Let’s Encrypt is a free, automated, and open certificate authority (CA), run for the public’s benefit. Let’s Encrypt is a service provided by the Internet Security Research Group (ISRG).
Install certbot client:
wget https://dl.eff.org/certbot-auto
chmod a+x certbot-auto
./certbot-autoIf you don't have any app server running on port 80:
./path/to/certbot-auto certonly --standalone -d example.com -d www.example.comIf you have an existing web server running on port 80:
./path/to/certbot-auto certonly --webroot -w /path/to/public -d example.com -d www.example.comMake sure you enter a valid email for recovery and agree to the terms. Then you should see a "cert is successfully generated" message. Example:
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at
/etc/letsencrypt/live/domain_name.com/fullchain.pem.
Your cert will expire on YYYY-MM-DD. To obtain a new or tweaked
version of this certificate in the future, simply run certbot-auto
again. To non-interactively renew *all* of your certificates, run
"certbot-auto renew"
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-leNow edit your nginx server block to use the generated certs and restart your server.
ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;Note that Let's Encrypt cert expires every 3 months, but you can use a scheduled job to automatically renew it. Such as crontab.
crontab -eEdit the crontab, add this line:
#Ubuntu 14.04
1 2 * * * /path/to/certbot-auto renew --no-self-upgrade >> /path/to/letsencrypt_crontab.log
2 2 * * * sudo /etc/init.d/nginx restart >> /path/to/letsencrypt_crontab.log
#Ubuntu 16.04
1 2 * * * /usr/bin/letsencrypt renew >> /path/to/letsencrypt_crontab.log
2 2 * * * /etc/init.d/nginx restart >> /path/to/letsencrypt_crontab.log
You should use a random minute, and invoke this job not more than twice a day.