How to Secure Nginx with Let’s Encrypt on Debian 12, 11 or 10

Securing your web server is a critical aspect of modern web technology. This guide focuses on how to secure Nginx with Let’s Encrypt on Debian 12 Bookworm, Debian 11 Bullseye, or Debian 10 Buster. By implementing a Let’s Encrypt certificate, you’ll enhance the security and trustworthiness of your Debian-based Nginx server.

Why Choose Let’s Encrypt for Your Debian Nginx Server

  • Cost-Effective: Let’s Encrypt offers free SSL certificates, making robust security accessible to everyone.
  • Automated Renewals: Certificates are short-lived (90 days), and the ACME client you install (Certbot here) renews them automatically, so a lapse is far less likely than with manually tracked certificates.
  • Data Encryption: Let’s Encrypt certificates encrypt data between your server and its users, safeguarding sensitive information.
  • Broad Compatibility: These certificates are recognized by most modern web browsers, ensuring a smooth user experience.
  • Enhanced Security: With vigilant renewal and strict certificate policies, Let’s Encrypt helps protect against cyber threats.

Following this guide, you will install Certbot, obtain a certificate, confirm that renewal is automated, and harden the TLS settings of your Nginx server on Debian. The steps are written for both experienced system administrators and those new to server management.

Section 1: Install Certbot for Nginx on Debian 12, 11 or 10

This section covers installing Certbot for Nginx on Debian. Certbot is the ACME client that requests certificates from Let’s Encrypt, proves to the CA that you control the domain, and, through its Nginx plugin, edits the server block so the new certificate is used for HTTPS.

Step 1: Update Debian Package Repositories Before Certbot for Nginx Installation

Before installing Certbot, make sure the package index and the installed packages on your Debian system are up to date. This ensures you install the newest Certbot build packaged for your Debian release, together with its dependencies. Run the following commands to refresh the package index and upgrade the existing packages:

sudo apt update
sudo apt upgrade

Step 2: Install Certbot Nginx Plugin on Debian 12, 11 or 10

Now that your Debian system is up to date, the next step is to install Certbot along with its Nginx plugin. The Nginx plugin is essential as it enables Certbot to interact with Nginx, automating the process of obtaining and renewing certificates and configuring Nginx to use them. Run the following command to install both Certbot and the Nginx plugin:

sudo apt install certbot python3-certbot-nginx

Section 2: Setting Up Nginx and Let’s Encrypt Certificate on Debian 12, 11 or 10

In this section, we’ll guide you through configuring Nginx and generating a Let’s Encrypt SSL certificate for your domain using Certbot. We’ll also cover the use of various options that improve the security of your server configuration.

Step 1: Confirm Your Domain Resolves to This Server

Before going further, make sure you have a domain name whose DNS A record (and AAAA record, if you use IPv6) points at this server’s public IP address. A certificate is issued for a domain name, and Let’s Encrypt only issues it after you prove control of that name. The Nginx plugin proves control with the HTTP-01 challenge, so TCP port 80 must be reachable from the Internet (check your firewall and any cloud security group), and Nginx should already be running with a server block whose server_name is the domain you are requesting, because that is the block Certbot edits to install the certificate.

Step 2: Certbot Configuration and SSL Certificate Generation on Debian

After successfully installing Certbot and its Nginx plugin, the next step involves running Certbot to generate and install an SSL certificate for your domain. To instruct Certbot that we’re using Nginx, we use the --nginx option. The command to run Certbot also includes various other options contributing to a more secure setup.

The --agree-tos option accepts the Let’s Encrypt subscriber agreement without prompting. The --redirect option makes Certbot add a permanent 301 redirect from HTTP to HTTPS, so nothing is served in the clear. The --hsts option adds a Strict-Transport-Security header to the site’s server block, telling browsers that have seen it once to refuse plain HTTP for the site from then on. Lastly, --staple-ocsp turns on OCSP stapling: Nginx fetches the certificate’s revocation status itself and attaches it to the TLS handshake, which spares the visitor a separate request to the CA (faster, and the CA does not learn which site the visitor opened). Note that Let’s Encrypt has announced it is ending its OCSP service in favour of certificate revocation lists; once your certificates no longer carry an OCSP URL, the directive is harmless but inert.

The email address given with --email is the contact for the account Certbot creates at Let’s Encrypt. It receives notices about that account and, at the time of writing, expiry warnings; do not rely on those warnings as your only monitoring, because the renewal automation in Section 3 is what keeps the site up.

Replace you@example.com with your address and yourdomain.com with your domain. To cover the www name on the same certificate, add a second -d www.yourdomain.com (it must resolve to this server too). Then run:

sudo certbot --nginx --agree-tos --redirect --hsts --staple-ocsp --email you@example.com -d yourdomain.com

On success, Certbot reports where it stored the certificate and key, under /etc/letsencrypt/live/yourdomain.com/ (fullchain.pem and privkey.pem), and that it has reconfigured Nginx to use them with the options you specified. Your site is now reachable over HTTPS, and plain HTTP requests are redirected to it.

Step 3: Alternative Certbot Configuration Method on Debian 12, 11 or 10

For those who prefer a more guided and interactive approach, Certbot provides an alternative method that prompts you for information and configuration choices. Here’s how to use this method:

Run the following command:

sudo certbot --nginx

Certbot starts an interactive session. The exact prompts depend on the Certbot version your Debian release ships, but you can expect the following:

  1. Enter email address (used for urgent renewal and security notices): Provide your email address. Let’s Encrypt will use it for communication about your account and certificates.
  2. Agree to the Let’s Encrypt terms of service: Input A to agree.
  3. Share your email with the Electronic Frontier Foundation for updates on their work: Input Y or N. The answer has no effect on the certificate.
  4. Which names would you like to activate HTTPS for: Certbot lists the server_name values it found in your Nginx configuration. Enter the numbers of the names you want on the certificate, or press Enter to select all of them. Only names that resolve to this server can pass validation.
  5. Select the appropriate action: This prompt appears only if a certificate for these names already exists. You can either:
    • 1: Attempt to reinstall the certificate
    • 2: Renew & replace the certificate (limit ~5 per 7 days)
    Option 1 is the right choice unless the existing certificate is damaged; option 2 counts against Let’s Encrypt’s duplicate-certificate rate limit.
  6. Choose whether or not to redirect HTTP traffic to HTTPS: This is advisable for almost every website:
    • 1: No redirect – Make no further changes to the webserver configuration.
    • 2: Redirect – Make all requests redirect to secure HTTPS access.
    Select option 2. Depending on the Certbot version, the redirect may be applied by default without this prompt.

Note that this interactive path does not add the HSTS header or enable OCSP stapling on its own; pass --hsts and --staple-ocsp explicitly, as in Step 2, or add the directives by hand in Section 4.

When the prompts are done, Certbot prints the paths of the certificate and key under /etc/letsencrypt/live/yourdomain.com/ and the date on which the certificate expires.

Section 3: Establish Automatic Renewal for Nginx SSL Certificates with Cron on Debian 12, 11 or 10

The SSL certificates provided by Let’s Encrypt come with a validity period of 90 days. To prevent service interruptions due to expired certificates, setting up a mechanism for automatic certificate renewal is crucial. Certbot offers a specific command for renewing certificates, and you can automate this task using cron, a built-in job scheduler in Linux-based operating systems.

Step 1: Trial Run of Certificate Renewal on Debian

Before you commit to an automatic renewal schedule, it’s good practice to confirm that the renewal process functions correctly. You can do this by initiating a dry run, which simulates the renewal process without making any actual changes:

sudo certbot renew --dry-run

Step 2: Setting up the Certificate Renewal Schedule on Debian

First check what Debian has already done for you: the certbot package installs a systemd timer, certbot.timer, that runs certbot renew twice a day with a random delay. Confirm it with systemctl list-timers certbot.timer. If the timer is listed and active, you are done and need no cron entry; adding one merely runs the same check a third time each day. Use cron only on a system without systemd or where the timer has been disabled. To do so, open root’s crontab in edit mode:

sudo crontab -e

Append the following line. It runs a renewal check every day at 2:30 AM:

30 2 * * * /usr/bin/certbot renew --quiet

Save and close the file. Each day cron runs certbot renew, which renews only certificates with fewer than 30 days of validity left and leaves the others untouched. The --quiet flag suppresses output unless an error occurs, so a failure is still reported. Because the certificate was obtained with the --nginx plugin, Certbot reloads Nginx after a successful renewal so that the new certificate is actually served; if you ever switch to the webroot or standalone authenticator, add --deploy-hook "systemctl reload nginx" to the command so the reload still happens.
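As an added example that is not part of the original article, the following script ties together Section 2 Step 2 and this section: it reads the certificate Certbot stored, reports its expiry and the names it covers, and applies the same 30-day rule that certbot renew uses to say whether a renewal is due now. It assumes Certbot’s default path /etc/letsencrypt/live/<domain>/fullchain.pem, the openssl command-line tool (present on Debian) and GNU date from coreutils; the domain name and the check-cert.sh filename are illustrative.

```shell
#!/bin/sh
# Added example, not from the original article: inspect the certificate certbot issued and
# decide whether a renewal is due, using the 30-day threshold that "certbot renew" applies.
# Assumptions: openssl CLI (a certbot dependency on Debian), GNU "date -d" (coreutils), and
# certbot's default layout /etc/letsencrypt/live/<domain>/fullchain.pem.

# Print the certificate's notAfter stamp as openssl reports it, e.g. "Jun 10 12:00:00 2025 GMT".
cert_not_after() {
    openssl x509 -in "$1" -noout -enddate | cut -d= -f2
}

# Whole days left before expiry (negative once expired). Parses the stamp with GNU "date -d".
cert_days_left() {
    end_epoch=$(date -d "$(cert_not_after "$1")" +%s)
    now_epoch=$(date +%s)
    echo $(( (end_epoch - now_epoch) / 86400 ))
}

# Exit 0 when the certificate expires within 30 days, i.e. certbot renew would act on it now.
# "openssl x509 -checkend N" exits 0 if the cert is still valid N seconds from now, so negate it.
renewal_due() {
    ! openssl x509 -in "$1" -noout -checkend $((30 * 86400))
}

# Exit 0 when DNS name $2 appears in the Subject Alternative Name extension. Let's Encrypt puts
# every -d name there, and browsers check the SAN list, not the Subject CN.
cert_covers_name() {
    openssl x509 -in "$1" -noout -ext subjectAltName | grep -Eq "DNS:$2(,|\$)"
}

# Interactive use (as root): ./check-cert.sh yourdomain.com [www.yourdomain.com ...]
main() {
    domain=$1; shift
    pem="/etc/letsencrypt/live/$domain/fullchain.pem"
    [ -r "$pem" ] || { echo "cannot read $pem (run as root, or check the domain name)" >&2; exit 2; }
    echo "certificate : $pem"
    echo "expires     : $(cert_not_after "$pem") ($(cert_days_left "$pem") days left)"
    for name in "$domain" "$@"; do
        if cert_covers_name "$pem" "$name"; then echo "covers      : $name"
        else echo "MISSING SAN : $name (re-run certbot with an extra -d $name)"; fi
    done
    if renewal_due "$pem"; then echo "renewal     : due now (certbot renew would act)"
    else echo "renewal     : not yet (certbot renew would skip it)"; fi
}

if [ $# -gt 0 ]; then main "$@"; fi
```

Run it as root after the first issuance (the live directory is not world-readable) and again after the renewal dry run. A MISSING SAN line means a name you serve is not on the certificate and browsers will reject it for that name; a "due now" on a freshly issued certificate means the renewal automation is not firing.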

Section 4: Enhance SSL with NGINX Configuration on Debian 12, 11 or 10

In this section, you’ll tighten the TLS settings in your domain’s NGINX configuration. Certbot has already inserted the certificate paths and, if you passed --redirect, --hsts and --staple-ocsp, the redirect, HSTS header and stapling directives. The directives below match the Mozilla SSL Configuration Generator’s intermediate profile; they add session handling, Diffie-Hellman parameters and a modern protocol and cipher list, and give you a chance to verify what Certbot wrote.

Step 1: Edit the NGINX Configuration File

To start, you need to access the configuration file for your domain within NGINX. Execute the following command:

sudo nano /etc/nginx/sites-available/your_domain

This opens your domain’s configuration file in the nano text editor. Edit the server block that listens on port 443, the one containing listen 443 ssl and the ssl_certificate lines Certbot added; every setting below belongs inside that block. If your site lives in a different file, for example /etc/nginx/sites-available/default, edit that one instead.

Step 2: Specify SSL Certificates and Key

First, set the certificate chain and private key. If you ran certbot --nginx these two lines are already present; check that they point at Certbot’s live directory, which holds symlinks that always resolve to the newest certificate, so a renewal needs no configuration change:

ssl_certificate /etc/letsencrypt/live/yourdomain.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/yourdomain.com/privkey.pem;

Step 3: Configure SSL Sessions

Now configure the TLS session settings. A session cache lets returning clients resume a connection without a full handshake; 10 MB of shared cache holds roughly 40,000 sessions, and entries are kept for one day. Session tickets are switched off because Nginx never rotates the key that encrypts them, so a long-lived ticket key would undermine forward secrecy:

ssl_session_timeout 1d;
ssl_session_cache shared:MozSSL:10m;  # approximately 40000 sessions
ssl_session_tickets off;

Step 4: Configure Diffie-Hellman Parameters

Next, supply Diffie-Hellman parameters. These are used only by the finite-field DHE cipher suites in TLS 1.2 (the DHE-RSA-* entries in the cipher list); TLS 1.3 and the ECDHE suites negotiate their own elliptic curves and ignore this file. Without it, current Nginx releases simply leave the DHE suites disabled, which is safe but leaves only ECDHE for TLS 1.2 clients.

Generate a parameter file. 2048 bits is the standard choice and matches the cipher list below; 4096 bits is stronger on paper but slows every DHE handshake, and generating it can take many minutes on a small server. Consider your security requirements and the capabilities of your server before deciding.

To generate a 2048-bit DH parameter file, use the following command:

sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048

Alternatively, if you accept the cost, generate a 4096-bit file:

sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 4096

After generating the file, point NGINX at it with the ssl_dhparam directive:

ssl_dhparam /etc/ssl/certs/dhparam.pem;

Step 5: Set Protocols and Ciphers

Restrict the protocol versions to TLS 1.2 and 1.3 (TLS 1.0 and 1.1 are deprecated and fail most compliance checks) and set an explicit cipher list. The placeholder [long string of ciphers here] stands for the Mozilla intermediate profile list: ECDHE and DHE suites only, with AES-GCM or ChaCha20-Poly1305, so every suite provides forward secrecy and authenticated encryption. TLS 1.3 cipher suites are not governed by ssl_ciphers. With a list like that, letting the client choose (ssl_prefer_server_ciphers off) is safe and lets mobile clients without AES hardware pick ChaCha20:

ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers [long string of ciphers here];
ssl_prefer_server_ciphers off;

Step 6: Implement HSTS

Add HTTP Strict Transport Security (HSTS) so browsers remember to use HTTPS only. The max-age of 63072000 seconds is two years, and always makes Nginx send the header on error responses as well as on 200s. Two cautions: if you ran Certbot with --hsts it already inserted a Strict-Transport-Security header in this block, and you should keep exactly one; and add_header directives are not inherited into a location block that has add_header directives of its own, so any such location must repeat this line:

add_header Strict-Transport-Security "max-age=63072000" always;

Step 7: Enable OCSP Stapling

OCSP stapling lets Nginx fetch the certificate’s revocation status from the CA and attach it to the TLS handshake, so the client need not contact the CA itself. ssl_stapling_verify makes Nginx check the CA’s signature on the stapled response, which requires the issuing chain; with Certbot that is chain.pem in the live directory:

ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate /etc/letsencrypt/live/yourdomain.com/chain.pem;

Let’s Encrypt has announced it is ending its OCSP service in favour of certificate revocation lists. Once your certificates carry no OCSP URL these directives are harmless but inert, so check the CA’s current status before relying on stapling.

Step 8: Specify DNS Resolver

Finally, set the resolver Nginx uses to look up the OCSP responder’s hostname; without one, stapling silently does nothing. Like every Nginx directive, it ends with a semicolon:

resolver 1.1.1.1;

Replace 1.1.1.1 with your own resolver if you prefer not to use Cloudflare’s. A local caching resolver (127.0.0.1) keeps these lookups on the host.

Step 9: Validate and Apply the Changes

Once you’re done, save and exit the file. It’s vital to validate your NGINX configuration to ensure no syntax errors. Run this command to check:

sudo nginx -t

If the test passes, apply the changes. A reload picks up the new configuration without dropping existing connections; use restart only if the reload fails:

sudo systemctl reload nginx
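To see the steps of this section as one working server block, and to catch the settings that most often go wrong, here is an added example that is not from the original article: a small POSIX shell lint for the TLS directives of an Nginx server block, run over a deliberately weak block and over the hardened block assembled from this section. Assumptions: Certbot’s default certificate paths under /etc/letsencrypt/live/yourdomain.com/, the dhparam file at /etc/ssl/certs/dhparam.pem, /var/www/html as the document root, and the cipher list from the Mozilla SSL Configuration Generator intermediate profile; both configurations are constructed here for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original article. Lints the TLS directives of an Nginx server
# block read from stdin, then runs itself over a weak block and the hardened block of Section 4.
# Assumed: certbot's paths under /etc/letsencrypt/live/yourdomain.com/, /etc/ssl/certs/dhparam.pem,
# /var/www/html as document root, Mozilla "intermediate" cipher list. Needs only sh, sed and grep.

# Print one "FINDING:" line per weak or broken setting; exit 0 if clean, 1 otherwise.
tls_config_lint() {
    cfg=$(sed 's/#.*$//')     # drop comments so a commented-out directive never satisfies a check
    n=0
    has() { printf '%s\n' "$cfg" | grep -Eq "$1"; }
    finding() { echo "FINDING: $1"; n=$((n + 1)); }

    has 'listen[^;]*443' && ! has 'listen[^;]*443[^;]*ssl' \
        && finding 'listen 443 lacks the ssl parameter'
    has 'ssl_protocols[^;]*(SSLv3|TLSv1[ ;]|TLSv1\.1)' \
        && finding 'ssl_protocols enables SSLv3/TLSv1.0/TLSv1.1; use "TLSv1.2 TLSv1.3"'
    has 'ssl_session_tickets[[:space:]]+off' \
        || finding 'ssl_session_tickets is not off (nginx never rotates the ticket key)'
    has 'add_header[[:space:]]+Strict-Transport-Security[^;]*always' \
        || finding 'no "add_header Strict-Transport-Security ... always"'
    has '^[[:space:]]*resolver[[:space:]][^;]*$' \
        && finding 'resolver directive has no trailing semicolon (nginx -t rejects it)'
    has 'ssl_stapling[[:space:]]+on' && ! has '^[[:space:]]*resolver[[:space:]]' \
        && finding 'ssl_stapling on but no resolver, so nothing is ever stapled'
    has 'ssl_ciphers[^;]*(^|[^C])DHE-' && ! has 'ssl_dhparam' \
        && finding 'DHE suites listed but ssl_dhparam missing, so they are never used'
    [ "$n" -eq 0 ]
}

# Constructed weak block: old protocols, tickets on, no HSTS, and the unterminated resolver line.
weak_block() { cat <<'EOF'
server {
    listen 443;
    server_name yourdomain.com;
    ssl_certificate     /etc/letsencrypt/live/yourdomain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/yourdomain.com/privkey.pem;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_session_tickets on;
    ssl_stapling on;
    resolver 1.1.1.1
}
EOF
}

# Constructed hardened block: Section 4's directives assembled, plus the HTTP-to-HTTPS redirect.
hardened_block() { cat <<'EOF'
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name yourdomain.com;
    root /var/www/html;

    ssl_certificate     /etc/letsencrypt/live/yourdomain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/yourdomain.com/privkey.pem;

    ssl_session_timeout 1d;
    ssl_session_cache shared:MozSSL:10m;
    ssl_session_tickets off;
    ssl_dhparam /etc/ssl/certs/dhparam.pem;

    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305;
    ssl_prefer_server_ciphers off;

    # Keep exactly one HSTS header: remove this line if certbot --hsts already added one.
    add_header Strict-Transport-Security "max-age=63072000" always;

    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /etc/letsencrypt/live/yourdomain.com/chain.pem;
    resolver 1.1.1.1 valid=300s;
    resolver_timeout 5s;
}
server {
    listen 80;
    listen [::]:80;
    server_name yourdomain.com;
    return 301 https://$host$request_uri;
}
EOF
}

echo "== weak block =="
weak_block | tls_config_lint || echo "result: weak block rejected"
echo "== hardened block =="
hardened_block | tls_config_lint && echo "result: hardened block clean"
```

Point the lint at a real file with tls_config_lint < /etc/nginx/sites-available/yourdomain.com. It is a text check, not a parser: it complements nginx -t, which rejects the unterminated resolver line but happily accepts TLS 1.0, and it does not follow include files, so run it on each file that carries a listen 443 block.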

Conclusion

Throughout this article, we secured Nginx with Let’s Encrypt certificates on Debian 10, 11 and 12: installing Certbot, obtaining a free certificate and letting Certbot configure Nginx to use it, confirming that renewal is automated, and hardening the TLS configuration with modern protocols and ciphers, Diffie-Hellman parameters, HSTS and OCSP stapling.

As a final recommendation, keep the system patched, watch the Nginx error log and the output of certbot renew, and confirm from time to time that the renewal timer is still firing. These habits tell you about problems before an expired certificate or a known vulnerability does.