27 Jan

Adding SSL with Let’s Encrypt and NGINX

Editor – This is an update to a previous blog post about using Let’s Encrypt certificates with NGINX. This new blog is based on newly added NGINX support in certbot.

The Certbot client supports two types of plugins for obtaining and installing certificates: authenticators and installers.

Authenticators validates that you control the domain(s) you are requesting a certificate for, obtains a certificate for the specified domain(s), and places the certificate in the /etc/letsencrypt directory on your machine. The authenticator does not install the certificate (it does not edit any of your server’s configuration files to serve the obtained certificate).

Installers are Plugins used with the install command to install a certificate. These plugins can modify your webserver’s configuration to serve your website over HTTPS using certificates obtained by certbot.

Let’s Encrypt client provides 3 plugins for different web servers.

apache – Automates obtaining and installing a certificate with Apache 2.4 on Debian-based distributions with libaugeas0 1.0+.
webroot – Obtains a certificate by writing to the webroot directory of an already running webserver.
nginx – Automates obtaining and installing a certificate with Nginx.
standalone – Uses a “standalone” webserver to obtain a certificate. This is useful on systems with no webserver, or when direct integration with the local webserver is not supported or not desired. Requires port 80 or 443 to be available.
manual – Helps you obtain a certificate by giving you instructions to perform domain validation yourself. Additionally allows you to specify scripts to automate the validation task in a customized way.

We will be using the webroot plugin for this guide

1. Add the certbot repository:

$ sudo add-apt-repository ppa:certbot/certbot

Now install certbot:

$ sudo apt-get update
$ sudo apt-get install python-certbot-nginx

2. Set up NGINX
Add the webroot on the nginx server block

$ sudo vi /etc/nginx/sites-available/example.com
server {
listen 80 default_server;
listen [::]:80 default_server;
server_name example.com www.example.com;

#LetsEncrypt webroot
location ~ /.well-known {
allow all;
root /home/www/example;
$ sudo nginx -t
$ sudo service nginx restart
3. Obtain the SSL certificate
$ sudo certbot certonly --webroot -w /home/www/example/ -d example.com -d www.example.com

4. Update NGINX
$ sudo vi /etc/nginx/sites-available/example.com

Check if the settings are updated by the

server {
listen 80;
server_name example.com www.example.com;

# Redirect non-https traffic to https
location / { return 301 https://$host$request_uri; }
server {
listen 443 ssl;
server_name example.com www.example.com;

# RSA certificate
ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem; # managed by Certbot

include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
$ sudo nginx -t
$ sudo service nginx restart

To obtain a new certificate that contains additional domains without replacing your existing certificate you must use the –duplicate option.

For example:
$ /usr/bin/certbot --duplicate certonly --webroot -w /home/www/example/ -d example.com -d www.example.com -d sub.example.com


$ sudo certbot --nginx -d conva.net -d home/www/example/ -d example.com -d www.example.com -d sub.example.com

5. Add R
sudo crontab -e

Add line on crontab
12 3 * * * letsencrypt renew >> /var/log/letsencrypt/renew.log