Automatically enable HTTPS on your website with EFF's Certbot, deploying Let's Encrypt certificates.

I'm using on
No javascript? See all setup instructions here. Read the full documentation here.

Nginx on Debian 9 (stretch)

Automated
Advanced

Install

Since Certbot is packaged for your system, all you'll need to do is apt-get the following packages.

First you'll have to follow the instructions here to enable the Stretch backports repo, if you have not already done so. Then run:

$ sudo apt-get install certbot python-certbot-nginx -t stretch-backports

Installing DNS plugins

Certbot's DNS plugins are available for your system. These plugins can be used to automate obtaining a wildcard certificate from Let's Encrypt's ACMEv2 server. To use one of these plugins, you must have configured DNS for the domain you want to obtain a certificate for with a DNS provider that Certbot has a plugin for. A list of these plugins and more information about using them can be found here. To install one of these plugins, run the installation command above but replace certbot python-certbot-nginx with python3-certbot-dns-PLUGIN, where PLUGIN is the name of the plugin you want to install. For instance, for the RFC2136 plugin this would be python3-certbot-dns-rfc2136.

Get Started

Certbot has an Nginx plugin, which is supported on many platforms, and automates certificate installation.

$ sudo certbot --nginx

Running this command will get a certificate for you and have Certbot edit your Nginx configuration automatically to serve it. If you're feeling more conservative and would like to make the changes to your Nginx configuration by hand, you can use the certonly subcommand:

$ sudo certbot --nginx certonly

If you want to obtain a wildcard certificate using Let's Encrypt's new ACMEv2 server, you'll also need to use one of Certbot's DNS plugins. To do this, make sure the plugin for your DNS provider is installed using the instructions above and run a command like the following:

$ sudo certbot -a dns-plugin -i nginx -d "*.example.com" -d example.com --server https://acme-v02.api.letsencrypt.org/directory

You'll need to replace dns-plugin with the name of the DNS plugin you want to use. For instance, to use the Cloudflare plugin, you would use dns-cloudflare. You may also need to provide additional flags such as the path to your API credentials. To learn more about how to use these plugins, see the documentation for the DNS plugin you are trying to use found in the link above.

To learn more about how to use Certbot read our documentation.

Automating renewal

The Certbot packages on your system come with a cron job that will renew your certificates automatically before they expire. Since Let's Encrypt certificates last for 90 days, it's highly advisable to take advantage of this feature. You can test automatic renewal for your certificates by running this command:

$ sudo certbot renew --dry-run

More detailed information and options about renewal can be found in the full documentation.

Install

Since Certbot is packaged for your system, all you'll need to do is apt-get the following packages.

First you'll have to follow the instructions here to enable the Stretch backports repo, if you have not already done so. Then run:

$ sudo apt-get install certbot python-certbot-nginx -t stretch-backports

Installing DNS plugins

Certbot's DNS plugins are available for your system. These plugins can be used to automate obtaining a wildcard certificate from Let's Encrypt's ACMEv2 server. To use one of these plugins, you must have configured DNS for the domain you want to obtain a certificate for with a DNS provider that Certbot has a plugin for. A list of these plugins and more information about using them can be found here. To install one of these plugins, run the installation command above but replace certbot python-certbot-nginx with python3-certbot-dns-PLUGIN, where PLUGIN is the name of the plugin you want to install. For instance, for the RFC2136 plugin this would be python3-certbot-dns-rfc2136.

Get Started

Certbot has an Nginx plugin, which is supported on many platforms, and automates certificate installation.

$ sudo certbot --nginx

Running this command will get a certificate for you and have Certbot edit your Nginx configuration automatically to serve it. If you're feeling more conservative and would like to make the changes to your Nginx configuration by hand, you can use the certonly subcommand:

$ sudo certbot --nginx certonly

If you want to obtain a wildcard certificate using Let's Encrypt's new ACMEv2 server, you'll also need to use one of Certbot's DNS plugins. To do this, make sure the plugin for your DNS provider is installed using the instructions above and run a command like the following:

$ sudo certbot -a dns-plugin -i nginx -d "*.example.com" -d example.com --server https://acme-v02.api.letsencrypt.org/directory

You'll need to replace dns-plugin with the name of the DNS plugin you want to use. For instance, to use the Cloudflare plugin, you would use dns-cloudflare. You may also need to provide additional flags such as the path to your API credentials. To learn more about how to use these plugins, see the documentation for the DNS plugin you are trying to use found in the link above.

To learn more about how to use Certbot read our documentation.

Automating renewal

The Certbot packages on your system come with a cron job that will renew your certificates automatically before they expire. Since Let's Encrypt certificates last for 90 days, it's highly advisable to take advantage of this feature. You can test automatic renewal for your certificates by running this command:

$ sudo certbot renew --dry-run

More detailed information and options about renewal can be found in the full documentation.