Install a Let's Encrypt SSL (Nginx)

You can add a Let's Encrypt SSL certificate to any website hosted on your server. You can get more information about Let's Encrypt and their SSL certificates on their website.

Let's Encrypt SSL certificates are valid for 90 days. You must renew them before they expire, otherwise the certificate will stop validating and your website will generate browser errors.

Prerequisites

This article assumes a few things:

  • Your domain is pointed to your server
  • You have Git installed
  • You have NGINX installed as your web server (we also recommend creating NGINX server blocks)

Install the Let's Encrypt application

  1. Connect to your server via SSH (Mac/Windows)
  2. From your home directory, clone the Let's Encrypt client from Git (no sudo is needed here, and later steps refer to the checkout as ~/letsencrypt):
    git clone https://github.com/letsencrypt/letsencrypt
  3. Move into the letsencrypt directory:
    cd letsencrypt
  4. Install the letsencrypt application (the first run bootstraps its dependencies and will prompt for your sudo password):
    ./letsencrypt-auto

Create your certificate

  1. Create a DOMAINS variable holding the hostnames you want to secure, comma-separated with no spaces. The first becomes the certificate's common name; every name in the list is included as a subject alternative name:
    export DOMAINS="your domain name,www.your domain name"
  2. Create a DIR variable which stores the root of your website (we're assuming you've used our guide to create NGINX server blocks):
    export DIR=/usr/share/nginx/your domain name
  3. Create your certificate. This uses the webroot authenticator, so NGINX must be running and serving $DIR on port 80 for every name in $DOMAINS while the command runs:
    ~/letsencrypt/letsencrypt-auto certonly --server https://acme-v01.api.letsencrypt.org/directory -a webroot --webroot-path=$DIR -d $DOMAINS
    The --server flag pins the ACME v1 endpoint, which Let's Encrypt has since retired. With a current client, leave --server off so the client uses its default (ACME v2) endpoint.
  4. Enter your email address and then press enter.
  5. Agree to Let's Encrypt's terms.

In the Important Notes section, in the first bullet, the letsencrypt application tells you where it has stored your certificate. Make sure to note this location because you'll need it later. It should look something like this:

/etc/letsencrypt/live/your domain name/fullchain.pem
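The issuance step above, as an added example that is not part of the original article: a small POSIX shell script that checks the two inputs that most often make webroot validation fail (a DOMAINS list containing spaces or URLs instead of hostnames, and a webroot NGINX does not actually serve) before calling the client. The CLIENT path follows the article; the example.com placeholders and the RUN guard are assumptions for this example.

```shell
#!/bin/sh
# Added example (not from the original article): pre-flight checks around the
# certonly step. CLIENT, DOMAINS and DIR default to placeholders; override them.
set -eu

CLIENT="${CLIENT:-${HOME:-/root}/letsencrypt/letsencrypt-auto}"  # path used by the article
DOMAINS="${DOMAINS:-example.com,www.example.com}"                # placeholder hostnames
DIR="${DIR:-/usr/share/nginx/example.com}"                       # placeholder webroot

# Return 0 if every comma-separated entry looks like a bare hostname
# (letters, digits, dots, hyphens): no spaces, no scheme, no path.
validate_domains() {
    list="$1"
    [ -n "$list" ] || return 1
    old_ifs=$IFS; IFS=','
    for host in $list; do
        case "$host" in
            ''|*[!A-Za-z0-9.-]*) IFS=$old_ifs; return 1 ;;
        esac
    done
    IFS=$old_ifs
    return 0
}

# Create the ACME challenge directory under the webroot and drop a probe file
# so you can confirm NGINX serves it before Let's Encrypt tries to:
#   curl http://<your host>/.well-known/acme-challenge/probe
# Prints the probe's path; fails if the webroot does not exist.
prepare_webroot() {
    root="$1"
    [ -d "$root" ] || return 1
    challenge="$root/.well-known/acme-challenge"
    mkdir -p "$challenge"
    printf 'ok\n' > "$challenge/probe"
    printf '%s\n' "$challenge/probe"
}

# Webroot validation fetches http://<each domain>/.well-known/acme-challenge/<token>,
# so port 80 must be reachable and NGINX must still be running at this point.
issue_certificate() {
    validate_domains "$DOMAINS" || {
        echo "DOMAINS must be comma-separated hostnames with no spaces" >&2; return 1; }
    prepare_webroot "$DIR" >/dev/null || {
        echo "webroot $DIR does not exist" >&2; return 1; }
    "$CLIENT" certonly -a webroot --webroot-path="$DIR" -d "$DOMAINS"
    # The client names the live directory after the first hostname in the list.
    first="${DOMAINS%%,*}"
    printf 'certificate: /etc/letsencrypt/live/%s/fullchain.pem\n' "$first"
}

# Only contact Let's Encrypt when explicitly asked, so the helpers can be
# sourced and exercised without a network round-trip.
if [ "${RUN:-0}" = "1" ]; then
    issue_certificate
fi
```

Run it as `RUN=1 DOMAINS="example.com,www.example.com" DIR=/usr/share/nginx/example.com sh issue.sh`; the probe file is harmless to leave in place and is useful again at renewal time.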

Configure NGINX for SSL traffic

  1. Stop the NGINX process:
    sudo service nginx stop
    After running this command, websites on your server will stop working until you restart NGINX after installing your SSL certificate. NGINX has to be stopped because the standalone step in the Subscriber Agreement section below binds port 80 itself.
  2. Open your website's NGINX config file:
    sudo vim /etc/nginx/sites-available/default
    ...or if you've configured NGINX server blocks:
    sudo vim /etc/nginx/sites-available/your domain name
  3. Delete the following two lines from the first server block:
    listen 80 default_server;
    listen [::]:80 default_server ipv6only=on;
  4. Add, edit, or make sure you have the following lines (none of the lines should be duplicates):
    listen 443 ssl;
    server_name your domain name www.your domain name;
    ssl_certificate /etc/letsencrypt/live/your domain name/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/your domain name/privkey.pem;
    The two directives beginning with ssl_ should use the value you got from the letsencrypt application's output (Important Notes section) when you created the certificate.
  5. Add the following lines to your server block so that weak protocols and cipher suites are not negotiated:
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
    TLS 1.0 and 1.1 are deprecated (RFC 8996); remove TLSv1 and TLSv1.1 from ssl_protocols unless you must support very old clients. SSL Labs (see Test your configuration) will flag them.
  6. Outside of the server block you've been using, add a new server block to redirect all plain-HTTP traffic to HTTPS:
    server {
        listen 80;
        server_name your domain name www.your domain name;
        return 301 https://$host$request_uri;
    }
  7. Save and close the file:
    :wq!

Don't bother restarting NGINX yet - we'll do that after we agree to the subscriber agreement in the next section.
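The configuration steps above, as an added example that is not part of the original article: a POSIX shell script that renders both server blocks (the redirect block and the TLS block) from a single DOMAIN, writes the file into sites-available, and validates it with `nginx -t` before reloading, so a typo never takes every site on the box offline. It departs from the article's snippet in two places: only TLS 1.2 and 1.3 are enabled (TLS 1.3 needs nginx 1.13+ built against OpenSSL 1.1.1+; drop it if `nginx -t` rejects it), and IPv6 listeners are included. DOMAIN, the directory paths and the RUN guard are assumptions for this example.

```shell
#!/bin/sh
# Added example (not from the original article): generate and safely apply
# the NGINX site config the article describes.
set -eu

DOMAIN="${DOMAIN:-example.com}"                                # placeholder
SITES_AVAILABLE="${SITES_AVAILABLE:-/etc/nginx/sites-available}"
SITES_ENABLED="${SITES_ENABLED:-/etc/nginx/sites-enabled}"

# Print a complete site config for "$1" and www.$1 to stdout.
# Webroot and certificate paths follow the article's conventions.
render_site_config() {
    d="$1"
    live="/etc/letsencrypt/live/$d"
    cat <<EOF
# Plain HTTP: redirect everything to HTTPS
server {
    listen 80;
    listen [::]:80;
    server_name $d www.$d;
    return 301 https://\$host\$request_uri;
}

# HTTPS
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name $d www.$d;

    root /usr/share/nginx/$d;
    index index.html;

    ssl_certificate /etc/letsencrypt/live/$d/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/$d/privkey.pem;

    # TLS 1.0/1.1 are deprecated (RFC 8996); TLS 1.3 needs nginx 1.13+ / OpenSSL 1.1.1+
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
    ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
}
EOF
}

# Write the config, enable it, and reload only if nginx accepts the result.
apply_site_config() {
    d="$1"
    target="$SITES_AVAILABLE/$d"
    render_site_config "$d" > "$target"
    ln -sf "$target" "$SITES_ENABLED/$d"
    if nginx -t; then
        service nginx reload
    else
        echo "nginx rejected $target; fix it before reloading" >&2
        return 1
    fi
}

if [ "${RUN:-0}" = "1" ]; then
    apply_site_config "$DOMAIN"
fi
```

Run `RUN=1 DOMAIN=example.com sudo -E sh site.sh`, or call `render_site_config example.com` on its own to review the output before writing anything. Note that `nginx -t` opens the certificate and key files, so it only passes once the certificate from the previous section exists.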

Agree to the Let's Encrypt Subscriber Agreement

Let's Encrypt requires you to manually set the flag indicating you have read their Subscriber Agreement. If you skip this step, you will not be able to renew your certificate.

  1. Agree to the Let's Encrypt Subscriber Agreement:
    ~/letsencrypt/letsencrypt-auto certonly --agree-tos
  2. Select Automatically use a temporary webserver (standalone) and then press enter.
  3. Enter your domain name and then press Enter.
  4. If prompted, select Keep the existing certificate for now and then press enter.

Restart NGINX

Now that you've requested the SSL certificate, configured NGINX to use it, and accepted the Subscriber Agreement, you can restart NGINX and start serving secured content.

  • sudo service nginx restart

Test your configuration

Test your SSL certificate configuration at https://www.ssllabs.com/ssltest/.

Renew your Let's Encrypt certificate

Certificates are valid for 90 days, so renew between 60 and 90 days after you create one. The renew command only replaces certificates that are within 30 days of expiry; running it earlier is harmless but does nothing.

  1. Renew your certificate:
    ~/letsencrypt/letsencrypt-auto renew
  2. Complete the menu options that display.

If you'd like, instead of renewing the certificate manually every 2-3 months, you can write a script that does it for you. Let's Encrypt has some guidance on how to do that in the Writing your own renewal script section of their Getting Started guide.
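A renewal script of the kind the paragraph above refers to, as an added example that is not part of the original article or of Let's Encrypt's guide: it reports how many days the current certificate has left, runs the client's renew command non-interactively, and reloads NGINX afterwards so the new certificate is actually served. `renew`, `--agree-tos`, `--non-interactive` and `--post-hook` are real client flags (certbot 0.7 or later; older letsencrypt-auto builds may lack --post-hook). The CLIENT path follows the article; DOMAIN, the cron line and the RUN guard are assumptions, and the date arithmetic relies on GNU date.

```shell
#!/bin/sh
# Added example (not from the original article): cron-friendly renewal with
# an expiry check and an NGINX reload.
set -eu

CLIENT="${CLIENT:-${HOME:-/root}/letsencrypt/letsencrypt-auto}"  # path used by the article
DOMAIN="${DOMAIN:-example.com}"                                  # placeholder
CERT="/etc/letsencrypt/live/$DOMAIN/fullchain.pem"

# Seconds since the epoch for a date in the format OpenSSL prints after
# "notAfter=", e.g. "Mar 10 12:00:00 2030 GMT". Requires GNU date.
to_epoch() {
    date -u -d "$1" +%s
}

# Whole days from "$2" (default: now) until "$1"; negative once more than
# a day past.
days_until() {
    end=$(to_epoch "$1")
    now=$(to_epoch "${2:-now}")
    echo $(( (end - now) / 86400 ))
}

# Days left on the certificate file "$1" (requires openssl).
cert_days_left() {
    end=$(openssl x509 -noout -enddate -in "$1" | cut -d= -f2)
    days_until "$end"
}

renew_and_reload() {
    left=$(cert_days_left "$CERT")
    echo "$DOMAIN: $left days until expiry"
    # --agree-tos sets the Subscriber Agreement flag the article describes;
    # --non-interactive stops the menu prompts from hanging a cron job;
    # --post-hook runs after the renewal attempts and is skipped entirely
    # when no certificate was due, so NGINX is only reloaded when needed.
    "$CLIENT" renew --agree-tos --non-interactive --post-hook "service nginx reload"
}

# Example cron entry (twice daily, off the hour, as Let's Encrypt suggests):
#   17 3,15 * * * RUN=1 /usr/local/sbin/renew-letsencrypt.sh >> /var/log/letsencrypt-renew.log 2>&1
if [ "${RUN:-0}" = "1" ]; then
    renew_and_reload
fi
```

Because the client itself decides whether a certificate is due, the script can run far more often than every 60 days; the expiry line in the log is what tells you renewal has silently stopped working (for example because the Subscriber Agreement flag was never set) long before the certificate actually lapses.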
