SSL for everyone with Let’s Encrypt

Chinmaya Pati
May 18, 2021

Let’s Encrypt is a nonprofit Certificate Authority (CA) providing TLS certificates to 260 million websites.

Install Certbot

I’m using an Ubuntu 20.4 instance on DigitalOcean for the demo and running my webserver on Nginx.

sudo apt install certbot python3-certbot-nginx

The above command installs the certbot CLI tool along with its nginx plugin.

Generate Certificates

Manual Certificates

Say your site has several subdomains, e.g.
mysite.com, api.mysite.com, console.mysite.com

In that case, consider this option and generate a wildcard certificate valid for the names:
1. mysite.com
2. *.mysite.com

I’m going to use insurewill.com as the domain name here

certbot certonly --manual -d 'insurewill.com,*.insurewill.com'

Before issuing the certificate, the above command verifies the following:

  1. DNS (do you own this domain?)
  2. Server (do you own the server?)

The generated TXT record needs to be added at your DNS provider.

If your DNS provider is Cloudflare, add a TXT record under the DNS section and hit save. The record typically takes a couple of seconds to propagate to edge servers worldwide.

Hit Enter and once this is validated, you should be able to proceed to server validation.

This is my default server configuration

server {
    listen 80 default_server;
    listen [::]:80 default_server;

    root /var/www/html;
    index index.html index.htm index.nginx-debian.html;

    server_name _;

    location / {
        # First attempt to serve request as file, then
        # as directory, then fall back to displaying a 404.
        try_files $uri $uri/ =404;
    }
}

So I created a file /var/www/html/.well-known/acme-challenge/XYZ and saved the generated text.

Hit Enter and you’re done with the verification.

Deploy The Certificates

In order to deploy the wildcard certificate I’ve created a snippet under snippets/ssl.conf. Below is what my directory tree looks like.

/etc/nginx
    # Reusable code-snippets in my site configurations
    snippets/
        ssl.conf
    # All of my sites
    sites-available/
        insurewill.com
        dev.insurewill.com
    # My active sites (soft link from sites-available)
    sites-enabled/
        insurewill.com
        dev.insurewill.com

snippets/ssl.conf

listen 443 ssl;
ssl_certificate /etc/letsencrypt/live/insurewill.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/insurewill.com/privkey.pem;
include /etc/letsencrypt/options-ssl-nginx.conf;
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;

Adding SSL to your site

Just include the above snippet to enable SSL on any of your related domains/subdomains.

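# HTTPS site: certificate and TLS settings come from the shared snippet
server {
    server_name insurewill.com;
    include snippets/ssl.conf;
    # root, index and location directives for the site go here
}

# HTTP: redirect to HTTPS
server {
    if ($host = insurewill.com) {
        return 301 https://$host$request_uri;
    }

    listen 80;
    server_name insurewill.com;
    return 404;  # any other Host header reaching this block
}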
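
Before including snippets/ssl.conf in a site, it is worth checking that the site's hostname is actually covered by the certificate: *.insurewill.com matches exactly one label, so it covers neither insurewill.com itself nor a.dev.insurewill.com. The shell functions below are an added example, not part of the original post. Their names are hypothetical and the name list in the demo is constructed to match the certbot command used earlier.

```shell
# Added example (not from the original post). Function names are hypothetical.

# san_covers SAN HOST: succeed if one certificate name covers HOST.
# A leading "*." stands for exactly one DNS label, so "*.insurewill.com"
# covers dev.insurewill.com but not insurewill.com or a.dev.insurewill.com.
san_covers() {
    san=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    host=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    case "$san" in
        \*.*)
            suffix=${san#\*}                    # e.g. ".insurewill.com"
            case "$host" in
                *"$suffix") label=${host%"$suffix"} ;;
                *) return 1 ;;
            esac
            case "$label" in
                ''|*.*) return 1 ;;             # empty, or more than one label
                *) return 0 ;;
            esac ;;
        *) [ "$san" = "$host" ] ;;
    esac
}

# cert_covers SANS HOST: SANS is a newline-separated list of names.
cert_covers() {
    while IFS= read -r entry; do
        [ -n "$entry" ] || continue
        if san_covers "$entry" "$2"; then return 0; fi
    done <<EOF
$1
EOF
    return 1
}

# cert_sans FILE: print the DNS names in a certificate (needs openssl 1.1.1+).
# On the server: cert_covers "$(cert_sans /etc/letsencrypt/live/insurewill.com/fullchain.pem)" dev.insurewill.com
cert_sans() {
    openssl x509 -in "$1" -noout -ext subjectAltName |
        tr ',' '\n' | sed -n 's/^ *DNS://p'
}

# Constructed SAN list matching: -d 'insurewill.com,*.insurewill.com'
SANS='insurewill.com
*.insurewill.com'
for h in insurewill.com dev.insurewill.com a.dev.insurewill.com; do
    if cert_covers "$SANS" "$h"; then echo "$h: covered"
    else echo "$h: NOT covered"; fi
done
```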
