Let’s Encrypt is a free, automated, and open certificate authority (CA), run for the public’s benefit. Let’s Encrypt is a service provided by the Internet Security Research Group (ISRG).
Install the certbot client (make the downloaded certbot-auto script executable):
chmod a+x certbot-auto
If you don't have any app server running on port 80:
./path/to/certbot-auto certonly --standalone -d example.com -d www.example.com
If you have an existing web server running on port 80:
./path/to/certbot-auto certonly --webroot -w /path/to/public -d example.com -d www.example.com
Make sure you enter a valid email for recovery and agree to the terms. Then you should see a "cert is successfully generated" message. Example:
IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at
   /etc/letsencrypt/live/domain_name.com/fullchain.pem. Your cert will
   expire on YYYY-MM-DD. To obtain a new or tweaked version of this
   certificate in the future, simply run certbot-auto again. To
   non-interactively renew *all* of your certificates, run
   "certbot-auto renew"
 - If you like Certbot, please consider supporting our work by:
   Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
   Donating to EFF: https://eff.org/donate-le
Now edit your nginx server block to use the generated certs and restart your server.
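A minimal pair of server blocks for this step, as an added example that is not from the original page. It assumes the certificate was issued for example.com with the webroot /path/to/public used above; the directory under /etc/letsencrypt/live/ is named after the certificate, so adjust the paths to match your own output.

```nginx
# Added example; domain names and paths are placeholders taken from the commands above.
server {
    listen 80;
    server_name example.com www.example.com;

    # Keep the HTTP-01 challenge path reachable over plain HTTP so that
    # "certonly --webroot" and later renewals can be validated.
    # root must match the -w value passed to certbot.
    location /.well-known/acme-challenge/ {
        root /path/to/public;
    }

    # Send everything else to HTTPS.
    location / {
        return 301 https://$host$request_uri;
    }
}

server {
    listen 443 ssl;
    server_name example.com www.example.com;

    # fullchain.pem is the leaf certificate plus intermediates;
    # privkey.pem is the matching private key (keep it readable by root only).
    ssl_certificate     /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

    # TLSv1.3 needs nginx 1.13.0+ built against OpenSSL 1.1.1; drop it on older builds.
    ssl_protocols TLSv1.2 TLSv1.3;

    root /path/to/public;
}
```

Run nginx -t to validate the configuration before restarting, so that a typo in a certificate path does not take the site down.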
Note that a Let's Encrypt certificate expires every 3 months, but you can use a scheduled job, such as a crontab entry, to renew it automatically.
Edit the crontab and add the lines for your system:
#Ubuntu 14.04
1 2 * * * /path/to/certbot-auto renew --no-self-upgrade >> /path/to/letsencrypt_crontab.log
2 2 * * * sudo /etc/init.d/nginx restart >> /path/to/letsencrypt_crontab.log
#Ubuntu 16.04
1 2 * * * /usr/bin/letsencrypt renew >> /path/to/letsencrypt_crontab.log
2 2 * * * /etc/init.d/nginx restart >> /path/to/letsencrypt_crontab.log
You should use a random minute, and invoke this job not more than twice a day.