Last active October 16, 2023 09:17
SSL via Let's Encrypt (nginx server)

Nginx SSL via Let's Encrypt and

This guide walks you through installing a valid SSL certificate on your server for your site at This example uses the root user; you may need to use sudo if you encounter problems such as write permissions.


  • Install on your server. This will create a folder in your home directory and, more importantly, create a daily cron job to check and renew certificates if needed.
  • Install nginx server (this differs per distribution, so just make sure you have it up and running)

NOTE: It is important that you don't deny access to hidden files in your system. Check your nginx config file for this:

location ~ /\. {
  deny all;
  access_log off;
  log_not_found off;
}

and remove the deny all line from it.
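An alternative that keeps hidden files blocked while still letting webroot validation through, as an added example that is not part of the original gist. It assumes the HTTP-01 challenge files are served from /.well-known/acme-challenge/ under the /srv/www/ webroot used in this guide; example.com is a placeholder domain.

```nginx
# Added example, not from the original gist.
server {
    listen 80;
    server_name example.com;   # placeholder domain (assumption)
    root /srv/www/;            # webroot passed to the issue command with -w

    # HTTP-01 validation files are written under this path in the webroot.
    # ^~ makes this prefix match final, so nginx does not go on to evaluate
    # the regex location below for challenge requests.
    location ^~ /.well-known/acme-challenge/ {
        default_type text/plain;
        try_files $uri =404;
    }

    # Every other dot-file or dot-directory (.git, .env, .htpasswd, ...)
    # stays blocked, exactly as in the original rule.
    location ~ /\. {
        deny all;
        access_log off;
        log_not_found off;
    }
}
```

With this in place the deny all line can stay, so files such as .git or .env in the webroot are not exposed by the change.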

Issuing a certificate

Command: --issue -d -w /srv/www/

where is the main domain we issue the certificate for, and /srv/www/ is the root folder set in your nginx configuration. Generated/issued certs will be placed in ~/


  • Your domain's A record must point to this server.
  • Use sudo if needed.
  • You must have write access to nginx's root folder.

Sample output of a successful certificate issuance

Creating account key
Use default length 2048
Account key exists, skip
Skip register account key
Creating domain key
Use length 2048
Creating csr
Verify each domain
Getting token for
Getting token for
Verify finished, start to sign.
Cert success.

Your cert is in /root/
The intermediate CA cert is in /root/
And the full chain certs is there: /root/

Updating nginx config

Modify your nginx config and add the following to your server block.

server {
    listen 443 ssl;
    ssl_certificate /root/; # use fullchain.cer for complete certificate
    ssl_certificate_key /root/; # keep this private as much as possible

    ssl_session_cache shared:SSL:20m;
    ssl_session_timeout 60m;
    ssl_prefer_server_ciphers on;
    # TLSv1 and TLSv1.1 are deprecated (RFC 8996); drop them unless legacy clients need them
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

    ## Enable below if you will follow `Improve Security` below
    # ssl_dhparam /etc/ssl/certs/dhparams.pem;
    # add_header Strict-Transport-Security max-age=31536000;
}

BONUS: Force https config as per below:

Improve security

To improve security, generate Diffie-Hellman ephemeral parameters for forward secrecy:

cd /etc/ssl/certs/
openssl dhparam -out dhparams.pem 4096

NOTE: If you follow this step, uncomment the needed lines in the nginx config above. But hey, grab a coffee, that will surely take a while. :)

Voila! Success

Test and reload nginx server

Run nginx -t, then service nginx reload (or whatever applies for your distro).

Test your SSL quality at Qualys SSL Labs, or head straight here and type in your https site URL.

Visit your site at and you should see it properly without errors if everything went well.

Transferring location of certificates

If you need to transfer the certificate to another location, see this and make the corresponding update in your nginx config file.
