How to use Let’s Encrypt on Nginx

What is Let’s Encrypt?

Let’s Encrypt is a service that issues SSL/TLS certificates for free. It is in public beta (15/Feb/2016).

You can get an SSL certificate at no charge.

You can also issue certificates with a command-line tool. A certificate expires after three months, but you can renew it with the same command-line tool.

Issuing a certificate for the first time

The first time, run the following command on your web server as root.

./letsencrypt-auto certonly --webroot -w ${DOC_ROOT} -d ${SERVICE_DOMAIN}
Keyword          Description
DOC_ROOT         document root path of your site
SERVICE_DOMAIN   domain name of your site

Before running this command, your site must be reachable from the internet, because the command creates a temporary verification file in DOC_ROOT and the Let’s Encrypt service fetches that file over the internet.

Nginx configuration

If there is no error, the SSL certificate is created in /etc/letsencrypt/live/${SERVICE_DOMAIN}.

Set the nginx configuration as follows.

server {
  listen       443 ssl;

  # Files written by letsencrypt-auto; fullchain.pem holds the server certificate plus the intermediate chain.
  ssl_certificate      /etc/letsencrypt/live/${SERVICE_DOMAIN}/fullchain.pem;
  ssl_certificate_key  /etc/letsencrypt/live/${SERVICE_DOMAIN}/privkey.pem;
  ssl_session_timeout  5m;
  # SSLv3 and the RC4 cipher are considered broken; on a current nginx restrict this to TLSv1.2 or newer and AEAD ciphers.
  ssl_protocols  SSLv3 TLSv1;
  ssl_ciphers  RC4-SHA:HIGH:!ADH;
  ssl_prefer_server_ciphers   on;
  # Redundant with "listen 443 ssl"; the ssl directive is deprecated in nginx 1.15 and later.
  ssl on;

  ...
}
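As an added example that is not part of the original post, the same certificate paths in a configuration that replaces SSLv3/RC4 with TLS 1.2 and newer plus forward-secret AEAD ciphers, serves the ACME challenge directory from ${DOC_ROOT} on port 80 so later renewals keep working, and redirects everything else to HTTPS. ${DOC_ROOT} and ${SERVICE_DOMAIN} are the page's placeholders and must be substituted by hand, since nginx does not expand them; TLSv1.3 and the ChaCha20 suites assume nginx 1.13 or newer built against OpenSSL 1.1.1 or newer.

```nginx
# Port 80: answer ACME HTTP challenges from the webroot, send everything else to HTTPS.
server {
  listen 80;
  server_name ${SERVICE_DOMAIN};

  # letsencrypt-auto --webroot writes the challenge files under this path inside ${DOC_ROOT}.
  location ^~ /.well-known/acme-challenge/ {
    root ${DOC_ROOT};
    default_type "text/plain";
  }

  location / {
    return 301 https://$host$request_uri;
  }
}

# Port 443: the site itself.
server {
  listen 443 ssl;
  server_name ${SERVICE_DOMAIN};

  ssl_certificate      /etc/letsencrypt/live/${SERVICE_DOMAIN}/fullchain.pem;
  ssl_certificate_key  /etc/letsencrypt/live/${SERVICE_DOMAIN}/privkey.pem;

  # TLS 1.2 and newer only: SSLv3 and TLS 1.0/1.1 are not offered at all.
  ssl_protocols TLSv1.2 TLSv1.3;
  # Forward-secret AEAD suites only: no RC4, no CBC, no static RSA key exchange.
  ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
  ssl_prefer_server_ciphers off;

  # Session resumption through a shared cache; tickets off so a leaked ticket key cannot decrypt old sessions.
  ssl_session_cache shared:SSL:10m;
  ssl_session_timeout 1d;
  ssl_session_tickets off;

  # Tell browsers to use HTTPS only for two years; add includeSubDomains only once every subdomain serves TLS.
  add_header Strict-Transport-Security "max-age=63072000" always;

  # ... rest of the site configuration (root, location blocks) ...
}
```

Run nginx -t before nginx -s reload so that a wrong certificate path fails the configuration test instead of the running server.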

After that, reload nginx.

nginx -s reload

Renewal command

The command to renew a certificate is as follows.

# --keep-until-expiring: keep the existing certificate and only request a new one when it is close to expiry.
./letsencrypt-auto certonly --keep-until-expiring \
  --webroot -w ${DOC_ROOT} -d ${SERVICE_DOMAIN}

After that, reload nginx so that it picks up the renewed SSL certificate.

nginx -s reload

Renewal script

To renew automatically, run the following shell script once a day.

#!/bin/bash

# Renewal log and location of the letsencrypt-auto client
# (SCRIPT_PATH is a placeholder for the directory where letsencrypt-auto is installed).
LOG=/var/log/letsencrypt/renew.log
LETSENCRYPT=${SCRIPT_PATH}/letsencrypt-auto

date +'%Y.%m.%d %H:%M:%S' >> "$LOG"

# The second command-line argument, if any, is written to the log as a label for this run.
echo "renew $2" >> "$LOG"
# "renew" checks every certificate under /etc/letsencrypt and renews the ones that are close to expiry.
if ! "${LETSENCRYPT}" renew >> "$LOG" 2>&1 ; then
  echo "Automated renewal failed:"
  cat "$LOG"
  exit 1
fi

# Reload nginx so that it picks up the renewed certificate files.
/usr/local/nginx/sbin/nginx -s reload