Setting up Let’s Encrypt – SSL for Domains


Configure the SSL for the domain

Set up the web root at


Install Certbot

1. Install Certbot

sudo add-apt-repository ppa:certbot/certbot
sudo apt-get update
sudo apt-get install certbot


Obtain SSL Certificate

1. Create /.well-known in web root path of your site

sudo mkdir /var/www/

2. Update your site nginx configuration

sudo nano /etc/nginx/sites-available/mydomain.conf
server {
root /var/www/;


  # Add this to your server block
  location ~ /.well-known {
    allow all;


3. Restart NGINX

sudo service nginx restart

4. Generate certificate files from certbot

sudo certbot certonly --webroot --webroot-path=/var/www/ -d

email : [email protected]

5. Generate Strong Diffie-Hellman Group

sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048


Configure TLS/SSL on Web Server (Nginx)

1. Create a Configuration Snippet Pointing to the SSL Key and Certificate

sudo nano /etc/nginx/snippets/
ssl_certificate /etc/letsencrypt/live/;
ssl_certificate_key /etc/letsencrypt/live/;

2. Create a Configuration Snippet with Strong Encryption Settings

sudo nano /etc/nginx/snippets/ssl-params.conf

# from
# and

ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ecdh_curve secp384r1;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off;
ssl_stapling on;
ssl_stapling_verify on;
resolver valid=300s;
resolver_timeout 5s;
# disable HSTS header for now
#add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;

ssl_dhparam /etc/ssl/certs/dhparam.pem;

3. Adjust the Nginx Configuration to Use SSL

sudo nano /etc/nginx/sites-available/mydomain.conf
server {
  listen 80;

  return 301 https://$server_name$request_uri;

server {
  # SSL configuration

  #listen 443 ssl http2 default_server;
  listen 443 ssl http2;

  root /var/www/;

  location ~ /.well-known {
    allow all;

  include snippets/;
  include snippets/ssl-params.conf;

4. Restart Nginx

sudo service nginx restart

5. Access the domain


Set Up Auto Renewal

* Since certificate files are valid up to 90 days

1. Add to crontab

sudo crontab -e
15 3 * * * sudo /usr/bin/certbot renew --quiet --renew-hook "sudo /bin/systemctl reload nginx"
Previous Ubuntu - For Developer, By Developer
Next Cloud Foundry - Hosting a Static Web App