How to Install Nginx, Certbot, and SSL on Ubuntu 24
Below we cover setting up a domain with HTTPS on Ubuntu 24.04 LTS: Nginx, a free SSL cert via Certbot (Let’s Encrypt), and redirecting HTTP to HTTPS. When you’re done, the site will be on HTTPS with a valid certificate and auto-renewal.
Key takeaways
- Install Nginx and Certbot from Ubuntu’s package manager (apt).
- Point your domain’s DNS A record to the server’s IP before requesting a certificate.
- Use Certbot’s Nginx plugin to obtain and install a Let’s Encrypt certificate; it can also add the HTTPS server block.
- Add a 301 redirect from HTTP to HTTPS so all traffic uses SSL.
- Certbot configures automatic renewal; run certbot renew --dry-run to verify.
- Verify your setup with our free HTTPS checker: redirect chain, certificate validity, and SSL grade in one report.
Prerequisites
- Ubuntu 24.04 LTS (or 24.10) with root or sudo access.
- A domain name (e.g. example.com) that you control.
- The domain’s A record pointing to your server’s public IP (and optionally www as a CNAME or another A record).
If DNS is not set up yet, add the A record and wait until ping example.com (or dig example.com) resolves to your server IP before running Certbot.
Step 1: Install Nginx
Update packages, then install Nginx.
sudo apt update
sudo apt install nginx -y
Enable Nginx so it starts on boot (and start it now):
sudo systemctl enable nginx
sudo systemctl start nginx
If you use a firewall, check whether UFW is active: sudo ufw status. If it shows active, add a rule so Nginx can accept HTTP/HTTPS; if UFW is inactive, you don’t need to add a rule.
sudo ufw allow 'Nginx Full'
sudo ufw status
Visiting http://YOUR_SERVER_IP should show the default Nginx welcome page.
Step 2: Install Certbot and the Nginx plugin
Certbot handles Let’s Encrypt and can wire SSL into Nginx for you. On Ubuntu 24, install the Certbot package and the Nginx plugin:
sudo apt install certbot python3-certbot-nginx -y
That gives you Certbot plus the Nginx plugin (it can add SSL server blocks and reload Nginx). Prefer the latest Certbot? Use Snap: sudo snap install --classic certbot and sudo ln -s /snap/bin/certbot /usr/bin/certbot. The steps below work either way.
Step 3: Configure Nginx for your domain (HTTP first)
Let’s Encrypt checks that you control the domain over HTTP (port 80), so you need a server block on port 80 for your domain; Certbot will use it for the challenge. Create a config file for your domain, swapping example.com for your actual domain.
sudo nano /etc/nginx/sites-available/example.com
Paste this (replace example.com and www.example.com with your domain, and /var/www/example.com with your site’s document root):
server {
    listen 80;
    server_name example.com www.example.com;
    root /var/www/example.com;
    index index.html index.htm;
    location / {
        try_files $uri $uri/ =404;
    }
}
Create the web root and enable the site:
sudo mkdir -p /var/www/example.com
sudo ln -s /etc/nginx/sites-available/example.com /etc/nginx/sites-enabled/
sudo nginx -t
sudo systemctl reload nginx
If you use the default site and want to avoid duplicate server_name conflicts, disable it: sudo rm /etc/nginx/sites-enabled/default. Then run nginx -t and systemctl reload nginx again.
Step 4: Obtain SSL certificate with Certbot
Run Certbot with the Nginx plugin. It will request a certificate from Let’s Encrypt, complete the HTTP challenge, and modify your Nginx config to add an HTTPS server block.
sudo certbot --nginx -d example.com -d www.example.com
You’ll be asked for your email (used for renewal notices), then to agree to the terms. Optionally you can share your email with the EFF. When Certbot asks whether to redirect HTTP to HTTPS, say Yes; that’s what you want.
Certbot stores certificates under /etc/letsencrypt/live/example.com/ and adds ssl_certificate and ssl_certificate_key to your Nginx config. If you chose “Redirect”, it will also add a 301 from HTTP to HTTPS.
Step 5: Ensure HTTP to HTTPS redirect
If you didn’t select “Redirect” during Certbot, or you edited the config later, add a dedicated server block for port 80 that returns a 301 to HTTPS. Open your site config:
sudo nano /etc/nginx/sites-available/example.com
You should have two server blocks: one for port 80 (possibly modified by Certbot) and one for port 443. The port-80 block should do nothing except redirect to HTTPS, and it should be the only block listening on port 80 for these names. Example of a minimal HTTP→HTTPS redirect block:
server {
    listen 80;
    server_name example.com www.example.com;
    return 301 https://$host$request_uri;
}
Test and reload:
sudo nginx -t
sudo systemctl reload nginx
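To check Step 5 mechanically rather than by eye, the shell function below (an added example, not part of the original guide) reads an Nginx site file and reports each port-80 server block as redirecting to HTTPS or not. It accepts both the server-level return 301 shown above and the if-block form Certbot writes; the sample config and the static.example.com site in it are constructed for illustration.

```bash
# Added example (not from the original guide): report port-80 server blocks
# that do not 301 to HTTPS. Assumes one directive per line, as in this guide.
# Exit status: 0 = all port-80 blocks redirect, 1 = some do not, 2 = none found.
audit_http_redirect() {
  awk '
    { sub(/#.*/, "") }   # drop comments
    depth == 0 && /^[ \t]*server[ \t]*[{]/ { in_srv = 1; p80 = 0; redir = 0; names = "" }
    in_srv {
      if ($0 ~ /^[ \t]*listen[ \t]+([^ \t;]*:)?80[ \t;]/) p80 = 1
      if ($0 ~ /^[ \t]*server_name[ \t]/) {
        names = $0
        sub(/^[ \t]*server_name[ \t]+/, "", names); sub(/[ \t]*;.*/, "", names)
      }
      # Count a server-level redirect, or one inside an if block (Certbot style).
      if ((depth == 1 || in_if) && $0 ~ /^[ \t]*return[ \t]+301[ \t]+https:/) redir = 1
      if (depth == 1 && $0 ~ /^[ \t]*if[ \t]*[(]/) in_if = 1
    }
    {
      depth += gsub(/[{]/, "{") - gsub(/[}]/, "}")   # track brace nesting
      if (depth < 2) in_if = 0
      if (in_srv && depth == 0) {                     # a server block just closed
        tag = redir ? "REDIRECT" : "NO-REDIRECT"
        if (p80) { seen = 1; bad += !redir; print tag, names }
        in_srv = 0
      }
    }
    END { exit (bad ? 1 : (seen ? 0 : 2)) }
  ' "$@"
}

# Constructed sample: a Certbot-style redirect, a hypothetical second site still
# served over plain HTTP, and an HTTPS block that the audit must ignore.
sample_conf='server {
    if ($host = example.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot
    listen 80;
    server_name example.com;
    return 404; # managed by Certbot
}
server {
    listen [::]:80;
    server_name static.example.com;
    root /var/www/example.com;
}
server {
    listen 443 ssl;
}'
printf '%s\n' "$sample_conf" | audit_http_redirect || echo "exit status $?"
```

On a server, pass the site file instead of piping the sample: audit_http_redirect /etc/nginx/sites-available/example.com.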
Step 6: Automatic renewal
Certbot sets up a systemd timer (or cron) to renew before expiry (Let’s Encrypt certs last 90 days). Make sure it works:
sudo certbot renew --dry-run
If the dry run passes, real renewals will run on their own. To confirm the timer: systemctl list-timers | grep certbot.
Verify your HTTPS setup
Quick check: open http://example.com in a browser. You should land on https://... with a valid cert. For a full report (redirect chain, cert validity, SSL grade), run your domain through our free HTTPS checker.
Hit a redirect loop or a cert error? We’ve got guides: HTTP to HTTPS redirect, SSL certificate errors, redirect loop.