First run this command in console:
certbot certonly --webroot -w /path/to/webroot/ -d domain.name
Then, create /etc/nginx/snippets/ssl-domain.name.conf
ssl on;
ssl_certificate /etc/letsencrypt/live/domain.name/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/domain.name/privkey.pem;
Next, update domain.name.conf in /etc/nginx/sites-available/
server {
listen 443 ssl http2;
server_name domain.name;
include snippets/domain.name.conf;
include snippets/ssl-params.conf;
...
}
For creation ssl-params.conf, please refer to this guide. Example please refer below:
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
ssl_ecdh_curve secp384r1;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off;
ssl_stapling on;
ssl_stapling_verify on;
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 5s;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload";
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
ssl_dhparam /etc/ssl/certs/dhparam.pem;
There is upcoming TLSv1.3 under beta, unsure if it is already supported in nginx. If you're interested, you can try to follow this excellent guide from Mattias Geniar
Thank you @mattiasgeniar for the TLS 1.3 guide