Requirements

Software  Version
Ubuntu    16.04
Nginx     1.10

Installation

_$: sudo apt install letsencrypt

Prepare the web server

We have a web server for the domain example.com. The path for that web is /var/www/example-com.

Create a new directory for letsencrypt:

_$: mkdir /var/www/example-com/letsencrypt

Let’s Encrypt will place a file in /var/www/example-com/letsencrypt, so it must be publicly accessible. You can place a small index.html file in there to check that it is actually publicly accessible.

/var/www/example-com/letsencrypt/index.html:
--------------------------------------------
<!DOCTYPE html>
<html>
  <head>
    <title>example.com</title>
  </head>
  <body>
    <h1>Let's Encrypt</h1>
  </body>
</html>

Go to http://example.com/letsencrypt/index.html and check that you see the contents of the HTML file we just created.

Let’s Encrypt will also create a directory called .well-known inside /var/www/example-com/letsencrypt, so we must run the same check there. The easiest way is to create another index.html file in that directory.

/var/www/example-com/letsencrypt/.well-known/index.html:
--------------------------------------------------------
<!DOCTYPE html>
<html>
  <head>
    <title>example.com</title>
  </head>
  <body>
    <h1>Let's Encrypt Well-known</h1>
  </body>
</html>

Go to http://example.com/letsencrypt/.well-known/index.html and check that you see the contents of the HTML file.

Example: Configure Nginx server to receive a Let’s Encrypt certificate

A possible Nginx configuration that will allow you to obtain a Let’s Encrypt certificate is:

server {
        server_name  example.com;
        listen       80;
        root         /var/www/example-com;

        # Configuration
        # ...

        # Let's Encrypt
        location /letsencrypt/ {
                alias /var/www/example-com/letsencrypt/;
        }
        location /.well-known/ {
                alias /var/www/example-com/letsencrypt/.well-known/;
        }
}

Note: Once you have your certificate, comment that section out.

Get a certificate

_$: sudo letsencrypt certonly --webroot -w /var/www/example-com/letsencrypt -d example.com

During the installation wizard you will have to enter an email address:

Enter email address (used for urgent notices and lost key recovery): email@example.com

And read the terms of service:

Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf
You must agree in order to register with the ACME server at
https://acme-v01.api.letsencrypt.org/directory

When it finishes, it will place your certificate at /etc/letsencrypt/live/example.com/fullchain.pem

Check

You can check the certificate you just created with the following command:

_$: openssl x509 -text -noout -in /etc/letsencrypt/live/example.com/fullchain.pem

Renew a certificate

You can test automatic renewal for your certificates by running this command:

_$: sudo letsencrypt renew --dry-run --agree-tos

If that goes well, create a cron task that runs the following command twice a day:

letsencrypt renew

Use your shiny new certificate

Create some links to make it easier for nginx to be configured:

_$: cd /etc/nginx
_$: sudo mkdir ssl
_$: sudo ln -s /etc/letsencrypt/live/example.com/privkey.pem    ./ssl/example.key
_$: sudo ln -s /etc/letsencrypt/live/example.com/fullchain.pem  ./ssl/example.pem

Then reference the links in the nginx configuration:

server {
        server_name  example.com;
        root         /var/www/example-com;
        listen       80;

        # Configuration
        include conf.d/example-com;
}

server {
        server_name  example.com;
        root         /var/www/example-com;

        # SSL
        listen 443 ssl;
        ssl_certificate      /etc/nginx/ssl/example.pem;
        ssl_certificate_key  /etc/nginx/ssl/example.key;

        # Configuration
        include conf.d/example-com;
}
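
Before reloading nginx, it is worth confirming that the file given to ssl_certificate really is the certificate chain, that the file given to ssl_certificate_key is its private key, and that the certificate is not about to expire. The script below is an added example, not part of the original guide; check_pair, make_demo_pair, the script name and the exit codes are names chosen here.

```shell
#!/bin/sh
# Added example: verify a certificate/key pair before nginx uses it.
# check_pair, make_demo_pair and the exit codes are names chosen for this sketch.

# usage: check_pair CERT KEY [MIN_DAYS]
# returns 0 = ok, 1 = CERT is not a certificate, 2 = KEY is not a private key,
#         3 = KEY does not belong to CERT, 4 = CERT expires within MIN_DAYS
check_pair() {
    cert=$1; key=$2; days=${3:-30}

    # Public key of the first certificate in the file (the leaf certificate
    # in fullchain.pem). Fails if the file is a key, e.g. swapped directives.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) ||
        { echo "FAIL: $cert is not a certificate" >&2; return 1; }

    # Public key derived from the private key.
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) ||
        { echo "FAIL: $key is not a private key" >&2; return 2; }

    [ "$cert_pub" = "$key_pub" ] ||
        { echo "FAIL: $key does not belong to $cert" >&2; return 3; }

    # -checkend N exits non-zero if the certificate expires within N seconds.
    openssl x509 -in "$cert" -noout -checkend $((days * 86400)) >/dev/null ||
        { echo "FAIL: $cert expires within $days days" >&2; return 4; }

    echo "OK: $cert and $key match, valid for more than $days days"
}

# Constructed sample input: a throwaway self-signed pair, named like the
# files in /etc/letsencrypt/live/example.com/. usage: make_demo_pair DIR DAYS
make_demo_pair() {
    mkdir -p "$1" &&
    openssl req -x509 -newkey rsa:2048 -nodes -days "$2" -subj "/CN=example.com" \
        -keyout "$1/privkey.pem" -out "$1/fullchain.pem" 2>/dev/null
}

# Run against real files when given as arguments, e.g.
#   sudo sh check_pair.sh /etc/nginx/ssl/example.pem /etc/nginx/ssl/example.key
if [ "$#" -ge 2 ]; then
    check_pair "$@"
fi
```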