certbot SSL Let’s Encrypt

Certbot has an Nginx plugin, which is supported on many platforms, and automates both obtaining and installing certs.

$ sudo apt-get install python-certbot-nginx

$ sudo certbot --nginx

certbot certonly --email my_email@domain.com -d domain.com --standalone

certbot --authenticator standalone certonly --email my_email@domain.com -d www.{DOMAIN} -d {DOMAIN} --pre-hook "service nginx stop" --post-hook "service nginx start"

Renew one cert: certbot renew --cert-name ${cert_name}

Running certbot --nginx will obtain a certificate for you and have Certbot edit your Nginx configuration automatically to serve it. If you’re feeling more conservative and would like to make the changes to your Nginx configuration by hand, you can use the certonly subcommand:

$ sudo certbot --nginx certonly

Note: the Nginx plugin with certonly does the following:

  1. makes temporary config changes (adding a new server block to pass an ACME challenge)
  2. performs a graceful reload
  3. reverts all changes
  4. performs another graceful reload

This appears to be a reliable process, but if you don’t want Certbot to touch your Nginx process or files in any way, you can use the webroot plugin.

Automating renewal

The Certbot packages on your system come with a cron job that will renew your certificates automatically before they expire. Since Let’s Encrypt certificates last for 90 days, it’s highly advisable to take advantage of this feature. You can test automatic renewal for your certificates by running this command:

$ sudo certbot renew --dry-run

If that appears to be working correctly, you can arrange for automatic renewal by adding a cron or systemd job which runs the following:

certbot renew
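A dry run only proves that renewal can work; it does not tell you that the cron or systemd job actually ran. The following added example (not certbot's own code) checks how many days a deployed certificate has left and flags it when it is inside the 30-day window in which certbot should already have renewed it. The threshold, the function names and the certificate path (assumed to follow certbot's usual /etc/letsencrypt/live/<domain>/fullchain.pem layout) are assumptions; it relies on GNU date and openssl.

```shell
#!/bin/sh
# Added example, not part of certbot: detect a renewal job that silently stopped working
# by looking at the days remaining on the certificate that Nginx is actually serving.
RENEW_THRESHOLD_DAYS=30   # certbot renews at 30 days before expiry; below this, something is wrong

# Print the whole days remaining until the given openssl "notAfter=..." string.
# Negative means the certificate has already expired. Requires GNU date (-d).
days_left() {
    not_after="${1#notAfter=}"
    expiry_epoch=$(date -u -d "$not_after" +%s) || return 2
    now_epoch=$(date -u +%s)
    echo $(( (expiry_epoch - now_epoch) / 86400 ))
}

# Return 0 (true) when the certificate is at or below the renewal threshold.
needs_renewal() {
    d=$(days_left "$1") || return 2
    [ "$d" -le "$RENEW_THRESHOLD_DAYS" ]
}

# Read the notAfter line from a PEM file on disk.
cert_not_after() {
    openssl x509 -noout -enddate -in "$1"
}

# Check one domain's live certificate; the non-zero exit is meant for cron or a monitoring check.
check_live_cert() {
    domain="$1"
    pem="${2:-/etc/letsencrypt/live/$domain/fullchain.pem}"   # assumed certbot layout; override with 2nd arg
    na=$(cert_not_after "$pem") || { echo "cannot read $pem" >&2; return 2; }
    d=$(days_left "$na")
    if needs_renewal "$na"; then
        echo "$domain: $d days left, renewal overdue; run: certbot renew --cert-name $domain"
        return 1
    fi
    echo "$domain: $d days left, OK"
}

# Usage: sh check_cert.sh example.com [/path/to/fullchain.pem]
if [ $# -gt 0 ]; then
    check_live_cert "$@"
fi
```

Schedule it from cron a day or two after the renewal job so a broken renewal is reported before the certificate expires.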