Letsencrypt nginx? Sure, why not. It’s FREE, easy and with auto-renewals too!

Here’s how to do it on an Ubuntu server:

Step 1 — Install and configure certbot

# Update package repositories and install git
apt-get update
apt-get install git
# Change to working directory and create letsencrypt directories
cd /opt
git clone https://github.com/certbot/certbot
mkdir /etc/certbot
mkdir -p /var/www/letsencrypt

Step 2 — Create the certbot configuration file

nano /etc/certbot/domain.com.conf

then copy and paste this into it, fully edit then save with CTRL-X

authenticator = webroot
webroot-path = /var/www/letsencrypt

# Generate certificates for specified domains, comma separated
domains = www.domain.com, domain.com, whateveryouwant.domain.com

# Register certs with your email address
email = your@domain.com

# Use a 4096 bit RSA key
rsa-key-size = 4096

Step 3 — Edit your nginx config

Open up your domain’s config and add this location block:

server {  
listen 80;

server_name domain.com

location ^~ /.well-known {
alias /var/www/letsencrypt/.well-known;

# ... snip ... #

Add the location block in the http server block, or if you already have a valid certificate you can place it in the existing https block.

Test your changes by running nginx -t then if all good apply your changes by restarting nginx withservice nginx restart

Step 4 — Request your certificate

Run this and follow the instructions on screen:

/opt/certbot/letsencrypt-auto certonly -c /etc/certbot/domain.com.conf

Step 5 — Configure nginx to use your new certs

If you already have a cert then just update the ssl_certificate and ssl_certificate_key with the new details, if not then you’ll need the whole SSL block, like this:

# Redirect to HTTPS
server {
listen 80;

server_name domain.com

return 301 https://domain.com$request_uri;

# HTTPS server block
server {
listen 443 ssl;

server_name domain.com;

ssl on;
ssl_certificate /etc/letsencrypt/live/domain.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/domain.com/privkey.pem;

location ^~ /.well-known {
alias /var/www/letsencrypt/.well-known;

# ... snip ... #

Test by running nginx -t and if it’s fine run service nginx restart

Step 6 — Check everything works

Head on over to Qualys SSL Labs and run an SSL Server Test, hopefully you’ll get an A but the goal is A+ which requires configuration beyond the scope of this article, it’s not that difficult.

Step 7 — Configure auto-renewal

Letsencrypt certificates are issued for a 3-month period but this isn’t a problem, just set up a monthly cron script.

Run this command:

nano /etc/cron.monthly/renew-ssl-certificates

and copy, paste and save it:

/opt/certbot/letsencrypt-auto certonly -c /etc/certbot/domain.com.conf --renew-by-default
service nginx restart

and finally, make the cron job executable

chmod +x /etc/cron.monthly/renew-ssl-certificates

Yipee! You’re done. No need to pay for another SSL cert ever again.

Note: If you have a server with very low memory the certbot may crash with some horrible looking errors, in this case all you need to do is create a temporary swap file before step 4 if you don’t already have one, you’ll also need to script that in the cron job.

Article by:

Adam Sculthorpe, Co-Founder of PatrolX

Opinions are my own. Now get after it!


Like what you read? Give PatrolX a round of applause.

From a quick cheer to a standing ovation, clap to show how much you enjoyed this story.