Using Let's Encrypt free SSL on Ubuntu Server and Nginx (wildcard included)

Certbot in action

Hi, I'm just moving my notes from gitbook (legacy) to I love it here, it's markdown and it's quick. I hope you find this useful.


All you need is certbot, or to be more specific, the certbot package on Ubuntu 18.04.

These are the installation instructions:

sudo apt-get update
sudo apt-get install software-properties-common
sudo add-apt-repository universe
sudo add-apt-repository ppa:certbot/certbot
sudo apt-get update
sudo apt-get install certbot

NOTE I didn't include python-certbot-apache because I like to do things on my own and I usually use Nginx.

For single domain

I'm assuming you are using the normal config path for nginx, which should be /etc/nginx/sites-enabled.

So, we will create a new file called /etc/nginx/sites-enabled/letsencrypt.conf (you should create this in sites-available and symlink it into sites-enabled).

Now, this should be the content of letsencrypt.conf:

server {
  listen 80 default_server;
  server_name _;
  index index.html index.htm index.nginx-debian.html;
  root /var/www/html;

  # Serve the ACME HTTP-01 challenge files from the webroot over plain HTTP
  location ^~ /.well-known/acme-challenge {
    allow all;
    default_type "text/plain";
  }

  # Everything else is sent to HTTPS
  location / {
    return 301 https://$host$request_uri;
  }
}

This will make sure that every request on port 80 whose path starts with /.well-known/acme-challenge is served directly from the webroot, which is what the certbot webroot plugin needs.

Any other path is redirected to HTTPS on port 443.

Now you need to set up DNS for the domain you want. It should be an A record pointing at this server. Note: change the name and x.x.x.x to your domain and your server's IP address:

(your domain)     A     x.x.x.x

It may take a while or a second, depending on your luck. Just test this record on dnschecker.

Once dnschecker shows the correct result you just need to run

sudo certbot certonly --webroot -w /var/www/html -d

You should get the chain and key under /etc/letsencrypt/live/ in a directory named after your domain (fullchain.pem and privkey.pem).
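The two things that usually go wrong in the single-domain flow above are the A record (stale or pointing at the wrong host) and the port-80 redirect swallowing the challenge path. The following pre-flight script is an added example, not part of the original note or of certbot: it resolves the domain, drops a random probe file where certbot would put the real challenge file, fetches it over plain HTTP without following redirects, and cleans up. The domain, server IP and webroot are passed in by the caller; the `resolve` and `fetch` parameters are hypothetical hooks that default to real network calls but can be swapped out so the logic also runs offline.

```python
"""Pre-flight checks for the certbot --webroot (HTTP-01) flow.

Added example, not certbot's own code. 'resolve' and 'fetch' are injectable
so the checks can be exercised without network access.
"""
import os
import secrets
import socket
import urllib.error
import urllib.request

CHALLENGE_DIR = ".well-known/acme-challenge"


def resolve_a(domain):
    """Return the set of IPv4 addresses the system resolver gives for domain."""
    infos = socket.getaddrinfo(domain, None, socket.AF_INET, socket.SOCK_STREAM)
    return {info[4][0] for info in infos}


def a_record_matches(domain, expected_ip, resolve=resolve_a):
    """True only if every A record for domain points at this server.

    An extra or stale record would make the CA validate against another host.
    """
    ips = resolve(domain)
    return bool(ips) and ips == {expected_ip}


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Refuse to follow redirects: the challenge path must be served on port 80
    as-is, not bounced to HTTPS by the 'location /' rule."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def fetch_http(url, timeout=10):
    """GET url over plain HTTP without following redirects; return (status, body)."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(url, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:  # raised for 3xx once redirects are refused
        return err.code, ""


def place_probe(webroot):
    """Write a random probe file where certbot would write the real challenge.

    Returns (token, expected_body, path) so the caller can fetch and then remove it.
    """
    token = secrets.token_urlsafe(16)
    directory = os.path.join(webroot, CHALLENGE_DIR)
    os.makedirs(directory, exist_ok=True)
    path = os.path.join(directory, token)
    body = "probe-" + token
    with open(path, "w") as fh:
        fh.write(body)
    return token, body, path


def challenge_served(domain, token, expected_body, fetch=fetch_http):
    """True if http://domain/.well-known/acme-challenge/token returns 200 with
    exactly the expected body, i.e. nginx serves the webroot and does not redirect."""
    status, body = fetch(f"http://{domain}/{CHALLENGE_DIR}/{token}")
    return status == 200 and body.strip() == expected_body


def preflight(domain, server_ip, webroot, resolve=resolve_a, fetch=fetch_http):
    """Run both checks and return {'dns': bool, 'http01': bool}; the probe file is always removed."""
    results = {"dns": a_record_matches(domain, server_ip, resolve)}
    token, body, path = place_probe(webroot)
    try:
        results["http01"] = challenge_served(domain, token, body, fetch)
    finally:
        os.remove(path)
    return results


if __name__ == "__main__":
    import sys
    # usage: python3 preflight.py example.com 203.0.113.10 /var/www/html
    print(preflight(sys.argv[1], sys.argv[2], sys.argv[3]))
```

Run it on the server itself (it needs write access to the webroot) after the A record has propagated; if `http01` is false while the probe file exists, the redirect or the `root` directive in letsencrypt.conf is the first place to look.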


Example nginx config in /etc/nginx/sites-enabled/ for the HTTPS site:

server {
    listen       443 ssl;   # modern form of "listen 443;" plus "ssl on;", which is deprecated in newer nginx
    server_name  <your domain>;   # placeholder, the domain was not in the note
    root /home/ubuntu/your_app;
    client_max_body_size 20M;

    # <your domain> is a placeholder: certbot names the directory after the domain
    ssl_certificate     /etc/letsencrypt/live/<your domain>/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/<your domain>/privkey.pem;
    ssl_dhparam /etc/nginx/dhparams/dhparams.pem; # you need to generate this if you want to use dhparam
    ssl_prefer_server_ciphers on;

    # prevent poodle: SSLv3 is excluded. TLSv1 and TLSv1.1 are deprecated as well
    # (RFC 8996); leave only TLSv1.2 unless you must support very old clients.
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

    # Add HSTS
    add_header Strict-Transport-Security "max-age=31536000; includeSubdomains";
}



For wildcard

You need to run this command first (don't forget to change the * domain to your own). Wildcard certificates are only issued through the DNS-01 challenge over ACME v2, which is why --preferred-challenges dns-01 and --server are needed:

sudo certbot certonly --manual -d * --agree-tos --manual-public-ip-logging-ok --preferred-challenges dns-01 --server

You will get instructions on how to set it up. It will tell you to create a TXT DNS record. Once you have created the TXT record, confirm with dnschecker that it is visible before hitting Enter.

If nothing is wrong, you should get the wildcard certificate under /etc/letsencrypt/live/ in a directory named after the domain you used with *.
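Hitting Enter before the TXT record is visible from outside is the usual way the --manual run fails, and the failed attempt leaves the old record in place. The script below is an added example, not certbot's code: it computes the name certbot asks for (a wildcard `*.example.com` is validated at `_acme-challenge.example.com`, not under the star), queries an external resolver with `dig +short` from bind9-dnsutils (assumed to be installed; the 1.1.1.1 default is an assumption you can change), and reports whether the value certbot printed is among the records returned. The `lookup_txt` parameter is a hypothetical hook so the parsing can be exercised offline.

```python
"""Check that the DNS-01 TXT record is published before answering certbot's prompt.

Added example, not certbot's code. Assumes `dig` is available; 'lookup_txt'
can be replaced with any function returning raw 'dig +short' output.
"""
import shlex
import subprocess


def challenge_name(domain):
    """The owner name certbot asks you to create the TXT record at.

    '*.example.com' and 'example.com' are both validated at '_acme-challenge.example.com.'.
    """
    bare = domain[2:] if domain.startswith("*.") else domain
    return f"_acme-challenge.{bare.rstrip('.')}."


def parse_dig_txt(output):
    """Parse 'dig +short TXT' output into a set of record values.

    One record per line; long values come as several quoted chunks ("abc" "def")
    that must be joined, and quotes / backslash escapes are removed. Diagnostic
    lines such as ';; connection timed out' are ignored.
    """
    values = set()
    for line in output.splitlines():
        line = line.strip()
        if not line.startswith('"'):
            continue
        values.add("".join(shlex.split(line)))
    return values


def lookup_txt_dig(name, resolver="1.1.1.1"):
    """Ask an external resolver (not the local cache) for the TXT records at name."""
    cmd = ["dig", "+short", "+time=5", f"@{resolver}", "TXT", name]
    proc = subprocess.run(cmd, capture_output=True, text=True, check=False)
    return proc.stdout


def txt_challenge_ready(domain, expected_value, lookup_txt=lookup_txt_dig):
    """True once the value certbot printed is among the published TXT records.

    Records left over from earlier attempts may coexist; the CA accepts any match.
    """
    return expected_value in parse_dig_txt(lookup_txt(challenge_name(domain)))


if __name__ == "__main__":
    import sys
    # usage: python3 txtcheck.py '*.example.com' '<value printed by certbot>'
    ready = txt_challenge_ready(sys.argv[1], sys.argv[2])
    print("record visible, safe to continue" if ready else "record not visible yet")
```

Re-run it until it reports the record as visible, then press Enter in the certbot prompt; querying a resolver other than the local one matters because a cached negative answer on the server can hide a record that the CA would already see.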


You just have to set up nginx accordingly and it should be done.

I'm sure there are better ways than this but this is my old note. If anyone has better instructions, please let me know so I can share with others as well.