TLS Certificates in 30 Seconds
Let's see how to install, set up, and configure LetsEncrypt (certbot) with Nginx to get an SSL certificate in something like 30 seconds.
This will help you get and configure a TLS certificate that auto-renews via LetsEncrypt - you never have to think about it again!
When you install certbot, it will add a systemd timer. This timer periodically checks if the certificate needs renewing, and if so, does it! Configuration in /etc/letsencrypt keeps information about the certificates installed on the server, including post-renewal hooks (like running "service nginx reload").
In our case, we'll use certbot's one-line command to obtain the certificate. We'll make sure Nginx is configured to allow requests to the .well-known directory. Finally, we'll see how Nginx should be configured to use the generated TLS certificates (thanks to the H5BP Nginx server configs for making it so easy).
Here are some resources:
- LetsEncrypt: https://letsencrypt.org/
- Certbot: https://certbot.eff.org/
- H5BP Nginx: https://github.com/h5bp/server-configs-nginx
- Video on setting up H5BP with Nginx: https://www.youtube.com/watch?v=d6kfuPo3Cnw&ab_channel=ChrisFidao
The Setup
We can install and configure Certbot pretty easily:
# Install certbot on Ubuntu as per
# https://certbot.eff.org/instructions?ws=nginx&os=snap
sudo snap install --classic certbot
sudo ln -s /snap/bin/certbot /usr/bin/certbot
Then, assuming Nginx is up and running with a site on port 80, and nothing is blocking the /path/to/web-root/.well-known directory from serving files:
# Optionally add --force-renewal if
# a certificate already exists and
# you want to overwrite it
sudo certbot certonly --webroot \
-w /var/www/app/public \
-d someapp.xyz \
-d www.someapp.xyz \
--post-hook "service nginx reload" \
--non-interactive \
--agree-tos \
--email your-email-here
Then you can configure Nginx to use the new TLS certificate! See the video above for a few details on that.
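As an added example (not from the original post or the H5BP project), here is a minimal Nginx configuration that ties the two halves of the procedure together: the port 80 server keeps /.well-known/acme-challenge/ reachable so the webroot challenge above keeps working on every renewal, and the port 443 server points at the files certbot maintains. It assumes the webroot /var/www/app/public and the domains someapp.xyz / www.someapp.xyz from the certbot command above, and certbot's default layout under /etc/letsencrypt/live/, where the directory is named after the first -d domain.

```nginx
# Added example, not part of the original post.
# Assumes the -w and -d values used in the certbot command above.

# Port 80: serve ACME challenge files, redirect everything else to HTTPS.
server {
    listen 80;
    listen [::]:80;
    server_name someapp.xyz www.someapp.xyz;

    # certbot --webroot writes its tokens to <webroot>/.well-known/acme-challenge/
    # and Let's Encrypt fetches them over plain HTTP. This location must stay
    # reachable: keep it above the redirect and outside any auth or deny rules,
    # or renewals will start failing long after the initial issue succeeded.
    location ^~ /.well-known/acme-challenge/ {
        root /var/www/app/public;
        default_type "text/plain";
        try_files $uri =404;
    }

    location / {
        return 301 https://$host$request_uri;
    }
}

# Port 443: the site itself, using the certificate certbot keeps up to date.
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name someapp.xyz www.someapp.xyz;

    # fullchain.pem is the leaf certificate plus the intermediate chain;
    # privkey.pem is the private key and is readable only by root.
    # Both are symlinks into /etc/letsencrypt/archive/, so a renewal
    # retargets the symlinks and the "service nginx reload" post-hook
    # makes the running Nginx pick up the new files.
    ssl_certificate     /etc/letsencrypt/live/someapp.xyz/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/someapp.xyz/privkey.pem;

    # Drop legacy protocol versions; the cert itself does not enforce this.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:10m;

    root /var/www/app/public;
    index index.html;

    location / {
        try_files $uri $uri/ =404;
    }
}
```

Run `sudo nginx -t` before reloading so a typo in the config cannot take the site down. To confirm the hands-off renewal described earlier actually works end to end, `sudo certbot renew --dry-run` performs a staging renewal, including the webroot challenge and the saved post-hook, without touching the real certificate, and `systemctl list-timers | grep certbot` shows when the timer installed by the snap will next fire.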