How to do SSL with Let's Encrypt

8th November 2022

Let's Encrypt is a non-profit organisation which provides free SSL certificates for websites.

The Let's Encrypt website provides the official documentation for generating and installing a free, 3 month certificate..

To install a free SSL certificate, you first must install their Certbot ACME client on your production web server.

You can view the ACME client github page for more infornamtion about what the client does.

Installing the acme client on a production server

curl | sh

source ~/.bashrc --version --upgrade --auto-upgrade

You can now register your email address with acme --register-account -m

Generating a certificate

Create a directory in your public directory named .well-known

sudo mkdir ./public/.well-known

Ensure that your user owns this directory

sudo chown -R $USER:$USER ./public/.well-known/

Generate the certificate --issue -d -w /var/www/html/projectdirectory/public --server letsencrypt

If your certificate is generated correctly, the script output should inform you of the location of your new certificates.

Installing the certificate with nginx

For many variants of Linux, the location of the SSL directory is:


Create a directory in nginx/ssl named after your project.

sudo mkdir -p /etc/nginx/ssl/projectdirectory/

Temporarily, make the nginx SSL directory 777

sudo chmod -R 777 /etc/nginx/ssl/

Run the installer --install-cert -d \
    --key-file       /etc/nginx/ssl/projectdirectory/key.pem  \
    --fullchain-file /etc/nginx/ssl/projectdirectory/cert.pem \

If successful, the script output should tell you what it has installed

Installing key to: /etc/nginx/ssl/projectdirectory/key.pem

Installing full chain to: /etc/nginx/ssl/projectdirectory/cert.pem

Remember to return the SSL directory to be read-only

sudo chmod -R 700 /etc/nginx/ssl/

Update the HTTPS section of your nginx config

server {
    listen              443 ssl;


    ssl                 on;
    ssl_protocols       TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers         HIGH:!aNULL:!MD5;

    ssl_certificate     /etc/nginx/ssl/projectdirectory/cert.pem;
    ssl_certificate_key /etc/nginx/ssl/projectdirectory/key.pem;

    location / {
        root  /var/www/html/projectdirectory/;
        index  index.php;

Adding a www version

If you also need to allow access to a www version of your site, you'll need a CNAME record in your DNS. Contact your DNS provider.

www     CNAME       600


Your certificates will expire after 3 months, so set a reminder to log in and renew them regularly.

To renew, simply run the following command:

sudo ~/ --cron --home ~/ --force

Renew with a cron

Rather than having to remember to log in every 3 months, you can create a cron job to automatically update your ceritificates

crontab -e

0 0 * * * "/home/user/"/ --cron --home "/home/user/" > /dev/null