Tutorial for installing Let's Encrypt for nginx. Works also with reverse proxy like CloudFlare.
- Ubuntu 16.04 Server 64-bit
- Nginx 1.10.0
- letsencrypt-auto
#Install letsencrypt-auto Use following command to install Let's Encrypt Client:
sudo apt-get install git
git clone https://github.com/letsencrypt/letsencrypt
cd letsencrypt
./letsencrypt-auto
When it's done, it may say this:
Installation succeeded.
No installers seem to be present and working on your system; fix that or try running certbot with the "certonly" command
root@kaffe:~/letsencrypt#
Run following command every time that you want to create a certificate.
/root/.local/share/letsencrypt/bin/letsencrypt certonly --webroot --webroot-path /usr/share/nginx/html/ --renew-by-default --email you@gmail.com --text --agree-tos -d yourdomain.com -d www.yourdomain.com
Replace:
- you@gmail.com with your email
- yourdomain.com with your domain
- /usr/share/nginx/html/ with your website root domain
If you get message like this, you've created your certificate successfully:
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at
/etc/letsencrypt/live/yourdomain.com/fullchain.pem. Your
cert will expire on 2016-10-17. To obtain a new or tweaked version
of this certificate in the future, simply run letsencrypt-auto
again. To non-interactively renew *all* of your certificates, run
"letsencrypt-auto renew"
root@kaffe:~/letsencrypt#
Your certificate's path is:
/etc/letsencrypt/live/yourdomain.com/fullchain.pem
And private key is in:
/etc/letsencrypt/live/yourdomain.com/privkey.pem
Go to the sites-available folder with this command:
cd /etc/nginx/sites-available
Then, open your Vhost.
nano [your conf file, e.g. yourdomain.com]
Add this line to vhost, if you want to force SSL:
return 301 https://$server_name$request_uri;
Open your Vhost if it's not opened yet (you can also use instead of nano some another text editor, like vim).
nano [your conf file, e.g. yourdomain.com]
Copy your existing VHost to end of the file.
Change 80 (HTTP port) to 443 (HTTPS port), you can use another port if you want, and add this to under listen 443:
ssl on;
ssl_certificate /etc/letsencrypt/live/yourdomain.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/yourdomain.com/privkey.pem;
Now your VHost should be like this:
server {
listen 80;
listen [::]:80;
root /your/website/root;
index index.php index.html index.htm;
server_name yourdomain.com;
return 301 https://$server_name$request_uri;
location / {
try_files $uri $uri/ =404;
}
location ~ \.php$ {
include snippets/fastcgi-php.conf;
fastcgi_pass unix:/run/php/php7.0-fpm.sock;
}
location ~ /\.ht {
deny all;
}
}
server {
listen 443;
listen [::]:443;
root /your/website/root;
index index.php index.html index.htm;
server_name yourdomain.com;
ssl on;
ssl_certificate /etc/letsencrypt/live/yourdomain.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/yourdomain.com/privkey.pem;
location / {
try_files $uri $uri/ =404;
}
location ~ \.php$ {
include snippets/fastcgi-php.conf;
fastcgi_pass unix:/run/php/php7.0-fpm.sock;
}
location ~ /\.ht {
deny all;
}
}
Use following command to restart your nginx:
sudo service nginx restart
If you don't get any message of it, and https://yourdomain.com/ works, you are installed successfully Let's Encrypt certificate to your web server!