The following is an example setup process for NGINX, please adapt it to your exact needs.


To follow this guide, your server needs to have the following dependencies installed:


This guide assumes two things:

  1. That you are using Ubuntu Linux 18.04. If you are not using Ubuntu 18.04, please adjust the instructions to suit your distribution or operating system.

  2. That the nginx server configuration file for your site is stored under /etc/nginx/sites-available/ and is enabled (on Ubuntu, by a symlink in /etc/nginx/sites-enabled/). Not all distributions use this layout; refer to your distribution's nginx documentation to find out where to store yours.

Create and Configure a Diffie-Hellman Params File

With OpenSSL you can generate your own Diffie-Hellman (DH) parameters file and point nginx at it with the ssl_dhparam directive. nginx uses these parameters only for the DHE cipher suites (the ECDHE suites use named curves instead), and since nginx 1.11.0 there are no built-in defaults: without ssl_dhparam the DHE suites are simply not offered. Generating a large, unique group instead of relying on a small, widely shared one is what keeps the forward secrecy of those suites meaningful. Note that this is a parameters file, not a certificate, and it contains no secret.

The OpenSSL command may take quite a while to complete (many minutes for 4096 bits, since it searches for a safe prime), so please be patient.

You can place the parameters file in any directory you choose. In this guide we use /etc/nginx/, solely for the sake of simplicity.

sudo openssl dhparam -out /etc/nginx/dh4096.pem 4096

Add the following directive to your common SSL configuration:

ssl_dhparam /etc/nginx/dh4096.pem;

Let’s Encrypt ACME-Challenge

Add the /.well-known/acme-challenge location to the server block that listens on port 80. The directory named by root must be the same one you later hand to certbot as its webroot (--webroot-path); if the two differ, the http-01 validation fails.

server {
  listen 80 ;
  server_name mydom.tld;

  location /.well-known/acme-challenge {
      default_type "text/plain";
      root /var/www/letsencrypt;
  }
  # ...
}
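The two steps above (the DH parameters file and the acme-challenge location) are easy to get subtly wrong, and certbot only tells you afterwards. The following pre-flight script is an added example for this page, not code from the original guide or from certbot. It assumes the guide's paths (/etc/nginx/dh4096.pem, /var/www/letsencrypt) and placeholder domain mydom.tld; the offline demonstration at the end serves a temporary webroot over file:// in place of nginx.

```shell
#!/bin/sh
# Pre-flight checks for the DH parameters file and the acme-challenge
# location. Added example for this page, not part of the original guide
# or of certbot. Assumed values: /etc/nginx/dh4096.pem and
# /var/www/letsencrypt are the paths the guide uses; mydom.tld is its
# placeholder domain.
set -u

# The DH parameters file parses and passes OpenSSL's parameter check.
dhparam_ok() {
  openssl dhparam -in "$1" -noout -check >/dev/null 2>&1
}

# Rehearse the http-01 challenge: write a token below the webroot and fetch
# it back through the URL the CA would request. If nginx's "root" and the
# path handed to certbot (--webroot-path) differ, this fails before certbot
# ever talks to Let's Encrypt.
acme_probe() {
  webroot=$1    # directory from the "root" directive, e.g. /var/www/letsencrypt
  base_url=$2   # e.g. http://mydom.tld  (plain HTTP on port 80, never HTTPS)
  token="probe-$$-$(date +%s)"
  dir="$webroot/.well-known/acme-challenge"
  mkdir -p "$dir" || return 1
  printf '%s' "$token" > "$dir/$token" || return 1
  got=$(curl -fsS "$base_url/.well-known/acme-challenge/$token" 2>/dev/null)
  status=$?
  rm -f "$dir/$token"          # never leave probe files behind
  [ "$status" -eq 0 ] && [ "$got" = "$token" ]
}

# Offline demonstration: a temporary webroot served over file:// instead of
# nginx, so the probe logic runs without a server. Against a real host, call
#   acme_probe /var/www/letsencrypt http://mydom.tld
# and, for the DH file,
#   dhparam_ok /etc/nginx/dh4096.pem
demo() {
  tmp=$(mktemp -d)
  if acme_probe "$tmp/webroot" "file://$tmp/webroot"; then
    echo "challenge path OK"
  fi
  # Token written under one directory, served from another: the same
  # mistake as a certbot webroot that does not match nginx's root.
  if ! acme_probe "$tmp/other" "file://$tmp/webroot"; then
    echo "mismatched webroot detected"
  fi
  rm -rf "$tmp"
}

demo
```

The probe deliberately uses plain HTTP: Let's Encrypt requests the token over port 80, so a redirect to HTTPS on that path, or a firewall that only opens 443, shows up here as a failure.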

Create an SSL Server Configuration

We recommend creating a separate file for storing the SSL directives. If these directives already exist in the server block, delete them there and include the file instead. Once the certificate has been issued, the same file can be included in any SSL server block for which the certificate is valid (that is, any name listed in its subjectAltName) without reissuing it.

cd /etc/nginx/
sudo mkdir ssl_rules

Create a file named ssl_mydom.tld in the newly created directory with the following content:

# SSL rules for mydom.tld
# eases letsencrypt initial cert issuing

# No "ssl on;" here: the server block below uses "listen 443 ssl", which
# replaces it, and the directive is deprecated since nginx 1.15.0.

ssl_certificate         /etc/letsencrypt/live/mydom.tld/fullchain.pem;
ssl_certificate_key     /etc/letsencrypt/live/mydom.tld/privkey.pem;
# chain.pem holds the issuer certificate(s). OCSP stapling verification
# checks the response against the issuer, so pointing this at cert.pem (the
# leaf certificate) would make ssl_stapling_verify fail.
ssl_trusted_certificate /etc/letsencrypt/live/mydom.tld/chain.pem;

The following directives enable OCSP stapling, which spares clients a separate revocation lookup, and keep TLS sessions for five minutes so returning clients can resume without a full handshake. ssl_stapling_verify relies on the ssl_trusted_certificate directive above; nginx also needs a resolver directive to look up the OCSP responder's hostname, and per the nginx documentation the issuer and root certificates should be among the trusted certificates for verification to succeed. Here's an example configuration:

ssl_stapling on;
ssl_stapling_verify on;
ssl_session_timeout 5m;

Then adapt your server block:

server {
  listen 443 ssl http2;
  server_name mydom.tld;

  # ssl letsencrypt
  # include /etc/nginx/ssl_rules/ssl_mydom.tld;
  # ...
}

For the moment, comment out the include directive, as the certificate files do not yet exist. If nginx -t then reports that no "ssl_certificate" is defined for the "listen ... ssl" directive, nginx will not start with that server block at all: leave the whole port-443 server block out (or disabled) until the certificate has been issued, and add it back afterwards.
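Putting the pieces of this step together, here is how the port-80 server block, the port-443 server block and the ssl_rules file fit together once the certificate has been issued. This is an added example for this page, not configuration from the original guide: the DH file, the ssl_rules path, the webroot and mydom.tld are the guide's placeholders, while the cipher list and the resolver address (the systemd-resolved stub on Ubuntu 18.04) are assumptions to adapt. It also corrects two details of the snippets above: the deprecated ssl on; is dropped in favour of the ssl parameter on listen, and ssl_trusted_certificate points at chain.pem.

```nginx
# /etc/nginx/sites-available/mydom.tld  (added example; adapt names and paths)

server {
  listen 80;
  server_name mydom.tld;

  # Let's Encrypt http-01 validation. The "root" here is the directory you
  # pass to certbot as --webroot-path; the two must match.
  location /.well-known/acme-challenge/ {
    default_type "text/plain";
    root /var/www/letsencrypt;
  }

  # Everything else is sent to HTTPS. Keep the acme-challenge location above
  # this one so validation requests are never redirected.
  location / {
    return 301 https://$host$request_uri;
  }
}

server {
  listen 443 ssl http2;          # "ssl" here replaces the old "ssl on;"
  server_name mydom.tld;

  # ssl letsencrypt (uncommented once the certificate exists)
  include /etc/nginx/ssl_rules/ssl_mydom.tld;

  # ... your site's own location blocks
}

# /etc/nginx/ssl_rules/ssl_mydom.tld

ssl_certificate         /etc/letsencrypt/live/mydom.tld/fullchain.pem;
ssl_certificate_key     /etc/letsencrypt/live/mydom.tld/privkey.pem;
# Issuer chain, not the leaf: stapling verification needs the issuer.
ssl_trusted_certificate /etc/letsencrypt/live/mydom.tld/chain.pem;

# TLSv1.3 needs nginx built against OpenSSL 1.1.1; drop it if nginx -t rejects it.
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers off;
# Assumption: Mozilla "intermediate" style list. The DHE-* suites at the end
# are the only ones that use ssl_dhparam; ECDHE suites use named curves.
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
ssl_dhparam /etc/nginx/dh4096.pem;   # may also live in the shared http-level config

ssl_session_cache shared:SSL:10m;
ssl_session_timeout 5m;
ssl_session_tickets off;             # tickets would undo forward secrecy unless keys are rotated

ssl_stapling on;
ssl_stapling_verify on;
# nginx resolves the OCSP responder hostname itself; assumption: the
# systemd-resolved stub listener of Ubuntu 18.04. Use your own resolver.
resolver 127.0.0.53 valid=300s;
resolver_timeout 5s;
```

Run nginx -t after every change; the configuration is only picked up on reload.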

Test and enable your NGINX configuration

To test your configuration run

sudo nginx -t

It should reply without errors.

Load your new NGINX configuration:

sudo service nginx reload

Create the SSL Certificates

Check that you have commented out the include directive as stated above and run the following command:

sudo /etc/letsencrypt/<your-domain-name>.sh

If successful, you will see output similar to that below, when the command completes:

Saving debug log to /var/log/letsencrypt/letsencrypt.log

Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about EFF and
our work to encrypt the web, protect its users and defend digital rights.
(Y)es/(N)o: Y
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for mydom.tld
Using the webroot path /var/www/html for all unmatched domains.
Waiting for verification...
Cleaning up challenges
Running post-hook command: service nginx reload

 1. Congratulations! Your certificate and chain have been saved at:
    Your key file has been saved at:
    Your cert will expire on 2018-06-18. To obtain a new or tweaked
    version of this certificate in the future, simply run certbot
    again. To non-interactively renew *all* of your certificates, run
    "certbot renew"
 2. Your account credentials have been saved in your Certbot
    configuration directory at /etc/letsencrypt. You should make a
    secure backup of this folder now. This configuration directory will
    also contain certificates and private keys obtained by Certbot so
    making regular backups of this folder is ideal.
 3. If you like Certbot, please consider supporting our work by:

    Donating to ISRG / Let's Encrypt:
    Donating to EFF:          

To double check the issued certificate, run the script as follows.

sudo /etc/letsencrypt/

If successful, you should see output similar to the following:

Saving debug log to /var/log/letsencrypt/letsencrypt.log

Found the following certs:
  Certificate Name: mydom.tld
    Domains: mydom.tld
    Expiry Date: 2018-06-18 13:20:34+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/mydom.tld/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/mydom.tld/privkey.pem
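Beyond the expiry date printed above, a practitioner will want to confirm that the files certbot placed under /etc/letsencrypt/live/mydom.tld/ fit the ssl_rules file from earlier: that the certificate actually covers the server_name, that privkey.pem belongs to it, and that chain.pem (not cert.pem) is the issuer referenced by ssl_trusted_certificate. The following script is an added example for this page, not code from the original guide or from certbot; mydom.tld is the guide's placeholder and the demonstration builds a constructed, throwaway issuing CA and certificate in a temporary directory in place of the real live/ files.

```shell
#!/bin/sh
# Post-issuance checks on the files certbot placed under
# /etc/letsencrypt/live/mydom.tld/. Added example, not from the original
# guide or certbot; mydom.tld is the guide's placeholder domain.
set -u

# True when the certificate's subjectAltName lists the hostname. Browsers
# and Let's Encrypt identify hosts by SAN, so check that, not the CN.
cert_covers_name() {
  openssl x509 -in "$1" -noout -text 2>/dev/null | grep -qwF "DNS:$2"
}

# True when the certificate is still valid N days from now. certbot renews
# 30 days before expiry, so alert when fewer days than that remain.
cert_valid_for_days() {
  openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}

# True when the private key belongs to the certificate, i.e. privkey.pem and
# fullchain.pem have not been mixed up between domains.
key_matches_cert() {
  [ "$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null)" = \
    "$(openssl pkey -in "$2" -pubout 2>/dev/null)" ]
}

# True when the first certificate in the chain file is the issuer of the
# leaf and actually signed it. This is what ssl_trusted_certificate needs;
# cert.pem (the leaf itself) fails this check.
chain_is_issuer() {
  cert=$1; chain=$2
  issuer=$(openssl x509 -in "$cert" -noout -issuer 2>/dev/null | sed 's/^[a-z]*= *//')
  subject=$(openssl x509 -in "$chain" -noout -subject 2>/dev/null | sed 's/^[a-z]*= *//')
  [ -n "$issuer" ] && [ "$issuer" = "$subject" ] \
    && openssl verify -partial_chain -CAfile "$chain" "$cert" >/dev/null 2>&1
}

# Constructed sample: a throwaway issuing CA plus a certificate for mydom.tld
# valid for 60 days, laid out with certbot's file names. Stands in for
# /etc/letsencrypt/live/mydom.tld/ so the checks can run offline.
make_sample_live_dir() {
  d=$1
  openssl req -x509 -newkey rsa:2048 -nodes -days 90 -subj "/CN=Sample Issuing CA" \
    -keyout "$d/ca.key" -out "$d/chain.pem" >/dev/null 2>&1 || return 1
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=mydom.tld" \
    -keyout "$d/privkey.pem" -out "$d/csr.pem" >/dev/null 2>&1 || return 1
  printf 'subjectAltName=DNS:mydom.tld,DNS:www.mydom.tld\n' > "$d/san.ext"
  openssl x509 -req -in "$d/csr.pem" -CA "$d/chain.pem" -CAkey "$d/ca.key" \
    -CAcreateserial -days 60 -extfile "$d/san.ext" -out "$d/cert.pem" >/dev/null 2>&1 || return 1
  cat "$d/cert.pem" "$d/chain.pem" > "$d/fullchain.pem"
}

# Against the real files, replace $live with /etc/letsencrypt/live/mydom.tld.
demo() {
  live=$(mktemp -d)
  make_sample_live_dir "$live" || { echo "could not build sample"; return 1; }
  for name in mydom.tld www.mydom.tld mail.mydom.tld; do
    if cert_covers_name "$live/cert.pem" "$name"; then
      echo "covers $name"
    else
      echo "does NOT cover $name"
    fi
  done
  cert_valid_for_days "$live/cert.pem" 30 && echo "more than 30 days left"
  key_matches_cert "$live/cert.pem" "$live/privkey.pem" && echo "privkey.pem matches cert.pem"
  chain_is_issuer "$live/cert.pem" "$live/chain.pem" && echo "chain.pem issued cert.pem: correct for ssl_trusted_certificate"
  chain_is_issuer "$live/cert.pem" "$live/cert.pem" || echo "cert.pem is not its own issuer: wrong for ssl_trusted_certificate"
  rm -rf "$live"
}

demo
```

The expiry check mirrors what certbot renew will do for you; running it from cron against the live directory catches the case where the renewal timer has silently stopped.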

Now that Let's Encrypt has issued the certificate, un-comment the include directive for your domain's SSL rules in the server block configuration (and re-enable the port-443 server block if you had to leave it out earlier).

server {
  listen 443 ssl http2 ;
  server_name mydom.tld;

  # ssl letsencrypt
  include /etc/nginx/ssl_rules/ssl_mydom.tld;
  # ...
}


Reload the NGINX configuration

sudo service nginx reload

Your web server is now ready to serve HTTPS requests for the given domain using the issued certificate. Renewals run by certbot renew reload nginx through the post-hook shown in the output above; without that reload nginx keeps serving the old certificate until it is restarted, so make sure the hook stays configured.