Install a Let's Encrypt SSL (Nginx)

You can add a Let's Encrypt SSL certificate to any website hosted on your server. You can get more information about Let's Encrypt and their SSL certificates on their website.

Warning: You must renew Let's Encrypt SSL certificates every 90 days, otherwise the certificate will expire and your website will generate errors.


This article assumes a few things:

  • Your domain is pointed to your server
  • You have Git installed
  • You have NGINX installed as your web server (we also recommend creating NGINX server blocks)

Install the Let's Encrypt application

  1. Connect to your server via SSH (Mac/Windows)
  2. Clone the Let's Encrypt program from Git:
    sudo git clone
  3. Move into the letsencrypt directory:
    cd letsencrypt
  4. Install the letsencrypt application:

Create your certificate

  1. Create a DOMAINS variable for the URLs you want to secure (these are also known as common names):
    export DOMAINS="your domain name,www.your domain name"
  2. Create a DIR variable which stores the root of your website (we're assuming you've used our guide to create NGINX server blocks):
    export DIR=/usr/share/nginx/your domain name
  3. Create your certificate:
    ~/letsencrypt/letsencrypt-auto certonly --server -a webroot --webroot-path=$DIR -d $DOMAINS
  4. Enter your email address and then press enter.
  5. Agree to Let's Encrypt's terms.

In the Important Notes section, the first bullet of the letsencrypt application's output tells you where it stored your certificate. Note this location because you'll need it later. It should look something like this:

/etc/letsencrypt/live/your domain name/fullchain.pem

Configure NGINX for SSL traffic

  1. Stop the NGINX process:
    sudo service nginx stop
    Warning: After running this command, websites on your server will stop working until you restart NGINX after installing your SSL certificate.
  2. Open your website's NGINX config file:
    sudo vim /etc/nginx/sites-available/default
    ...or if you've configured NGINX server blocks:
    sudo vim /etc/nginx/sites-available/your domain name
  3. Delete the following two lines from the first server block:
    listen 80 default_server;
    listen [::]:80 default_server ipv6only=on;
  4. Add, edit, or make sure you have the following lines (none of the lines should be duplicates):
    listen 443 ssl;
    server_name your domain name www.your domain name;
    ssl_certificate /etc/letsencrypt/live/your domain name/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/your domain name/privkey.pem;
    The two directives beginning with ssl_ should use the value you got from the letsencrypt application's output (Important Notes section) when you created the certificate.
  5. Add the following lines to your server block to prevent security issues from using weaker security protocols:
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
  6. Outside of the server block you've been using, add a new server block to redirect all non-HTTPS traffic to HTTPS:
    server {
        listen 80;
        server_name your domain name www.your domain name;
        return 301 https://$host$request_uri;
    }
  7. Save and close the file:

Note: Don't bother restarting NGINX yet - we'll do that after we agree to the subscriber agreement in the next section.
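
The ssl_protocols line in step 5 still enables TLSv1 and TLSv1.1, which RFC 8996 formally deprecated. The following check is an added example, not part of the original article: it reads an NGINX config and flags deprecated protocol versions and a missing HTTP-to-HTTPS redirect. The sample config is constructed from this article's directives, and the function names are illustrative.

```shell
#!/bin/sh
# Added example, not from the original article. It only reads the config file.

# Print one directive per line: drop comments, join lines, split on ; { }.
directives() {
    sed 's/#.*//' "$1" | tr '\n' ' ' | tr ';{}' '\n\n\n'
}

# Print each protocol named by an ssl_protocols directive, one per line.
enabled_protocols() {
    directives "$1" |
        awk '$1 == "ssl_protocols" { for (i = 2; i <= NF; i++) print $i }' | sort -u
}

# Print the enabled protocols that are deprecated (SSLv2/3, TLS 1.0/1.1).
weak_protocols() {
    enabled_protocols "$1" | grep -E '^(SSLv2|SSLv3|TLSv1|TLSv1\.1)$' || true
}

# Succeed if some block answers with a 301 redirect to an https:// URL.
has_https_redirect() {
    directives "$1" | awk '
        $1 == "return" && $2 == "301" && $3 ~ /^https:\/\// { found = 1 }
        END { exit !found }'
}

# Print findings; exit status 1 if anything was flagged.
audit_config() {
    rc=0
    for proto in $(weak_protocols "$1"); do
        echo "WEAK: $proto is enabled in ssl_protocols"; rc=1
    done
    has_https_redirect "$1" || { echo "MISSING: 301 redirect to HTTPS"; rc=1; }
    return "$rc"
}

# Constructed sample built from this article's directives.
sample=$(mktemp); trap 'rm -f "$sample"' EXIT
cat > "$sample" <<'EOF'
server {
    listen 443 ssl;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;   # as given in step 5
}
server {
    listen 80;
    return 301 https://$host$request_uri;
}
EOF
audit_config "$sample" || echo "Review the findings above."
```

The comment stripping is deliberately simple and does not handle a # inside a quoted string. To audit a real site, call audit_config with the path of the file you edited in step 2.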

Agree to the Let's Encrypt Subscriber Agreement

Let's Encrypt requires you to manually set the flag indicating you have read their Subscriber Agreement. If you skip this step, you cannot renew your certificate.

  1. Agree to the Let's Encrypt Subscriber Agreement:
    ~/letsencrypt/letsencrypt-auto certonly --agree-tos
  2. Select Automatically use a temporary webserver (standalone) and then press enter.
  3. Enter your domain name and then press Enter.
  4. If prompted, select Keep the existing certificate for now and then press enter.

Restart NGINX

Now that you've requested the SSL certificate, configured NGINX to use it, and accepted the Subscriber Agreement, you can restart NGINX and start serving secured content.

  • sudo service nginx restart

Test your configuration

Test your SSL certificate configuration at

Renew your Let's Encrypt certificate

You must renew your certificate 60-90 days after you create it.

  1. Renew your certificate:
    ~/letsencrypt/letsencrypt-auto renew
  2. Complete the menu options that display.

If you'd like, instead of renewing the certificate manually every 2-3 months, you can write a script that does it for you. Let's Encrypt has some guidance on how to do that in the Writing your own renewal script section of their Getting Started guide.
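
A monitoring piece for such a script, as an added example that is not from the original article or from Let's Encrypt: it reports whether a certificate is inside its renewal window, using openssl x509 -checkend. The 30-day threshold and the script name cert-expiry.sh are assumptions; the certificate path is the one you noted when the certificate was created.

```shell
#!/bin/sh
# Added example, not from the original article. Intended for cron; it only
# reads the certificate file (run it as a user that can read that path).

# Print one of: missing, invalid, expired, renew, ok.
#   $1 = certificate file, $2 = days before expiry at which to renew
cert_state() {
    cert=$1
    days=${2:-30}
    # Missing or unreadable file.
    [ -r "$cert" ] || { echo missing; return; }
    # A file that does not parse as a certificate is a separate failure.
    openssl x509 -noout -in "$cert" >/dev/null 2>&1 || { echo invalid; return; }
    # -checkend N succeeds only if the certificate is still valid N seconds from now.
    if ! openssl x509 -noout -checkend 0 -in "$cert" >/dev/null 2>&1; then
        echo expired
    elif ! openssl x509 -noout -checkend $((days * 86400)) -in "$cert" >/dev/null 2>&1; then
        echo renew
    else
        echo ok
    fi
}

# Print a one-line report; exit status 0 only when no action is needed.
report() {
    state=$(cert_state "$1" "$2")
    end=$(openssl x509 -noout -enddate -in "$1" 2>/dev/null) || end=
    echo "$1: $state ${end:+($end)}"
    [ "$state" = ok ]
}

# Usage:
#   ./cert-expiry.sh "/etc/letsencrypt/live/<your domain>/fullchain.pem" 30
if [ "$#" -gt 0 ]; then
    report "$1" "${2:-30}"
fi
```

A non-zero exit status means the certificate needs attention, so a cron job can use it to trigger an alert or the renew command from step 1.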
