How to use Let's encrypt certificates on your NGINX web server

Let's Encrypt is a free to use certification authority which, in my opinion, has revolutionized the usage of SSL/TLS certificates.You can now use free SSL/TLS certificates on your local machines. The benefits of using a SSL/TLS certificate for your website/blog/company sites... are:

  1. Improved securiy
  2. Improved trust
  3. Ability to use HTTP/2
  4. Better Google search results

How can I use a free Let's Encrypt certificate

In order to get a free certificate you will need a tool called certbot which will handle the getting of the certificate as well as the renewal.

Certbot can be installed using snap and the following command:

sudo snap install --classic certbot

As next step you will need to change your NGINX config so that the server name points to a "real URL."

In your config for your NGINX please change the server_name directive to your URL. This could look like this:

 server {
        listen 80;
        root /var/www/cockpit;
        index index.php;

After that restart your NGINX

sudo service nginx restart

Now you will have to make sure that your A record is pointing to the public IP of your server and port 80 and 443 are forwarded to your server or opened by your firewall. If this is the case you can initiate the certificate issuing.

sudo certbot --nginx

You will be asked for your email and if you agree to the terms and conditions. The question if you are willing to share your email address is up to you.

You will now see a list of your available domains. If you want to only issue a certificate for one domain, enter the number, otherwise leave it blank and hit enter.

Certbot URL selection

After that the certificates will be obtained and you should set the redirect at the end to yes.

In you NGINX config you will now see additional inputs and you restart your NGINX again to make the changes effective.

Certbot additions to config file

How to renew the certificates?

All certificates will be valid for 90 days. It is recommended to renew them at least once a day, maybe even more often. The certifiacates will only be renewed if they are expired.

To do this, set up a cronjob

crontab -e

with the following content

1 1 * * * certbot renew

This way ever day at 1:01 am the renewal will be executed.