LetsEncrypt with Nginx on Debian

To set up letsencrypt with Nginx, first install the prerequisites

apt-get update
apt-get install nano

Download the letsencrypt client, certbot-auto

cd /usr/local/sbin
wget https://dl.eff.org/certbot-auto

If you haven't already, install Nginx

apt-get update
apt-get install nginx

Make the letsencrypt client file executable

chmod a+x /usr/local/sbin/certbot-auto

Add the .well-known directory to your nginx configuration to make sure it will be accessible to the letsencrypt client

nano /etc/nginx/sites-available/default

Add the following location block to the server block in your Nginx configuration

location ~ /.well-known {
    allow all;
}

Restart Nginx

service nginx restart

Generate the SSL certificate using the letsencrypt client

Change --webroot-path if needed, and replace example.com and www.example.com with your own domains

certbot-auto certonly -a webroot --webroot-path=/usr/share/nginx/html -d example.com -d www.example.com

If everything was successful, you should end up seeing something like this

- Congratulations! Your certificate and chain have been saved at
/etc/letsencrypt/live/example.com/fullchain.pem. Your
cert will expire on 2017-01-03. To obtain a new or tweaked version
of this certificate in the future, simply run certbot-auto again.
To non-interactively renew *all* of your certificates, run
"certbot-auto renew"
- If you like Certbot, please consider supporting our work by:

Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
Donating to EFF:                    https://eff.org/donate-le

To add the SSL certificate to your website, you will again need to edit the configuration file

nano /etc/nginx/sites-available/default

Find the server block, and comment out the lines that configure the server to listen on port 80.

Next, configure your server to listen on port 443. (Note: Change all instances of example.com to your own domain)

    listen 443 ssl;

    server_name example.com www.example.com;

    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
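
A preflight check for the two certificate lines above, as an added example that is not part of the original guide: it reports a path that does not exist, a leftover example.com in only one of the lines, and a certificate path that is not fullchain.pem. The function names and the ROOT_PREFIX argument are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the original page: preflight check of the
# ssl_certificate / ssl_certificate_key lines before "service nginx restart".
# Usage (after sourcing this file): check_tls_config CONFIG_FILE [ROOT_PREFIX]
# ROOT_PREFIX is an assumption made for testing: it is prepended to each
# path read from the config so the check can run against a scratch tree.

# Print the first argument of every active (uncommented) directive $1 in file $2.
directive_values() {
    awk -v name="$1" '
        { sub(/#.*/, "") }          # strip comments, so commented-out directives are ignored
        $1 == name { v = $2; sub(/;$/, "", v); print v }
    ' "$2"
}

check_tls_config() {
    conf=$1 root=${2:-} problems=0
    cert=$(directive_values ssl_certificate "$conf" | head -n 1)
    key=$(directive_values ssl_certificate_key "$conf" | head -n 1)
    if [ -z "$cert" ] || [ -z "$key" ]; then
        echo "missing ssl_certificate or ssl_certificate_key directive"
        return 1
    fi
    for f in "$cert" "$key"; do
        if [ ! -r "$root$f" ]; then
            echo "not readable: $f"
            problems=$((problems + 1))
        fi
    done
    # A leftover example.com in only one line shows up as a directory mismatch.
    if [ "$(dirname "$cert")" != "$(dirname "$key")" ]; then
        echo "certificate and key are in different directories"
        problems=$((problems + 1))
    fi
    # cert.pem carries no intermediate certificate; the page uses fullchain.pem.
    case $cert in
        */fullchain.pem) ;;
        *) echo "ssl_certificate should point at fullchain.pem"
           problems=$((problems + 1)) ;;
    esac
    [ "$problems" -eq 0 ]
}
```

Run it as root against /etc/nginx/sites-available/default, since the /etc/letsencrypt/live directory is not readable by other users.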

Now restart Nginx to load the new SSL certificates

service nginx restart

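To renew your certificates, you can run the command below. The webroot validation request arrives over HTTP on port 80, so the .well-known location must be reachable there when you renew.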

certbot-auto renew

Last modified: February 27 2017 15:46:03