Replace paid SSL cert with LE + autorenewal on Nginx Ubuntu 14.04

How to install LE SSL on a server running Nginx on Ubuntu 14.04 that already got a SSL cert setup.
Remember to replace with your own domain through the tutorial.
SSH into server with sudo priveleges:

cd /usr/local/sbin
sudo wget
sudo chmod a+x /usr/local/sbin/certbot-auto
sudo nano /etc/nginx/sites-available/default

add this to the server block that listens to 443

        location ~ /.well-known {
                allow all;

test and restart:

sudo nginx -t
sudo service nginx restart 
sudo apt-get update
sudo apt-get upgrade
sudo certbot-auto certonly -a webroot --webroot-path=/usr/share/nginx/html -d -d

answer the questions.
set up DH group for extra security

sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048

wait 1-2 minutes.
open up your nginx config again:

 sudo nano /etc/nginx/sites-available/default

then replace/comment out your old lines with:

        ssl_certificate /etc/letsencrypt/live/;
        ssl_certificate_key /etc/letsencrypt/live/;

then add this for extra security utilizing the DH group we generated:

        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_prefer_server_ciphers on;
        ssl_dhparam /etc/ssl/certs/dhparam.pem;
        ssl_session_timeout 1d;
        ssl_session_cache shared:SSL:50m;
        ssl_stapling on;
        ssl_stapling_verify on;
        add_header Strict-Transport-Security max-age=15768000;

exit and save.

test and restart

sudo nginx -t
sudo service nginx restart

test SSL


Now lets add a cronjob for automatically update the cert:
check all is setup:

certbot-auto renew

you should get something back that “no renewals were attempted”


sudo crontab -e

choose 2 for nano (unless you prefer other)

then paste this in at the bottom of the config.

30 2 * * 1 /usr/local/sbin/certbot-auto renew >> /var/log/le-renew.log
35 2 * * 1 /etc/init.d/nginx reload

Ctrl + x for exit
y for save

thats it!

Add your comment