NGINX Let’s Encrypt Certbot Manual Installation

If you’re updating an outdated SSL certificate, or installing one for the first time, and you don’t trust Certbot to modify your NGINX config for you, then this article is for you.

Install Certbot

sudo apt-get update
sudo apt-get install software-properties-common
sudo add-apt-repository ppa:certbot/certbot
sudo apt-get update
sudo apt-get install python-certbot-nginx

Download Certificate

The downloaded certificates and all other Let’s Encrypt/Certbot files will be written to /etc/letsencrypt.

# The "certonly" subcommand is important: it tells Certbot to only download the certificates
# and not to install them automatically by modifying your NGINX config.

sudo certbot --nginx certonly

You will receive the message below after successfully running certbot:

`privkey.pem`  : the private key for your certificate.
`fullchain.pem`: the certificate file used in most server software.
`chain.pem`    : used for OCSP stapling in Nginx >=1.3.7.
`cert.pem`     : will break many server configurations, and should not be used
                 without reading further documentation (see link below).

Manually Install Certificate

This was my old config with the outdated certificate.

server {
  listen 80;
  server_name canbyedfoundation.org www.canbyedfoundation.org;
  return 301 https://$server_name$request_uri;
}

server {
  listen 443 ssl;
  server_name canbyedfoundation.org www.canbyedfoundation.org;

  ssl on;
  ssl_certificate /etc/nginx/ssl/canbyedfoundation_org-bundle.crt;
  ssl_certificate_key /etc/nginx/ssl/canbyedfoundation.org.key;

  location / {
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header Host $http_host;
    proxy_set_header X-NginX-Proxy true;
    proxy_pass http://127.0.0.1:8000;
    proxy_redirect off;
  }
}

To update the config I simply had to change the path to ssl_certificate and ssl_certificate_key:

server {
  listen 80;
  server_name canbyedfoundation.org www.canbyedfoundation.org;
  return 301 https://$server_name$request_uri;
}

server {
  listen 443 ssl;
  server_name canbyedfoundation.org www.canbyedfoundation.org;

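  # "ssl on;" is redundant with "listen 443 ssl" and was removed in nginx 1.25.1; delete it on newer versions
  ssl on;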
  ssl_certificate /etc/letsencrypt/live/canbyedfoundation.org/fullchain.pem;
  ssl_certificate_key /etc/letsencrypt/live/canbyedfoundation.org/privkey.pem;

  location / {
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header Host $http_host;
    proxy_set_header X-NginX-Proxy true;
    proxy_pass http://127.0.0.1:8000;
    proxy_redirect off;
  }
}

Verify Config File & Restart NGINX

sudo nginx -t && sudo nginx -s reload
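
A path check you could run on the config before the reload above, as an added example rather than code from the original article: it reads each server block and flags ssl_certificate / ssl_certificate_key values that sit outside /etc/letsencrypt/live, that name cert.pem or chain.pem instead of fullchain.pem, or that pair a certificate with another lineage's key. The function names and the example.org sample are constructed for illustration.

```python
import re
from pathlib import PurePosixPath

LIVE = PurePosixPath("/etc/letsencrypt/live")  # Certbot's renewal-tracked symlinks

def server_blocks(conf):
    """Yield the body of every server { ... } block, matching nested braces."""
    conf = re.sub(r"#[^\n]*", "", conf)  # drop comments first
    for m in re.finditer(r"\bserver\s*\{", conf):
        depth, i = 1, m.end()
        while i < len(conf) and depth:
            depth += {"{": 1, "}": -1}.get(conf[i], 0)
            i += 1
        yield conf[m.end():i - 1]

def directives(body):
    """Map directive name -> argument string (first occurrence wins)."""
    found = {}
    for stmt in re.split(r"[;{}]", body):
        parts = stmt.split(None, 1)
        if len(parts) == 2:
            found.setdefault(parts[0], parts[1].strip())
    return found

def lint(conf):
    """Return findings about ssl_certificate / ssl_certificate_key paths."""
    findings = []
    for d in map(directives, server_blocks(conf)):
        if "ssl_certificate" not in d:
            continue  # plain-HTTP block, nothing to check
        cert = PurePosixPath(d["ssl_certificate"])
        key = PurePosixPath(d.get("ssl_certificate_key", "<missing>"))
        if cert.parent.parent != LIVE:
            findings.append(f"{cert}: not under {LIVE}/<name>/, renewals will not reach it")
            continue
        if cert.name != "fullchain.pem":
            findings.append(f"{cert}: serve fullchain.pem, not {cert.name}")
        if key != cert.parent / "privkey.pem":
            findings.append(f"{key}: key should be {cert.parent / 'privkey.pem'}")
    return findings

# Constructed sample: cert.pem instead of fullchain.pem, key from another lineage.
SAMPLE = """server {
  listen 443 ssl;
  ssl_certificate /etc/letsencrypt/live/example.org/cert.pem;  # wrong file
  ssl_certificate_key /etc/letsencrypt/live/old.example.org/privkey.pem;
}"""

if __name__ == "__main__":
    print("\n".join(lint(SAMPLE)) or "ok")
```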