Install Let’s Encrypt Free TLS/SSL Certificate with Nginx on Debian 8 Server

April 23, 2020

This guide explains how to obtain and install Let’s Encrypt free TLS/SSL certificate with Nginx server on Debian 8 server.

Install Let’s Encrypt Client on Debian 8 Server

Ubuntu 16.04 repository already have Let’s Encrypt client. The client is also available in Debian testing repository. Some of you may think, “Wow, then we can enable jessie-backports repo to install Let’s Encrypt client on Debian 8!” In fact, this is what I think when I found Let’s Encrypt client is included in Debian 9 repository.

So let’s open sources.list file with nano text editor.

sudo nano /etc/apt/sources.list

then add the following line at the end of this file.

deb http://ftp.debian.org/debian jessie-backports main

And then update local package index and install letsencrypt.

sudo apt-get update

sudo apt-get install letsencrypt -t jessie-backports

Obtain a Free TLS/SSL Certificate with Standalone Plugin

When we apply a TLS/SSL certificate from Let’s Encrypt with the standalone plugin, the letsencrypt client will temporarily start a Web server which listens on port 80. So if you installed Nginx Web server before and Nginx is running, then you need to stop it with the following command to release port 80.

sudo systemctl stop nginx

or

sudo service nginx stop

Then issue the following command to obtain a certificate.

sudo letsencrypt certonly --email <your-email-address> -d <your-domain-name>

The subcommmand certonly tells letsencrypt client to obtain a certificate, but do not install it because letsencrypt client doesn’t support auto-configuration for Nginx at time of writing.

Email address is used for urgent notices and lost key recovery. Replace <your-email-address> with your real email address. -d option is used to specify your domain name. Replace <your-domain-name> with your real domain name. You should point your domain name to the IP address of your Debian 8 server, otherwise domain validation will fail.

You will be asked to select the authentication method.  Select the second option and hit Enter.

Debian 8 Let's encrypt TLS/SSL Certificate

Within a few seconds, you should see a congrats message like below.

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at
   /etc/letsencrypt/live/your-domain-name/fullchain.pem. Your cert
   will expire on 2016-08-21. To obtain a new version of the
   certificate in the future, simply run Let's Encrypt again.
 - If you like Let's Encrypt, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
   Donating to EFF: https://eff.org/donate-le

Your certificate and chain is saved at /etc/letsencrypt/live/your-domain-name/fullchain.pem.

Install TLS/SSL Certificate with Nginx

Install Nginx with the following command if you have not already done so.

sudo apt-get install nginx

Then create server block configuration file.

sudo nano /etc/nginx/conf.d/your-domain-name.conf

Here’s a sample TLS/SSL configuration for Nginx.

server {
  listen 80;
  server_name www.yourdomain.com;
  return 301 https://www.yourdomain.com$request_uri;
}
server {
  listen 443 ssl;
  server_name www.yourdomain.com;

  ssl_protocols TLSv1.1 TLSv1.2;
  ssl_certificate /etc/letsencrypt/live/www.yourdomain.com/fullchain.pem;
  ssl_certificate_key /etc/letsencrypt/live/www.yourdomain.com/privkey.pem;

  access_log /var/log/nginx/www.yourdomain.com.log;
  root /var/www/html;
}

Save and close the file. Restart Nginx.

sudo systemctl restart nginx

or

sudo service nginx restart

Obtain TLS/SSL Certificate with Webroot Plugin

Stopping Nginx server can lead to bad experience for your site visitors. This following steps use the Webroot plugin to obtain TLS/SSL certificate without the need to stop Nginx server.

First enter the following command.

sudo letsencrypt certonly --email <your-email-address> -d <your-domain-name>

Then select the first authentication method.

Let's encrypt webroot plugin

Next, hit Enter key to enter your Web root directory.

webroot plugin certbot

And enter your web root directory. The two common web root are /var/www/html and /usr/share/nginx/html/.

webroot authentication

In a few seconds, your certificate will be issued by Let’s Encrypt.

The above process can be automated by adding the following option.

--webroot -w /var/www/html/

--webroot tells letsencrypt client to use Webroot plugin. -w is short for --webroot-path. /var/www/html/ is a common Web root. So you can use the following one command to obtain a TLS/SSL certificate without stopping Nginx.

sudo letsencrypt certonly --email <your-email-address> -d <your-domain-name> --webroot -w /var/www/html

You may need to add the following directives in Nginx server configuration file to allow access to .well-know directory.

location ~ /.well-known {
    allow all;
}

Renew Let’s Encrypt TLS/SSL Certificate

The config directory of letsencrypt is /etc/letsencrypt under which you will find a renewal directory.  Under /etc/letsencrypt/renewal are some conf files which define how your certificate will be renewed.

Run the following command to test the renewal process on your Debian 8 server:

sudo letsencrypt renew --dry-run

You will find that lets-encrypt client uses the same plugin and options that were used at the time the certificate was originally issued. This is the default behavior.

To change the plugin or options used for renewal, you have to edit the conf files under /etc/letsencrypt/renewal.

Let’s say you used the standalone plugin to obtain certificate, but now you’d like to use Webroot plugin to renew the certificate because you don’t want to stop Nginx, then open the conf file.

sudo nano /etc/letsencrypt/renewal/your-domain-name.conf

Keep the first four lines intact, change the renewal parameters to the following.

# Options used in the renewal process
[renewalparams]
authenticator = webroot
installer = None
account = 2d29325aa8757ab4198e96d1c7b46eb6
webroot_path = /var/www/html,
[[webroot_map]]
your-domain-name = /var/www/html

You account number can be found at /etc/letsencrypt/accounts/acme-v01.api.letsencrypt.org/directory/.

Then test renewal process again.

sudo letsencrypt renew --dry-run --webroot-path /var/www/html

You will see it’ now using the Webroot plugin to renew certificate.

To begin the real renew process, simply remove --dry-run option.

sudo letsencrypt renew --webroot-path /var/www/html

This above command will try to renew certificates that expire in less than 30 days. You can open the root user’s crontab file with the below command.

sudo crontab -e

and create a cron job.

0 5 * * * letsencrypt renew --webroot-path /var/www/html

Need help?

Do you need help setting up this on your own service?
Please contact us and we’ll provide you the best possible quote!