Lets encrypt.org setup guide with nginx and ubuntu - the manual guide: how to get a free SSL certificate

Letsencrypt.org is one of a few companies promoting internet encryption - by offering free trusted SSL certificates.

On this page we will run through the commands you can use to setup a free SSL cert on NGINX, and Ubuntu.

Prerequisites: ssh, root access, linux (in this case, ubuntu), git.

1: Clone the letsencrypt repository from github:

sudo git clone https://github.com/letsencrypt/letsencrypt /opt/letsencrypt

2. Change directory:

cd /opt/letsencrypt

3. Generate the certificate.

Note for this step to work, your A record for your domain must be pointing to the server, and the webroot must be already configured.

Replace example.com, and your --webroot-path directory:

./letsencrypt-auto certonly -a webroot --webroot-path=/home/user/www -d example.com -d www.example.com

4. Your certificate will be at the following path:


... If we list these files (ls /etc/letsencrypt/live/example.com/:

lrwxrwxrwx 1 root root 36 May  5 02:53 cert.pem -> ../../archive/example.com/cert1.pem
lrwxrwxrwx 1 root root 37 May  5 02:53 chain.pem -> ../../archive/example.com/chain1.pem
lrwxrwxrwx 1 root root 41 May  5 02:53 fullchain.pem -> ../../archive/example.com/fullchain1.pem
lrwxrwxrwx 1 root root 39 May  5 02:53 privkey.pem -> ../../archive/example.com/privkey1.pem

5. Add the above to your nginx configuration (assuming you already have a server block with ssl setup, add the following lines)

server {
        ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

6. While we are on the topic, here is how to make your NGINX SSL connection more secure:

First, run the following.

sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048

Then, add the following to above server block:

ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_dhparam /etc/ssl/certs/dhparam.pem;
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:50m;
ssl_stapling on;
ssl_stapling_verify on;
add_header Strict-Transport-Security max-age=15768000;

Don’t forget to restart nginx once you finish!

sudo service nginx restart

You should now be able to visit your website at https://example.com, without any browser warnings and a high level of security.