You can use Certbot to get instructions on how to use Let’s Encrypt automatically. Here’s my implementation:
1.) Enable jessie-backports and make sure your domain is pointing at your webserver. Then:
2.) Install certbot from backports:
# apt-get install certbot -t jessie-backports
3.) Obtain the certificate with the standalone plugin, stopping nginx for the duration of the validation:
# certbot certonly --standalone -d exampledoma.in -d www.exampledoma.in --pre-hook "service nginx stop" --post-hook "service nginx start"
4.) You should now have the necessary files in /etc/letsencrypt/live/ in a folder named after your domain. Add them to the appropriate nginx config thus:
listen 443 ssl;
(note: I don’t cover dhparams or cipher order in this post.)
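As an added example (not from the original post), here is a complete server block that uses those files, assuming the domain from the post and the file names certbot writes by default (fullchain.pem and privkey.pem):

```nginx
# Added example, not part of the post. Assumes the domain exampledoma.in
# and the default certbot live directory layout.
server {
    listen 80;
    server_name exampledoma.in www.exampledoma.in;
    return 301 https://$host$request_uri;   # send plain HTTP to HTTPS
}

server {
    listen 443 ssl;
    server_name exampledoma.in www.exampledoma.in;

    # fullchain.pem = leaf certificate plus intermediate; privkey.pem = private key
    ssl_certificate     /etc/letsencrypt/live/exampledoma.in/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/exampledoma.in/privkey.pem;

    root  /var/www/exampledoma.in;   # assumed document root
    index index.html;
}
```

Run `nginx -t` after editing: the post-hook above only starts nginx, so a configuration error would otherwise leave the site down after a renewal.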
Let’s Encrypt certificates are valid for 90 days, so the last step is to automate renewals. In root’s crontab I use the following for quiet monthly renewal attempts, noting that if nothing is due for renewal, no action is taken:
@monthly certbot renew -q --standalone --pre-hook "service nginx stop" --post-hook "service nginx start"
There are other ways to do this. Certbot ships a renewal cron in /etc/cron.d/certbot, and Certbot’s own advanced setup documentation shows how to use the ‘webroot’ plugin, which works with any webserver you like; but since I don’t mind stopping my webserver once a month for this quick check, I simply use the ‘standalone’ plugin instead.