How to Set Up SSL Using Certbot and Let's Encrypt

If you have decided to add HTTPS support to your site, you should like to look at Certbot because it's an easy and fast way to accomplish everything you need.

Let's Encrypt & Certbot

Let's Encrypt is a free and automated (via the ACME protocol) certificate authority and, as you may guess, Certbot is one of many available clients for it that makes things really simple.

Install Certbot

We use CentOS 7, and Certbot has prepared instructions that you can copy & paste:

sudo yum install epel-release
sudo yum install certbot

They also have instructions for other platforms, check their main page for installation instructions if you use another OS.

Get SSL Certificates

Certbot has a plugin system. The most promising plugin is nginx, but there are some notes in the docs:

The Nginx plugin is still experimental... Nginx Web Server - currently doesn't work

I have a bunch of virtual servers and didn't want to mess everything up, so I decided to go with another plugin that suited my situation quite well - the webroot plugin.

The webroot Plugin

The principle of this plugin is quite simple: you point it to your web server's root directory, it creates the .well-known directory and puts an ACME challenge there. Then, the Let's Encrypt client checks it and this way you confirm that the specified domain is yours. You can get more information about the verification process at Let's Encrypt.

The main benefit of this approach is that you won't need to stop your web server at all. It's also possible to obtain one certificate for many domains at once (so called SAN certificates). Here is how you can achieve this: 

certbot certonly --webroot -w /var/www/4devs/ -d -w /var/www/4devs/ -d -d

Here we have the following parts:

certonly - with this command Certbot will only obtain certificates and won't modify your web server's configuration, and won't automatically install them;

--webroot - this way we specify the plugin we want to use;

-w - a flag for a web root directory of your web server. After this flag, you just need to write a path;

-d - a flag to specify a domain. You can use many such flags after -w flags. It's possible to specify many domains (aliases) if they have the same web root directory.

All generated keys and issued certificates can be found in /etc/letsencrypt/live/$domain. If you want to get a certificate for multiple domains at once, then you will have only one certificate named by the first mentioned domain. For our example above, we will have to look at /etc/letsencrypt/live/

Configure Nginx

Now you need to update your virtual server's configuration:

server {
    listen 443 ssl http2;
    ssl_certificate <PATH TO A fullchain.pem FILE>;
    ssl_certificate_key <PATH TO A privkey.pem>;

Don't forget to reload nginx via:

sudo nginx -s reload

Caveats and Limits

There are some limits that Let's Encrypt has and you should be aware of. The most important one is that Let's Encrypt certificates last for 90 days. You don't want to forget to renew your certificates, do you? This can be easily automated.

Automated Certificate Renewal

We'll solve this by using crontab, but, first of all, I recommend you run this command under the user you will configure crontab for and check the output to see if everything is OK.

certbot renew --dry-run

There may be some problems with permissions. If everything is OK, then call crontab -e and set up a crontab task in it:

# Renew SSL certificates using certbot / let's encrypt (twice/day)
X */12 * * * certbot renew —quiet

Note: replace X with a value from 0 to 59.

It's recommended to run this command more frequently than once per 3 months. The task above will be executed twice per day. To understand crontab better, use Crontab Guru suggested by @bfredit. If your certificates are fresh, this command won't do anything.


It took me 5 minutes to configure everything and enjoy the process, so I recommend you try this approach.