Isaac Sloan - Lets Encrypt Setup and Auto Renew (NGINX)

Lets Encrypt Setup and Auto Renew (NGINX)

Installation and Setup

sudo su  - root # NOTE: This has to be run as root. Be very careful!
cd /usr/sbin
chmod a+x certbot-auto

Nginx Configuration

Add the following to your nginx server configuration block vim sites-enabled/

  location ^~ /.well-known/ {
    root /usr/share/nginx/html;

Add folder for well known mkdir -p /usr/share/nginx/html

LetsEncrypt Configuration

Create mkdir -p /etc/letsencrypt && vim /etc/letsencrypt/cli.ini and add the following template. Make sure to change domains, email, etc options.

# All flags used by the client can be configured here. Run Certbot with
# "--help" to learn more about the available options.

# Use a 4096 bit RSA key instead of 2048
rsa-key-size = 4096

# Uncomment and update to register with the specified e-mail address
# email =

# Uncomment and update to generate certificates for the specified
# domains.
domains =,

# Uncomment to use a text interface instead of ncurses
# text = True

authenticator = webroot
webroot-path = /usr/share/nginx/html

Test by running certbot-auto certonly -c /etc/letsencrypt/cli.ini

If everything goes well you should see:

 - Congratulations! Your certificate and chain have been saved at
   "/etc/letsencrypt/live/". Your cert will
   expire on 2016-10-27. To obtain a new or tweaked version of this
   certificate in the future, simply run certbot-auto again. To
   non-interactively renew *all* of your certificates, run
   "certbot-auto renew"
 - If you lose your account credentials, you can recover through
   e-mails sent to
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Lets Encrypt:
   Donating to EFF:          

Now add the certs to your nginx server block and your site will be encrypted. vim /opt/nginx/conf/sites-enabled/

server {
  listen         80;
  #server_name _; # to match all domains on port 80.

  location / {
    return       301 https://$host$request_uri;
  location ^~ /.well-known/ {
    root /usr/share/nginx/html;

server {
  listen 443 ssl;
  ssl_certificate /etc/letsencrypt/live/;
  ssl_certificate_key /etc/letsencrypt/live/;
  ssl_protocols       TLSv1 TLSv1.1 TLSv1.2;
  ssl_ciphers         HIGH:!aNULL:!MD5;
  add_header Strict-Transport-Security "max-age=31536000";

Auto Renew

Run certbot-auto renew --dry-run to test that renewals work.

If successful then run crontab -e and add:

13 22 * * * /usr/sbin/certbot-auto renew --quiet --no-self-upgrade
15 22 * * * service nginx restart

Now your server will check if it needs new certs once a day.

July 20, 2016
comments powered by Disqus