SSL for Nginx sites with Let's Encrypt

by Giang, last updated 26 Dec 2018

Suppose we have a running website with a working Nginx configuration for plain HTTP. The three steps below secure it with HTTPS, using Let's Encrypt certificates that Certbot obtains and installs into the Nginx config for us.

1. Install Certbot

sudo add-apt-repository ppa:certbot/certbot
# press enter to accept adding the PPA
sudo apt-get update
sudo apt-get install python-certbot-nginx

Note: the certbot/certbot PPA has since been discontinued. On current Ubuntu releases the Certbot project recommends installing the snap package instead (sudo snap install --classic certbot); the certbot commands in the following steps are the same either way.

2. Generating certificates

sudo certbot --nginx -d example.com
# replace example.com with the site's domain; repeat -d for each extra name (e.g. www.example.com)

The --nginx plugin locates the server block whose server_name matches the domain, so that block must already exist. If this is the first time Certbot runs, it asks for an email address (used for expiry warnings) and acceptance of the terms of service, then performs the validation challenge for the domain. On success it asks whether HTTP should be redirected to HTTPS:

Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
Select the appropriate number [1-2] then [enter] (press 'c' to cancel):

Select an option and press enter. Certbot writes the certificate and key paths into the domain's server block (and, with option 2, a redirect block for port 80), then reloads Nginx. Option 2 is the right choice for almost every site, since leaving HTTP reachable without a redirect keeps serving the site in the clear. Open https://your-domain in a browser to verify it works.

3. Certbot auto-renewal

Let's Encrypt certificates are valid for 90 days, so they must be renewed before they expire. certbot renew only renews certificates that are within 30 days of expiry (its default renew_before_expiry) and does nothing otherwise, so it is safe to run it often.

To test the renewal process without issuing real certificates, make a dry run (it uses the Let's Encrypt staging environment):

sudo certbot renew --dry-run

Automate renewal by adding the command to root's crontab (sudo crontab -e). Because the certificate was installed with the --nginx plugin, Certbot reloads Nginx itself after a successful renewal. The Ubuntu certbot package also ships its own schedule (/etc/cron.d/certbot and the certbot.timer systemd unit), so check systemctl list-timers first and skip this entry if renewal is already scheduled.

15 3 * * * /usr/bin/certbot renew --quiet

Note: if the site is proxied through Cloudflare, the TLS-SNI-01 challenge that older Certbot versions used by default cannot succeed, because Cloudflare terminates TLS in front of the origin and the validation connection never reaches Nginx. Force the HTTP-01 challenge instead, which Cloudflare passes through to the origin (Let's Encrypt follows a redirect to HTTPS if one is configured). Let's Encrypt retired TLS-SNI-01 altogether in March 2019 and current Certbot uses HTTP-01 with the Nginx plugin by default, so on an up-to-date install the option is redundant but harmless:

15 3 * * * /usr/bin/certbot renew --quiet --preferred-challenges http
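The three steps above, worked through as an added example that is not code from the original post: a check that the server block Certbot edited in step 2 carries everything HTTPS needs (SSL listener, Let's Encrypt certificate and key, the HTTP-to-HTTPS redirect), plus the expiry arithmetic behind the renew command in step 3. The server blocks are constructed samples of what certbot --nginx writes, example.com and the temp files are placeholders, and nothing in it needs nginx, certbot or network access.

```bash
#!/usr/bin/env bash
# Added example, not code from the original post. Assumes a server block
# edited by "certbot --nginx" (the "# managed by Certbot" trailers are what
# the installer inserts); example.com and the temp files are placeholders.
set -u

# Require what HTTPS via Let's Encrypt needs in a server block. Returns 0 when
# complete, 1 on the first missing item (named on stderr). Comments are
# stripped first so the "managed by Certbot" trailers cannot match by accident.
check_nginx_tls_config() {
  conf="$1"
  body=$(sed 's/#.*//' "$conf")
  printf '%s\n' "$body" | grep -Eq 'listen[[:space:]]+443[[:space:]]+ssl' \
    || { echo "$conf: missing 'listen 443 ssl'" >&2; return 1; }
  printf '%s\n' "$body" | grep -Eq 'ssl_certificate[[:space:]]+/etc/letsencrypt/live/[^/]+/fullchain\.pem;' \
    || { echo "$conf: ssl_certificate is not a Let's Encrypt fullchain.pem" >&2; return 1; }
  printf '%s\n' "$body" | grep -Eq 'ssl_certificate_key[[:space:]]+/etc/letsencrypt/live/[^/]+/privkey\.pem;' \
    || { echo "$conf: ssl_certificate_key is not a Let's Encrypt privkey.pem" >&2; return 1; }
  printf '%s\n' "$body" | grep -Eq 'return[[:space:]]+301[[:space:]]+https://' \
    || { echo "$conf: no HTTP -> HTTPS redirect (certbot option 2)" >&2; return 1; }
  # Certbot's hardened protocol/cipher settings come from this include; warn
  # only, since a hand-written block may carry its own ssl_protocols.
  printf '%s\n' "$body" | grep -q 'options-ssl-nginx.conf' \
    || echo "$conf: warning, options-ssl-nginx.conf not included" >&2
  return 0
}

# The decision "certbot renew" makes: renew only when fewer than threshold_days
# (default 30, certbot's renew_before_expiry) remain. Arguments are notAfter
# and the current time as epoch seconds; prints whole days left, returns 0
# when renewal is due.
renewal_due() {
  not_after="$1"; now="$2"; threshold_days="${3:-30}"
  days_left=$(( (not_after - now) / 86400 ))
  echo "$days_left"
  [ "$days_left" -lt "$threshold_days" ]
}

# notAfter of a PEM certificate as epoch seconds (needs openssl and GNU date),
# e.g. cert_not_after_epoch /etc/letsencrypt/live/example.com/cert.pem
cert_not_after_epoch() {
  end=$(openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//')
  date -d "$end" +%s
}

# Constructed sample: the server block after "certbot --nginx" with option 2.
make_sample_conf() {
  cat > "$1" <<'EOF'
server {
    server_name example.com;
    root /var/www/example;

    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
server {
    if ($host = example.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    listen 80;
    server_name example.com;
    return 404; # managed by Certbot
}
EOF
}

# Constructed sample: the same site before certbot, HTTP only.
make_http_only_conf() {
  cat > "$1" <<'EOF'
server {
    listen 80;
    server_name example.com;
    root /var/www/example;
}
EOF
}

# Run the check on both samples, then the renewal arithmetic for a certificate
# expiring in 20 days (due) and one expiring in 75 days (skipped).
before=$(mktemp); make_http_only_conf "$before"
after=$(mktemp); make_sample_conf "$after"
for f in "$before" "$after"; do
  if check_nginx_tls_config "$f"; then echo "$f: ready for HTTPS"; else echo "$f: not ready"; fi
done
rm -f "$before" "$after"
now=$(date +%s)
for days in 20 75; do
  if left=$(renewal_due $((now + days * 86400)) "$now"); then
    echo "$left days left: certbot renew would renew"
  else
    echo "$left days left: certbot renew would skip"
  fi
done
```

On a live host, point check_nginx_tls_config at the site's file under /etc/nginx/sites-enabled after step 2, and feed cert_not_after_epoch's output to renewal_due to see whether the next cron run will actually do anything; both are the same questions certbot answers internally, spelled out so the result can be inspected.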