<p>
This demonstration will show how to install letsencrypt to an existing already running Nginx server by creating a new server block or virtual host, on a Debian Jessie subdomain.
</p>
<p>
Let us begin by fetching the letsencrypt client:
</p>
<p>
<pre class="brush:bash">
apt-get update
apt-get install git bc
git clone https://github.com/letsencrypt/letsencrypt /opt/letsencrypt
</pre>
</p>

<h3>
Use Webroot plugin
</h3>
<p>
Webroot plugin serves as authenticator during the certificates request process.  You have to use the plugin since we are installing to a running server by creating a hidden directory .well-known in your existing root.  In our case our existing root is /usr/share/nginx/html.  A special file is placed in this directory by letsencrypt client during the certificate request.
</p>
<p>
<pre class="brush:bash">
cd /usr/share/nginx/html
mkdir .well-known
</pre>
</p>
<p>
Let's go back to our config and add the following to your existing default server block that listens to port 80.  Usually the file you edit is /etc/nginx/sites-enabled/default.  This may be different if you changed the default installation.
</p>
<p>
<pre class="brush:bash">
location ~ /.well-known {
    allow all;
}
</pre>
</p>
<p>
Save and exit and then reload Nginx configuration.
</p>
<p>
<pre class="brush:bash">
/etc/init.d/nginx reload
</pre>
</p>
<h3>
Request for certificate
</h3>
<p>
We now request certificates against a domain or domains.  In this demonstration we request certicate for a single domain.  We use  secure.kahimyang.info as our domain.  Replace every occurence of this domain name with your own from this point onwards.  For multiple domain requests add multiple -d &lt;domain-name&gt; in the following command. 
</p>
<p>
<pre class="brush:bash">
cd /opt/letsencrypt
./letsencrypt-auto certonly -a webroot --webroot-path=/usr/share/nginx/html -d secure.kahimyang.info
</pre>
</p>
<p>
This prompts for your email address which is used for notices, and lost key recovery.  You must also agree to the Let's Encrypt Subscribe Agreement.  If everything was successful, you should see an output message detailing your credentials, including the expiry date of your certificates which is 90 days.
</p>
<p
Your PEM-encoded files should be in /etc/letsencrypt/archive.   However, Let's Encrypt creates symbolic links to these certificate files in the /etc/letsencrypt/live/secure.kahimyang.info.  These links always point to the most recent certificate files, use them to refer to your certificate files.
</p>
<p>
Here are those files pointed to by the symbolic links:
</p>

<ul>
<li>
cert.pem -  Domain's certificate
</li>
<li>
chain.pem - letsncrypt chain certificate
</li>
<li>
fullchain.pem -  cert.pem and chain.pem combined
</li>
<li>
privkey.pem -  Your certificate's private key
</li>
</ul>

<h3>
Generate Strong Diffie-Hellman Group
</h3>
<p>
To further increase security, generate a strong Diffie-Hellman group. To generate a 2048-bit group, use this command:
</p>
<p>
<pre class="brush:bash">
openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048
</pre>
</p>
<p>
This takes few minutes but when it's done you will have a strong DH group at /etc/ssl/certs/dhparam.pem.
</p>

<h3>
Configure TLS/SSL on your server block
</h3>

<p>
<ins class="adsbygoogle"
     style="display:block; text-align:center;"
     data-ad-layout="in-article"
     data-ad-format="fluid"
     data-ad-client="ca-pub-1532779215895298"
     data-ad-slot="4831933865"></ins>
<script>
     (adsbygoogle = window.adsbygoogle || []).push({});
</script>
</p>
<p>
Locate your Nginx config sites-enabled directory and create your HTTPS server block which listens to port 443.  The root of our secure site is  /usr/share/nginx/html/secure.  Replace this with your own.
</p>
<p>
<pre class="brush:bash">
server {
      listen 443;
      server_name  secure.kahimyang.info;
      ssl on;
      ssl_certificate /etc/letsencrypt/live/secure.kahimyang.info/fullchain.pem;
      ssl_certificate_key /etc/letsencrypt/live/secure.kahimyang.info/privkey.pem;

      ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
      ssl_prefer_server_ciphers on;
      ssl_dhparam /etc/ssl/certs/dhparam.pem;
      ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
      ssl_session_timeout 1d;
      ssl_session_cache shared:SSL:50m;
      ssl_stapling on;
      ssl_stapling_verify on;
      add_header Strict-Transport-Security max-age=15768000;


      location / {
          root   /usr/share/nginx/html/secure; #replace with your own
          index  index.html index.htm;
      }
}

#Redirect back to our secure site
server {
    listen 80;
    server_name secure.kahimyang.info;
    rewrite ^(.*) https://secure.kahimyang.info$1 permanent;
}
</pre>
</p>

<p>
Restart Nginx configuration but test your configuration first and  reload if no errors.
</p>
<p>
<pre class="brush:bash">
/etc/init.d/nginx configtest 
/etc/init.d/nginx reload
</pre>
</p>

<h3>
Setup auto renewal
</h3>

<p>
Let's Encrypt certificates are valid for 90 days,  it's recommended however that you renew the certificates every 60 days to allow a margin of error.  At the time of this writing, automatic renewal is still not available as a feature of the client itself, but you can manually renew your certificates by running the Let's Encrypt client with the renew option.
</p>
<p>
Use the following command to renew.  This will renew certificate for all installed domains.
</p>
<p>
<pre class="brush:bash">
/opt/letsencrypt/letsencrypt-auto renew
</pre>
</p>
<p>
To test the renewal process, use the following
</p>
<p>
<pre class="brush:bash">
/opt/letsencrypt/letsencrypt-auto renew  --dry-run
</pre>
</p>
<p>
To ensure your certificates won't get outdated is to create a cron job that will periodically execute the automatic renewal command for you. The renewal first checks for the expiration date and only executes the renewal if the certificate is less than 30 days away from expiration.   The cron job that followes executes every Monday at 2:45am an reloads Nginx 5 minutes later.
</p>
<p>
<pre class="brush:bash">
crontab -e
</pre>
</p>
<p>
Add the following lines
</p>
<p>
<pre class="brush:bash">
40 2 * * 1 /opt/letsencrypt/letsencrypt-auto renew >> /var/log/le-renew.log
45 2 * * 1 /etc/init.d/nginx reload
</pre
</p>

<h3>
Update letsencrypt client
</h3>
<p>
Whenever new updates are available for the client, you can update your local copy by running a git pull from inside the Let's Encrypt directory:
</p>
<p>
<pre class="brush:bash">
cd /opt/letsencrypt
git pull
</pre>
</p>
<p>
That's it.  Now you can check your configuration score at the Qualys SSL labs site here <a href="https://www.ssllabs.com/ssltest/analyze.html" target="_blank" class="news_link">https://www.ssllabs.com/ssltest/analyze.html</a>.  Your score should be A+.  Good luck!
</p>


How to install letsencrypt SSL certificates for Nginx server block on Debian Jessie