Published 26/03/2018
Last Updated 20/11/2024

15th Jan 2024: added command for Ubuntu 20+

Suppose we have a running website example.com with proper Nginx config for HTTP access. Follow three steps below we will have the website secured with HTTPS using Let's Encrypt certificates.

Install Certbot

sh # Ubuntu 20+ sudo apt-get install python3-certbot-nginx # Earlier versions sudo add-apt-repository ppa:certbot/certbot # press enter to accept sudo apt-get update sudo apt-get install python-certbot-nginx

Generating certificates

sudo certbot --nginx -d example.com

If this is the first time running certbot it will ask for your email, acceptance to terms of services then doing the challenge for the domain. If the process is successful it will continue to ask if you want to redirect http to https

Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
-------------------------------------------------------------------------------
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
-------------------------------------------------------------------------------
Select the appropriate number [1-2] then [enter] (press 'c' to cancel):

Select your choice and hit enter, nginx config for the domain will be updated and reload. Testing your site to verify it works.

Certbot auto-renewal

Let's Encrypt certificates last for 90 days so we need to renew certificates before they expire.

To test renewal process, make a dry run

sudo certbot renew --dry-run

Make certbot renewal automatically by adding the command to cron

15 3 * * * /usr/bin/certbot renew --quiet

Note: If using CloudFlare the TLS-SNI challenge used by renew command would not work. We need to append this option to the renew command

15 3 * * * /usr/bin/certbot renew --quiet --preferred-challenges http