_etc_cron.d_letsencrypt

# m h  dom mon dow   command
# call renew weekly
57 0 */7 * *    root    /etc/letsencrypt/update.sh

_etc_letsencrypt_cli.ini

rsa-key-size = 4096
email = root@mainhost.com
text = True
authenticator = webroot
webroot-path = /etc/letsencrypt/httpd_webroot

_etc_letsencrypt_update.sh

#!/bin/sh -e

root="/opt/letsencrypt"
app="$root/letsencrypt-auto"
VENV_PATH="$root/venv/"
appc="$VENV_PATH/bin/letsencrypt"
args="--config /etc/letsencrypt/cli.ini"

export VENV_PATH

# if there is parameters, exec the letsencrypt app with those
if [ "x$1" != "x" ]; then
        exec $app $args "$@"

# else, do the renew cycle
else
        # renew certs
        $app renew

        # reload nginx if everting is ok
        systemctl reload nginx
fi

# to add new cert to the pool for renewing, run:
#   ./update.sh certonly -d my.custom.domain
# remember to make sure web server is redirecting /.well-known/ to /etc/letsencrypt/httpd_webroot/.well-known/,
# or add -w /web/root/path/ to above command

_etc_nginx_sites-conf_letsencrypt.conf

location /.well-known {
    alias /etc/letsencrypt/httpd_webroot/.well-known;
}

_etc_nginx_sites-enabled_mainhost.com

server {
    listen 80;
    server_name mainhost.com;
    underscores_in_headers on;
    root /var/www/mainhost.com;

    include sites-conf/letsencrypt.conf;

    # redirect to https
    location / { return 302 https://$server_name$request_uri; }
}