How to set up Let’s Encrypt on Ubuntu

At first, it is necessary to add the certbot repository and to install the letsencrypt packet from one:

sudo apt install software-properties-common
sudo add-apt-repository ppa:certbot/certbot
sudo apt update
sudo apt upgrade
sudo apt install letsencrypt

It is possible to edit command which will be excecuted every time after certificates had updated. Here:

sudo mcedit /etc/letsencrypt/cli.ini

Change post-hook to that you need:

post-hook = service nginx reload

To the next, you need to register Let’s Encrypt account:

certbot register --email

Create .well-known directory in public root directory of your website. Let’s Encrypt will save temporary necessary data in directory stated above:

mkdir -p /var/www/your_web_site/public/.well-known

Check whether this catalog works:

echo '1234' > /var/www/your_web_site.localhost/public/.well-known/test.txt

Open http ://your_web_site.localhost/.well-known/test.txt in your browser, then:

rm /var/www/your_web_site.localhost/public/.well-known/test.txt

Directory .well-known has to be clean before you goint to the next step!

So, let’s try to create temporary SSL cerificate for testing.

letsencrypt certonly --dry-run -d your_web_site.localhost -d www.your_web_site.localhost

When it asks «webroot», enter:


If check is complete well then create the really SSL certificate:

letsencrypt certonly -d your_web_site.localhost -d www.your_web_site.localhost

Check whether new SSL cerificate really works:

openssl x509 -text -in /etc/letsencrypt/live/your_web_site.localhost/cert.pem

Now, it necessary to configuring web server.

Configuring webserver


Add next lines to your host configuration section:

ssl_certificate /etc/letsencrypt/live/your_web_site.localhost/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/your_web_site.localhost/privkey.pem;
ssl_trusted_certificate /etc/letsencrypt/live/your_web_site.localhost/chain.pem;
ssl_ciphers EECDH:+AES256:-3DES:RSA+AES:RSA+3DES:!NULL:!RC4;

For fix OCSP stapling use next command:

tee /etc/nginx/conf.d/ssl_stapling.conf <<EOF
ssl_stapling on;
ssl_stapling_verify on;

BUT If you don’t have a local DNS cache server then use this:

nameserver=$(grep nameserver /etc/resolv.conf | head -1 | cut -f2 -d" ")
sed -i s/$nameserver/ /etc/nginx/conf.d/ssl_stapling.conf
grep resolver /etc/nginx/conf.d/ssl_stapling.conf


Example of host:

# Notice port of SSL host
<VirtualHost *:443>

    # <!-- SSL certificate
    SSLEngine on
    SSLCertificateFile /etc/letsencrypt/live/your_web_site.localhost/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/your_web_site.localhost/privkey.pem
    SSLCertificateChainFile /etc/letsencrypt/live/your_web_site.localhost/chain.pem
    # -->

    ServerAdmin admin@localhost
    ServerName your_web_site.localhost
    DocumentRoot /var/www/your_web_site.localhost/
    <Directory /var/www/your_web_site.localhost/>
        Options Indexes FollowSymLinks
        php_admin_value open_basedir /var/www/your_web_site.localhost/
        AllowOverride All
        Require all granted
    ErrorLog /var/www/logs/your_web_site.localhost-error.log
    LogLevel warn
    CustomLog /var/www/logs/your_web_site.localhost-access.log combined

Finally, check how Let’s Encrypt updates cerificates:

certbot -q renew
 204   2019