration updates.

Update Your Package Index

Always start by refreshing your package lists to ensure you're installing the latest available versions:

sudo apt update && sudo apt upgrade -y

Install Certbot and the Nginx Plugin

The python3-certbot-nginx plugin allows Certbot to directly read and modify your Nginx configuration files, automating much of the setup process:

sudo apt install certbot python3-certbot-nginx -y

Verify the Installation

Confirm Certbot installed successfully by checking its version:

certbot --version

You should see output similar to certbot 2.x.x.

Step 2: Allow HTTPS Traffic Through Your Firewall

If you're using UFW (Uncomplicated Firewall), you need to explicitly allow HTTPS traffic before proceeding:

sudo ufw allow 'Nginx Full'
sudo ufw delete allow 'Nginx HTTP'
sudo ufw status

The Nginx Full profile allows both HTTP (port 80) and HTTPS (port 443). Removing the standalone HTTP rule ensures that once SSL is configured, you're not leaving unnecessary ports open without purpose.

Step 3: Obtain Your SSL Certificate from Let's Encrypt

With Certbot installed and your firewall configured, you can now request a certificate. The --nginx flag tells Certbot to use the Nginx plugin, which automatically handles the ACME challenge verification and updates your server configuration.

sudo certbot --nginx -d yourdomain.com -d www.yourdomain.com

What Happens During This Process?

1. Domain ownership verification: Certbot temporarily modifies your Nginx configuration to serve a challenge file, proving to Let's Encrypt that you control the domain
2. Certificate issuance: Let's Encrypt issues a signed certificate valid for 90 days
3. Automatic Nginx configuration: Certbot updates your Nginx server block to use the new certificate files

Interactive Prompts

During the process, Certbot will ask for:

• An email address for urgent renewal and security notices
• Agreement to the Terms of Service
• Whether to redirect HTTP to HTTPS — always choose option 2 (Redirect) to enforce HTTPS sitewide

Your certificates will be stored in:

/etc/letsencrypt/live/yourdomain.com/

The key files are:

Step 4: Manually Configure Nginx for SSL (Advanced)

While Certbot automates most of the configuration, understanding the manual setup gives you full control over your SSL implementation — essential for performance tuning, security hardening, and custom deployments.

Open Your Nginx Server Block Configuration

sudo nano /etc/nginx/sites-available/yourdomain.com

If you're using the default configuration file:

sudo nano /etc/nginx/sites-available/default

Complete SSL Server Block Configuration

Replace or update your configuration with the following hardened example:

# Redirect all HTTP traffic to HTTPS
server {
    listen 80;
    listen [::]:80;
    server_name yourdomain.com www.yourdomain.com;
    return 301 https://$host$request_uri;
}

# HTTPS server block
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name yourdomain.com www.yourdomain.com;

    # SSL Certificate Paths
    ssl_certificate /etc/letsencrypt/live/yourdomain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/yourdomain.com/privkey.pem;

    # Recommended SSL parameters
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 1d;
    ssl_session_tickets off;

    # OCSP Stapling
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /etc/letsencrypt/live/yourdomain.com/chain.pem;
    resolver 8.8.8.8 8.8.4.4 valid=300s;
    resolver_timeout 5s;

    # Security Headers
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
    add_header X-Frame-Options DENY;
    add_header X-Content-Type-Options nosniff;
    add_header X-XSS-Protection "1; mode=block";
    add_header Referrer-Policy "no-referrer-when-downgrade";

    # Document root and index
    root /var/www/yourdomain.com/html;
    index index.html index.htm index.nginx-debian.html;

    location / {
        try_files $uri $uri/ =404;
    }
}

Key Configuration Directives Explained

• ssl_protocols TLSv1.2 TLSv1.3: Disables older, vulnerable protocols (SSLv3, TLS 1.0, TLS 1.1)
• ssl_ciphers: Specifies a strong cipher suite prioritizing forward secrecy
• ssl_stapling on: Enables OCSP stapling, reducing SSL handshake latency
• Strict-Transport-Security: Instructs browsers to always use HTTPS for your domain (HSTS)
• http2: Enables HTTP/2 for improved performance on HTTPS connections

Step 5: Test Your Nginx Configuration

Before restarting Nginx, always validate your configuration syntax to catch errors that could take your site offline:

sudo nginx -t

A successful test returns:

nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

If you encounter errors, review the output carefully — Nginx will indicate the file and line number where the problem exists.

Step 6: Restart Nginx to Apply Changes

Once the configuration test passes, reload or restart Nginx:

# Graceful reload (preferred for production — no downtime)
sudo systemctl reload nginx

# Full restart (use if reload doesn't apply all changes)
sudo systemctl restart nginx

Verify Nginx is running correctly after the restart:

sudo systemctl status nginx

Step 7: Set Up Automatic SSL Certificate Renewal

Let's Encrypt certificates expire after 90 days. This short validity period is intentional — it limits the damage from compromised certificates and encourages automation. Certbot automatically installs a systemd timer (or cron job) to handle renewals, but you should verify and test it.

Check the Existing Renewal Timer

sudo systemctl status certbot.timer

You should see the timer is active and scheduled to run twice daily.

Test the Renewal Process

Simulate a renewal without actually modifying any certificates:

sudo certbot renew --dry-run

Successful output will include:

Congratulations, all simulated renewals succeeded:
  /etc/letsencrypt/live/yourdomain.com/fullchain.pem (success)

Add a Post-Renewal Hook to Reload Nginx

Certbot won't automatically reload Nginx after renewing certificates unless you configure a deploy hook. Create one with:

sudo nano /etc/letsencrypt/renewal-hooks/deploy/reload-nginx.sh

Add the following content:

#!/bin/bash
systemctl reload nginx

Make it executable:

sudo chmod +x /etc/letsencrypt/renewal-hooks/deploy/reload-nginx.sh

This ensures Nginx loads the fresh certificate files immediately after each successful renewal.

Step 8: Verify Your SSL Installation

After completing the setup, verify your SSL configuration using these methods:

Browser Check

Navigate to https://yourdomain.com in your browser. You should see a padlock icon in the address bar indicating a secure connection.

Online SSL Testing Tools

Use these free tools to audit your SSL configuration quality:

• SSL Labs (Qualys): https://www.ssllabs.com/ssltest/ — Provides a letter grade (aim for A or A+)
• Security Headers: https://securityheaders.com/ — Audits your HTTP security headers
• HSTS Preload: https://hstspreload.org/ — Checks HSTS preload eligibility

Command-Line Verification

# Check certificate details
openssl s_client -connect yourdomain.com:443 -servername yourdomain.com

# Check certificate expiry date
echo | openssl s_client -connect yourdomain.com:443 2>/dev/null | openssl x509 -noout -dates

Troubleshooting Common SSL Issues in Nginx

Choosing the Right Hosting Environment for SSL

The performance and reliability of your SSL implementation depend heavily on your hosting environment. Here's a quick overview:

• VPS Hosting: Full root access gives you complete control over Nginx configuration, SSL parameters, and certificate management — ideal for this guide
• Dedicated Servers: Maximum performance and isolation for high-traffic sites requiring enterprise-grade SSL configurations
• Shared Web Hosting: SSL is typically managed through a control panel; Certbot manual configuration may not be available
• VPS with cPanel: Simplifies SSL management through a graphical interface while retaining VPS-level control

For developers and system administrators who need full control over their SSL stack, a VPS or dedicated server is the recommended choice.

Conclusion

Setting up SSL in Nginx is a multi-step process, but each step serves a critical purpose — from encrypting traffic and verifying domain ownership to hardening your cipher configuration and automating renewals. By following this guide, you've implemented:

✅ A free, trusted SSL certificate via Let's Encrypt and Certbot

✅ A hardened Nginx SSL configuration with modern TLS protocols

✅ HTTP to HTTPS redirection for all traffic

✅ OCSP stapling for improved handshake performance

✅ HSTS and security headers for defense-in-depth

✅ Automated certificate renewal with Nginx reload hooks

A properly configured SSL certificate doesn't just protect your users — it builds trust, improves your SEO rankings, and is a baseline requirement for any professional web presence. If you're looking for reliable infrastructure to host your SSL-secured Nginx server, explore AlexHost's VPS Hosting plans, purpose-built for developers and businesses that take security seriously.