Graham Smith
Graham Smith
5th January 2016

Here at the Clearleft towers we use DigitalOcean and our servers run Ubuntu 14.04 and Nginx 1.8.0.

At the moment, Letsencrypt has an auto installer for Apache only. I actually have no idea what that does, as the other option is to create the certificate files and link to them in your site’s conf file manually, which is all I’ve ever done anyway. I don’t think I'd want anything doing that step for me. But, I digress.

I’m assuming that you’ve installed git and nginx, and both as packages with apt-get.

You may also need to use the sudo command if you are not logged in as root.

Install Letsencrypt

There is no letsencrypt package for Ubuntu yet, so we install via git

cd ~
git clone https://github.com/letsencrypt/letsencrypt
cd letsencrypt

Stop nginx. I had issues when I didn’t, so I recommend it.

service nginx stop

Generate the certificates. This command skips the horrific installer interface. Add -d for each domain name the site uses. Usually it’s just the one domain name as we, by default, redirect from www to non-www anyway.

./letsencrypt-auto certonly --standalone --email admin@wherever.com -d example.com -d www.example.com

This puts the certificates, and other related files, in

/etc/letsencrypt/live/[example.com]

The two we need are fullchain.pem and privkey.pem.

In the site’s .conf file, in the server directive, add the following:

listen [::]:80;
listen 80;

listen 443 ssl;

ssl_certificate /etc/letsencrypt/live/[example.com]/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/[example.com]/privkey.pem;

This will allow the site to be accessed from both http and https. To make the site https only, you need a preceding server directive to redirect all domain names to https, like:

server {
    listen [::]:80;
    listen 80;

    # listen on the www and non-www host
    server_name www.[example.com] [example.com];

    # and redirect to the https host (declared below)
    return 301 https://[example.com]$request_uri;
}

Then the second server needs only:

listen [::]:443 ssl;
listen 443 ssl;

ssl_certificate /etc/letsencrypt/live/[example.com]/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/[example.com]/privkey.pem;

Start that server back up

service nginx start

Aaaaand done.

This was originally posted on my own site.