Install Certbot
Debian/Ubuntu
# Refresh the package index, then install Certbot together with its nginx plugin.
sudo apt update
sudo apt install certbot python3-certbot-nginx
RHEL/CentOS
# Enable the EPEL repository first; the certbot packages are installed after it.
sudo dnf install epel-release
sudo dnf install certbot python3-certbot-nginx
FreeBSD
# No sudo prefix here: run this as root (or through sudo/doas).
# NOTE(review): the py39- prefix ties the package name to one Python flavour;
# confirm the current name with `pkg search certbot` before installing.
pkg install py39-certbot py39-certbot-nginx
Obtain Certificate
# Automatic (recommended): the nginx plugin obtains the certificate and also
# edits the matching nginx server block, so review the resulting config diff.
sudo certbot --nginx -d example.com -d www.example.com
# Manual (webroot): certbot only writes challenge files below the -w directory
# and leaves nginx untouched. The -w path must be the document root that nginx
# actually serves for this domain over plain HTTP (port 80).
sudo certbot certonly --webroot -w /var/www/html -d example.com
# Standalone: certbot starts its own temporary web server for the challenge,
# so port 80 must be free. It does not stop nginx for you; stop nginx first or
# wrap the run with --pre-hook/--post-hook.
sudo certbot certonly --standalone -d example.com
Certificate Locations
/etc/letsencrypt/live/example.com/
├── fullchain.pem # Certificate + intermediate
├── privkey.pem # Private key (keep secret; never share or publish it)
├── cert.pem # Certificate only
└── chain.pem # Intermediate certificate
Nginx Configuration
# HTTPS virtual host using the Let's Encrypt certificate for example.com.
# This block covers port 443 only; a separate port-80 server block (not shown
# here) is still needed for HTTP-01 challenges and for redirecting to HTTPS.
server {
listen 443 ssl http2;
server_name example.com www.example.com;
# Use fullchain.pem (leaf + intermediate), not cert.pem, so clients receive
# the full chain.
ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
# Include Certbot's recommended settings
# These two files are written by Certbot's nginx plugin. If the certificate
# was obtained with `certonly` and the plugin never ran, they may be missing
# and `nginx -t` will fail; verify they exist before reloading.
include /etc/letsencrypt/options-ssl-nginx.conf;
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
}
Automatic Renewal
# Test renewal: --dry-run exercises the whole renewal path without replacing
# the certificates on disk.
sudo certbot renew --dry-run
# Renewal runs automatically via cron/systemd timer
# Check timer status
# NOTE(review): the unit name depends on how certbot was installed (snap
# installs use a different timer name); `systemctl list-timers` shows it.
sudo systemctl status certbot.timer
# Manual renewal: only certificates that are close to expiry are renewed.
sudo certbot renew
Renewal Hooks
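#!/bin/bash
# /etc/letsencrypt/renewal-hooks/post/nginx-reload.sh
#
# Reloads nginx after certbot's renewal run so new certificates are served.
# The shebang must be the first line of the file, and the file must be
# executable and writable by root only, because certbot runs it as root.
# Scripts in renewal-hooks/post/ run after a renewal attempt; placing the
# script in renewal-hooks/deploy/ instead limits it to certificates that were
# actually renewed.
set -eu

# Validate the configuration first so a broken config is reported as a hook
# failure rather than a failed reload.
nginx -t
systemctl reload nginx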
Wildcard Certificates
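# Requires DNS validation (wildcards can only be validated with DNS-01).
# The wildcard name is quoted so the shell passes it to certbot literally
# instead of trying to expand it against files in the current directory.
# With --manual the TXT record is created by hand, so this certificate will
# not renew unattended unless an auth hook is configured.
sudo certbot certonly --manual --preferred-challenges=dns \
  -d example.com -d '*.example.com'
# Or with DNS plugin (e.g., Cloudflare)
# The credentials file holds a DNS API secret: restrict it to root before use,
# and prefer an API token scoped to DNS edits on this zone over a global key.
sudo chmod 600 /etc/letsencrypt/cloudflare.ini
sudo certbot certonly --dns-cloudflare \
  --dns-cloudflare-credentials /etc/letsencrypt/cloudflare.ini \
  -d example.com -d '*.example.com'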
Troubleshooting
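# View certificate info (names, expiry, and file paths of every managed cert)
sudo certbot certificates
# Check expiry
openssl x509 -dates -noout -in /etc/letsencrypt/live/example.com/cert.pem
# Force renewal
# `renew` selects a certificate by --cert-name, not by -d. Forced renewals
# count against the CA's rate limits, so use this sparingly.
sudo certbot renew --force-renewal --cert-name example.com
# Revoke certificate
# Revocation cannot be undone. If the private key may have been exposed, add
# `--reason keycompromise`, then issue a new certificate with a new key.
# Remove or repoint the nginx ssl_certificate lines before deleting the files,
# otherwise the next nginx reload fails.
sudo certbot revoke --cert-path /etc/letsencrypt/live/example.com/cert.pem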
beginner | SSL/TLS | Updated 2025-01-15
- nginx
- ssl
- letsencrypt
- certbot
- free certificate
- https