Update: Using Free Let’s Encrypt SSL/TLS Certificates with NGINX

Editor – The blog post detailing the original procedure for using Let’s Encrypt with NGINX (from February 2016) redirects here. The instructions in that publication are deprecated.

This release has been updated to remove the dependency on certbot-auto, which the Electronic Frontier Federation (EFF) discontinued in Certbot 1.10.0 for Debian and Ubuntu and in Certbot 1.11.0 for all other operating systems. For additional details and alternative installation methods, see this EFF publication.

Also see our 2015 nginx.conf blog post, in which Peter Eckersley and Yan Zhu of the Electronic Frontier Foundation introduce the then-new Let’s Encrypt certificate authority.

It is well known that your website’s SSL/TLS encryption leads to higher search rankings and better security for your users. However, there are a number of barriers that have prevented website owners from adopting SSL.

Two of the biggest barriers have been the cost and manual processes involved in obtaining a certificate. But now, with Let’s Encrypt, they are no longer a concern. Let’s Encrypt makes SSL/TLS encryption freely available to everyone.

Let’s Encrypt is a free, automated, and open certificate authority (CA). Yes, that’s right: free SSL/TLS certificates. Most browsers today rely on certificates issued by Let’s Encrypt, including older browsers such as Internet Explorer on Windows XP SP3. In addition, Let’s Encrypt fully automates both certificate issuance and renewal.

In this blog post, we cover how to use the Let’s Encrypt client to generate certificates and how to automatically configure NGINX Open Source and NGINX Plus to use them.

How Let’s Works


Before issuing a certificate, Let’s Encrypt validates ownership of your domain. The Let’s Encrypt client, running on your host, creates a temporary file (a token) with the required information in it. The Let’s Encrypt validation server then makes an HTTP request to retrieve the file and validates the token, which verifies that your domain’s DNS record resolves to the server running the Let’s Encrypt client.


you start with Let’s Encrypt, you should:

Have NGINX or

  • NGINX Plus installed
  • .

  • Own or control the domain name registered for the certificate. If you don’t have a registered domain name, you can use a domain name registrar, such as GoDaddy or dnsexit.
  • Create a DNS record that associates your domain name and the public IP address of your server.

Now you can easily configure Let’s Encrypt with NGINX Open Source or NGINX Plus (for ease of reading, from now on we will refer simply to NGINX


Note: We tested the procedure described in this blog post about Ubuntu 16.04 (Xenial).

1. Download

the Let’s Encrypt client First,

download the Let’s Encrypt client,


As mentioned above, we tested the instructions on Ubuntu 16.04, and here are the appropriate commands on that platform

: $ apt-get update $ sudo apt-get install certbot $ apt-get install python-certbot-nginx

With Ubuntu 18.04 and later, replace Python version 3:

$ apt-get update $ sudo apt-get install certbot $ apt-get install python3-certbot-nginx

2. Configure


certbot can automatically configure NGINX for SSL/TLS. Finds and modifies the server block in your NGINX configuration that contains a server_name policy with the domain name for which you are requesting a certificate. In our example, the domain is www.example.com.

  1. Assuming you are starting with a new installation of NGINX, use a text editor to create a file in the /etc/nginx/conf.d directory named domain-name.conf (for example, www.example.com.conf).

  2. Specify your domain name (and variants, if any) with the server_name

    : server { listen 80 default_server; listen [::]:80 default_server; root /var/www/html; server_name example.com www.example.com; }

  3. Save the file, then run this command to check the syntax of your configuration and restart NGINX:

    $ nginx –t && nginx -s reload

3. Get the SSL/TLS certificate

The NGINX plugin for certbot takes care of reconfiguring NGINX and

reloading its configuration when necessary.

  1. Run the following command to generate certificates with the NGINX plugin:

    $ sudo certbot –nginx -d example.com -d www.example.com

  2. Respond to certbot requests to configure your HTTPS settings, which involves entering your email address and agreeing to Let’s Encrypt’s terms of service.

When the certificate generation is complete

, NGINX is reloaded with the new configuration. certbot generates a message indicating that the certificate generation was successful and specifying the location of the certificate on the server.

Congratulations! You have successfully enabled https://example.com and https://www.example.com – IMPORTANT NOTES: Congratulations! Your certificate and chain have been saved in: /etc/letsencrypt/live/example.com/fullchain.pem Your key file has been saved at: /etc/letsencrypt/live/example.com//privkey.pem Your certificate will expire on 2017-12-12.

Note: Let’s Encrypt certificates expire after 90 days (on 2017-12-12 in the example). For information about automatic certificate change, see Let’s Encrypt Certificate Auto-Renewal below.

If you look at domain-name.conf, you will see that certbot has modified it

: server { listen 80 default_server; listen [::]:80 default_server; root /var/www/html; server_name example.com www.example.com; listen 443 ssl; # managed by Certbot # RSA certificate ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem; # managed by Certbot ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem; # managed by Certbot include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot # Redirect non-https traffic to https if ($scheme != “https”) { return 301 https://$host$request_uri; } # managed by Certbot }

4. Auto-renew Let’s Encrypt certificates Let’s Encrypt certificates

expire after 90 days. We recommend that you renew your certificates automatically. Here we add a cron job to an existing crontab file to do this.

Open the crontab file.

  1. $



  2. Add the certbot command to run daily. In this example, we run the command every day at noon. The command checks whether the certificate on the server will expire in the next 30 days and renews it if it does. The -quiet directive tells certbot not to generate output.

    0 12 * * * /usr/bin/certbot renew -quiet

  3. Save and close the file. All installed certificates will be renewed and reloaded automatically.


We have installed the Let’s Encrypt agent to generate SSL/TLS certificates for a registered domain name. We have configured NGINX to use certificates and configure automatic certificate renewals. With Let’s Encrypt certificates for NGINX and NGINX Plus, you can have a simple, secure website up and running in minutes.

To try Let’s Encrypt with NGINX Plus for yourself, start your 30-day free trial today or contact us to discuss your use cases.

Related documentation

Securing HTTP traffic to

upstream serversTCP traffic to upstream serversSSL Termination NGINX