Installing Let’s Encrypt SSL/TLS certificate on Debian running Nginx

Using Debian Linux and Nginx web server to manage your applications and websites, now it is easy to install free SSL/TLS certificates as Let’s Encrypt enabled us to make website HTTPS enabled.

Let's Encrypt

We will be using certbot tool to get all our work easy.

1. SSH into the server and update it once.

SSH into the server running your HTTP website as a user with sudo or sudo equal privileges.

sudo apt update

2. Install snapd.

You’ll need to install snapd (snap daemon).

sudo apt install snapd

Snaps are universal packages that work across many different Linux systems, enabling secure distribution of the latest apps and utilities for cloud, servers, desktops and the internet of things.

3. Ensure that your version of snapd is up-to-date.

Execute the following instructions on the command line on the machine to ensure that you have the latest version of snapd.

sudo snap install core; sudo snap refresh core

4. Install certbot.

Run this command on the command line on the machine to install certbot.

sudo snap install --classic certbot

5. Prepare the certbot command.

Execute the following instruction on the command line on the machine to ensure that the certbot command can be run.

sudo ln -s /snap/bin/certbot /usr/bin/certbot

6. Choose how you’d like to run certbot.

Either get and install your certificate.

Run this command to get a certificate and have certbot edit your nginx configuration automatically to serve it, turning on HTTPS access in a single step.

sudo certbot --nginx

Or, just get the certificates.

If you’re feeling more conservative and would like to make the changes to your nginx configuration by hand, run this command.

sudo certbot certonly --nginx

7. Test automatic renewal.

Let’s Encrypt certificates are only valid for 90 days, and you need to renew it.

The certbot packages on your system come with a cron job or systemd timer that will renew your certificates automatically before they expire. You will not need to run certbot again, unless you change your configuration. You can test automatic renewal for your certificates by running this command:

sudo certbot renew --dry-run

The command to renew certbot is installed in one of the following locations:

  • /etc/crontab/
  • /etc/cron.*/*
  • systemctl list-timers

8. Confirm that certbot worked.

To confirm that your site is set up properly, visit in your browser and look for the lock icon in the URL bar. You can even click on the lock and see the certification information too.

You can use this tool to cross-check that you have installed SSL/TLS certificate correctly.

Leave a Reply

Your email address will not be published. Required fields are marked *