Secure Nginx with SSL

Step 1 — Installing Certbot

sudo apt-get install certbot python3-certbot-nginx

Step 2 — Obtaining an SSL Certificate

sudo certbot --nginx -d example.com -d www.example.com

Step 3 — Updating Diffie-Hellman (Optional)

sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048

(more secure but takes a bit longer)

sudo editor /etc/nginx/sites-available/default

Replace /etc/letsencrypt/ssl-dhparams.pem with the path of your generated file, /etc/ssl/certs/dhparam.pem.

Step 4 — Remove insecure ciphers and protocols (Optional)

sudo editor /etc/letsencrypt/options-ssl-nginx.conf

# TLSv1.1 is deprecated (RFC 8996); allow only TLSv1.2 and TLSv1.3
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';

sudo nginx -t

sudo service nginx reload
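
A check that the edits from steps 3 and 4 are in place, as an added example that is not part of the original guide. The helper name lint_tls_conf and the two sample files are constructed for illustration; on a real host, pass it /etc/nginx/sites-available/default and /etc/letsencrypt/options-ssl-nginx.conf.

```shell
#!/bin/sh
# Added example, not from the original guide. lint_tls_conf is a hypothetical helper.
# Prints one finding per line; returns 0 when nothing is flagged, 1 otherwise.
lint_tls_conf() {
    awk '
    function report(msg) { print FILENAME ":" FNR ": " msg; bad = 1 }
    { sub(/#.*/, "") }    # drop comments such as "# managed by Certbot"
    $1 == "ssl_protocols" {
        for (i = 2; i <= NF; i++) {
            p = $i; sub(/;$/, "", p)
            # SSLv2 (RFC 6176), SSLv3 (RFC 7568), TLSv1 and TLSv1.1 (RFC 8996)
            if (p == "SSLv2" || p == "SSLv3" || p == "TLSv1" || p == "TLSv1.1")
                report("deprecated protocol " p)
        }
    }
    # nginx quoting is ASCII only; typographic quotes copied from a web page
    # end up inside the cipher string itself
    $1 == "ssl_ciphers" && /‘|’|“|”/ { report("typographic quotes in ssl_ciphers") }
    # Step 3 not applied: the certbot default DH parameter file is still referenced
    $1 == "ssl_dhparam" && $2 == "/etc/letsencrypt/ssl-dhparams.pem;" {
        report("ssl_dhparam still points at the certbot default file")
    }
    END { exit bad + 0 }
    ' "$@"
}

# Constructed sample input: settings before and after the edits.
demo_dir=$(mktemp -d)
printf '%s\n' 'ssl_protocols TLSv1.1 TLSv1.2;' \
    'ssl_ciphers ‘EECDH+AESGCM:EDH+AESGCM’;' \
    'ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot' \
    > "$demo_dir/before.conf"
printf '%s\n' 'ssl_protocols TLSv1.2 TLSv1.3;' \
    "ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM';" \
    'ssl_dhparam /etc/ssl/certs/dhparam.pem;' \
    > "$demo_dir/after.conf"
lint_tls_conf "$demo_dir/before.conf" || echo "before.conf: fix the findings above"
lint_tls_conf "$demo_dir/after.conf" && echo "after.conf: clean"
```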

Step 5 — Setting Up Auto Renewal

echo '@monthly root certbot renew --nginx --quiet >> /var/log/letsencrypt/letsencrypt-auto-update.log 2>&1' | sudo tee --append /etc/crontab




 
