Secure HTTP traffic with Let’s Encrypt on Debian

Configuring HTTPS on Debian with Nginx and Let’s Encrypt is now really easy.

Let’s install the required software:

sudo apt-get install certbot python-certbot-nginx

Then start the configuration process:

sudo certbot --nginx

And follow the steps:

Saving debug log to /var/log/letsencrypt/letsencrypt.log

Which names would you like to activate HTTPS for?
1: sub.mydomain.tld
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel):1
Enter email address (used for urgent renewal and security notices) (Enter 'c' to

Please read the Terms of Service at You must agree
in order to register with the ACME server at
(A)gree/(C)ancel: A
Obtaining a new certificate
Performing the following challenges:
tls-sni-01 challenge for mydomain.tld
Generating key (1024 bits): /var/lib/letsencrypt/snakeoil/0000_key.pem
Waiting for verification...
Cleaning up challenges
Generating key (2048 bits): /etc/letsencrypt/keys/0000_key-certbot.pem
Creating CSR: /etc/letsencrypt/csr/0000_csr-certbot.pem
Generating key (1024 bits): /var/lib/letsencrypt/snakeoil/0001_key.pem
Deployed Certificate to VirtualHost /etc/nginx/sites-enabled/mydomain.tld for set(['sub.mydomain.tld'])

Please choose whether HTTPS access is required or optional.
1: Easy - Allow both HTTP and HTTPS access to these sites
2: Secure - Make all requests redirect to secure HTTPS access
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
The appropriate server block is already redirecting traffic. To enable redirect anyway, uncomment the redirect lines in /etc/nginx/sites-enabled/mydomain.tld.

Congratulations! You have successfully enabled https://sub.domain.tld

You should test your configuration at:

- Congratulations! Your certificate and chain have been saved at
/etc/letsencrypt/live/sub.mydomain.tld/fullchain.pem. Your cert
will expire on 2017-12-17. To obtain a new or tweaked version of
this certificate in the future, simply run certbot again with the
"certonly" option. To non-interactively renew *all* of your
certificates, run "certbot renew"
- If you lose your account credentials, you can recover through
e-mails sent to myemail@mydomain.tld.
- Your account credentials have been saved in your Certbot
configuration directory at /etc/letsencrypt. You should make a
secure backup of this folder now. This configuration directory will
also contain certificates and private keys obtained by Certbot so
making regular backups of this folder is ideal.
- If you like Certbot, please consider supporting our work by:

Donating to ISRG / Let's Encrypt:
Donating to EFF:

If you want to redirect all HTTP traffic to HTTPS, uncomment the following lines in your server configuration:

# Redirect non-https traffic to https
if ($scheme != "https") {
    return 301 https://$host$request_uri;
} # managed by Certbot
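
A way to confirm the redirect above behaves as intended, as an added example that is not part of the original post: `check_redirect` is a hypothetical helper that reads the headers printed by `curl -sI` and accepts only a 301 to the same host and path over HTTPS. The sample responses are constructed, not captured from a real server.

```shell
#!/bin/sh
# Added example, not from the original post. check_redirect is a hypothetical
# helper: it reads raw response headers on stdin (as printed by
#   curl -sI "http://$host$path")
# and verifies the first response is the 301 that
#   return 301 https://$host$request_uri;
# should produce for that host and path.
check_redirect() {
    host=$1 path=$2 status='' location=''
    cr=$(printf '\r')
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%"$cr"}              # headers arrive with CRLF endings
        case $line in
            '') break ;;                # blank line: end of first response
            HTTP/*) rest=${line#* }; status=${rest%% *} ;;
            [Ll][Oo][Cc][Aa][Tt][Ii][Oo][Nn]:*)
                location=${line#*:}
                location=${location#"${location%%[! ]*}"} ;;  # trim leading spaces
        esac
    done
    if [ "$status" != 301 ]; then
        echo "FAIL: status '${status}', expected 301"; return 1
    fi
    if [ "$location" != "https://$host$path" ]; then
        echo "FAIL: Location '$location', expected https://$host$path"; return 1
    fi
    echo "OK: http://$host$path -> $location"
}

# Constructed sample responses (not captured from a real server).
GOOD='HTTP/1.1 301 Moved Permanently\r\nServer: nginx\r\nlocation: https://sub.mydomain.tld/a?b=1\r\n\r\n'
TEMP='HTTP/1.1 302 Found\r\nLocation: https://sub.mydomain.tld/a?b=1\r\n\r\n'
PLAIN='HTTP/1.1 301 Moved Permanently\r\nLocation: http://sub.mydomain.tld/a?b=1\r\n\r\n'
NONE='HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n'

for sample in "$GOOD" "$TEMP" "$PLAIN" "$NONE"; do
    printf '%b' "$sample" | check_redirect sub.mydomain.tld '/a?b=1' || true
done
```

Against a live site, pipe the real headers in: `curl -sI 'http://sub.mydomain.tld/a?b=1' | check_redirect sub.mydomain.tld '/a?b=1'`.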
