How to do SSL with Let's Encrypt

8th November 2022

Let's Encrypt is a non-profit organisation which provides free SSL certificates for websites.

The Let's Encrypt website provides the official documentation for generating and installing a free certificate, which is valid for 3 months.

To install a free SSL certificate, you first must install an ACME client on your production web server (Certbot is the officially recommended one; this guide uses acme.sh, a shell-only alternative).

You can view the acme.sh GitHub page for more information about what the client does.

Installing the acme client on a production server

curl https://get.acme.sh | sh

source ~/.bashrc

acme.sh --version
acme.sh --upgrade --auto-upgrade

You can now register your email address with acme.sh

acme.sh --register-account -m your@emailaddress.com

Generating a certificate

Create a directory in your public directory named .well-known

sudo mkdir ./public/.well-known

Ensure that your user owns this directory

sudo chown -R $USER:$USER ./public/.well-known/

Generate the certificate

acme.sh --issue -d yourdomainname.com -w /var/www/html/projectdirectory/public --server letsencrypt

If your certificate is generated correctly, the script output should inform you of the location of your new certificates.

Installing the certificate with nginx

For many variants of Linux, the location of the SSL directory is:

/etc/nginx/ssl/

Create a directory in nginx/ssl named after your project.

sudo mkdir -p /etc/nginx/ssl/projectdirectory/

Temporarily make the nginx SSL directory world-writable (777), so that acme.sh, which runs as your own user rather than root, can write into it. This is reverted a few steps below.

sudo chmod -R 777 /etc/nginx/ssl/

Run the installer

acme.sh --install-cert -d yourdomainname.com \
    --key-file       /etc/nginx/ssl/projectdirectory/key.pem  \
    --fullchain-file /etc/nginx/ssl/projectdirectory/cert.pem

If successful, the script output should tell you what it has installed. Note that acme.sh also accepts a --reloadcmd option naming a command to run after every install or renewal; without one, nginx keeps serving the old certificate until it is reloaded by hand.

Installing key to: /etc/nginx/ssl/projectdirectory/key.pem

Installing full chain to: /etc/nginx/ssl/projectdirectory/cert.pem

Remember to lock the SSL directory down again, so that only its owner can read it (the private key must never stay world-readable)

sudo chmod -R 700 /etc/nginx/ssl/
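As a check after the install and lock-down steps above, and for the renewal section further down, here is an added example that is not part of the original article: a few POSIX shell functions that audit the SSL directory for anything still accessible to other users, confirm that the installed key and certificate belong together, and fail when the certificate is within a given number of days of expiry. The /etc/nginx/ssl paths are the article's; the function names and the 30-day default are my own choices, and the two certificate checks assume the openssl command-line tool is installed.

```shell
#!/bin/sh
# Added example (not from the article): post-install checks for the
# acme.sh + nginx layout described above.

# 1. Permission audit. Print every entry under the directory that grants
#    read (004), write (002) or execute (001) to "others". After the
#    temporary chmod 777 step, nothing here should be printed.
audit_ssl_dir() {
    find "$1" \( -perm -004 -o -perm -002 -o -perm -001 \) -print
}

# Wrapper with a clear exit status: 0 when clean, 1 with the offending
# paths on stderr otherwise (handy in a cron job or deploy script).
ssl_dir_is_locked_down() {
    findings=$(audit_ssl_dir "$1")
    if [ -n "$findings" ]; then
        printf 'world-accessible entries under %s:\n%s\n' "$1" "$findings" >&2
        return 1
    fi
    return 0
}

# 2. Key/certificate match. Both files carry the same public key, so the
#    SHA-256 of the public key extracted from each must be identical.
#    Usage: key_matches_cert cert.pem key.pem
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey | openssl sha256)
    key_pub=$(openssl pkey -in "$2" -pubout | openssl sha256)
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# 3. Expiry. Succeeds only if the certificate is still valid for at least
#    N days (default 30, a reasonable alarm threshold for a 3-month
#    certificate renewed by a daily cron job).
#    Usage: cert_valid_for_days cert.pem [days]
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( ${2:-30} * 86400 )) >/dev/null
}
```

Source the file as the user that owns the directory (or under sudo) and chain the checks, e.g. `ssl_dir_is_locked_down /etc/nginx/ssl && key_matches_cert /etc/nginx/ssl/projectdirectory/cert.pem /etc/nginx/ssl/projectdirectory/key.pem && cert_valid_for_days /etc/nginx/ssl/projectdirectory/cert.pem`; a non-zero exit is the signal that the 777 step was not reverted, the wrong key was installed, or renewal has silently stopped working.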

Update the HTTPS section of your nginx config

server {
    listen              443 ssl;

    server_name         yourdomainname.com;

    # The old "ssl on;" directive is deprecated and has been removed from
    # current nginx releases; "listen 443 ssl" above replaces it.
    # TLS 1.0 and 1.1 are deprecated (RFC 8996), so only offer 1.2 and 1.3.
    ssl_protocols       TLSv1.2 TLSv1.3;
    ssl_ciphers         HIGH:!aNULL:!MD5;

    ssl_certificate     /etc/nginx/ssl/projectdirectory/cert.pem;
    ssl_certificate_key /etc/nginx/ssl/projectdirectory/key.pem;

    location / {
        root  /var/www/html/projectdirectory/;
        index index.php;
    }
}

Adding a www version

If you also need to allow access to a www version of your site, you'll need a CNAME record in your DNS pointing www at your main hostname (a CNAME target is always a name, never an IP address). Contact your DNS provider. The certificate issued above covers only yourdomainname.com, so to serve the www name as well, pass an additional -d www.yourdomainname.com when issuing it.

www     CNAME       600     yourdomainname.com.

Renewing

Your certificates will expire after 3 months, so set a reminder to log in and renew them regularly.

To renew, simply run the following command:

sudo ~/.acme.sh/acme.sh --cron --home ~/.acme.sh --force

Renew with a cron

Rather than having to remember to log in every 3 months, you can create a cron job to automatically update your certificates. Check crontab -l first: the acme.sh installer normally adds an entry of its own, and you do not want two.

crontab -e

0 0 * * * "/home/user/.acme.sh"/acme.sh --cron --home "/home/user/.acme.sh" > /dev/null