Tech Blog

Free and Auto-Renewing SSL Certificates: Letsencrypt Quick Setup

Free and Auto-Renewing SSL Certificates: Letsencrypt Quick Setup

Recently updated on

You may have heard of Letsencrypt, which is a new SSL certificate authority that provides free SSL certificates that are supported in all modern browsers. This service is also designed to help automate the issuance of SSL certificates. 

The following describes how to use Letsencrypt to configure auto-renewing SSL certificates on an Ubuntu 14.04* server with Nginx (the steps are a little different with Ubuntu 16.04 but very similar).  This guide assumes that you already have a site hosted with Nginx with the domain already pointed at your web server.  There's some detailed information at and; however, this guide helps boil it down into a single use-case.


First, we need to install Certbot. Certbot is the Letsencrypt client that runs on a the server requesting the SSL certificate.  

Create a directory to install Certbot into and install.

cd /opt/
sudo wget
sudo chmod a+x certbot-auto
sudo ./certbot-auto

Create a letsencrypt directory under the Nginx webroot.  We chose to put it under the following location, but it could go anywhere as long as Nginx can serve it.

cd /iscape/sites/example/htdocs/
mkdir letsencrypt

Next, create a configuration file for Letsencrypt. The default location that Certbot checks for this config file is /etc/letsencrypt/cli.ini. This file helps us reduce the number of command line flags that need to be passed to the Certbot command when we execute it. 

# vim /etc/letsencrypt/cli.ini

# increase key size
rsa-key-size = 2048 # Or 4096

# this address will receive renewal reminders
email =

# turn off the ncurses UI, so this can be run as a cron job
text = True

# authenticate by placing a file in the webroot (under .well-known/acme-challenge/)
# and then letting LE fetch it
authenticator = webroot
webroot-path = /iscape/sites/example/htdocs/letsencrypt

Certbot will need to create a random file inside of the webroot-path directory specified in the config.  Nginx will serve up this file, and Letsencrypt will use it to validate that you own the domain. To allow Nginx to serve this file, you need to add the following location block to both the http and https server blocks in your Nginx config.  We typically define a single locations.conf file which is then included in both server blocks.  See the example below. 

# vim /iscape/sites/example/etc/nginx/locations.conf
# letsencrypt challenge directory
location /.well-known/acme-challenge {
    root /iscape/sites/example/htdocs/letsencrypt;

Here is an example Nginx server config that you would add the location includes to.

# vim /iscape/sites/example/etc/nginx/server.conf
# Nginx Server Config File
server {
   listen 80;
   # includes the above locations.conf file.   
   include /iscape/sites/example/etc/nginx/locations.conf;
server {   
    listen 443;

    # includes the above locations.conf file.
    include /iscape/sites/example/etc/nginx/locations.conf;

Next, for the above to take effect, we need to test the Nginx config and restart Nginx.  At Imaginary Landscape, we use supervisord to control Nginx so that would look something like the following.  (However, most likely you will run "sudo service nginx restart"). 

sudo nginx -tc /etc/nginx/nginx.conf && sudo supervisorctl restart nginx

Now that Nginx is able to serve up the Certbot-generated challenge file, we need to actually run the Certbot command to generate the certificate. The first time you run this command with a particular email address (from the config above), Certbot will prompt you through some questions to register that email. This command does a lot: verifies that you own the domain and it actually generates the SSL certificate and private key.

sudo /opt/certbot-auto --config /etc/letsencrypt/cli.ini certonly -d -d

(A)gree/(C)ancel: A
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for
http-01 challenge for
Using the webroot path /iscape/sites/example/htdocs/letsencrypt for all unmatched domains.
Waiting for verification...
Cleaning up challenges
Generating key (2048 bits): /etc/letsencrypt/keys/0000_key-certbot.pem
Creating CSR: /etc/letsencrypt/csr/0000_csr-certbot.pem

 - Congratulations! Your certificate and chain have been saved at
   /etc/letsencrypt/live/ Your cert will
   expire on 2017-02-05. To obtain a new or tweaked version of this
   certificate in the future, simply run certbot-auto again. To
   non-interactively renew *all* of your certificates, run
   "certbot-auto renew"
 - If you lose your account credentials, you can recover through
   e-mails sent to
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.
 - If you like Certbot, please consider supporting our work by:
   Donating to ISRG / Let's Encrypt:
   Donating to EFF:          

If this runs successfully, you should have a new set of certificate and keys in the following locations (in this example). 

  • /etc/letsencrypt/live/ - the files within are symlinks to current keys and certs
    • privkey.pem - private key for the certificate
    • cert.pem - the certificate by itself
    • chain.pem - the root and intermediary certs chain needed by the browser excluding the server certificate.
    • fullchain.pem - all certificates in the chain including the server certificate
  • /etc/letsencrypt/archive/ - contains all of the current and old certs

Next, you need to update Nginx again to use the new SSL certificate and private key. 

server {
  listen 443;   server_name;
  ssl on;
  ssl_certificate /etc/letsencrypt/live/;
  ssl_certificate_key /etc/letsencrypt/live/;

As before, test and restart Nginx.

sudo nginx -tc /etc/nginx/nginx.conf && sudo supervisorctl restart nginx

At this point, you should have a fresh SSL certificate installed.  If you point a web brower at your domain, hard-refresh, and check the SSL certificate properties, you should see that the new SSL certificate is in place. 


Letsencrypt issues certificates for 3-month periods. The process of renewing can be automated so that you never need to manually install a certificate again on this server. 

To do this, we just need to create a script in cron.monthly.  Cron will run this on the first day of the month; if the certificate is less than a month from expiring, the certificate will be renewed automatically. 

# vim /etc/cron.monthly/letsencrypt


/opt/certbot-auto renew  --text --no-self-upgrade > /var/log/letsencrypt_cron.log 2>&1

supervisorctl stop nginx
supervisorctl start nginx

Finally, we want to change the permissions on this script so that it's executable.

chmod 755 /etc/cron.monthly/letsencrypt

That's it! Cron will take care of the rest and auto-renew the cert if needed. A few months down the line, just before your new Letsencrypt certificate is about to expire, you should check the certificate expiration date to make sure auto-updating is happening properly.


Comments are closed.