SSL — Let's Encrypt & Certbot

Let's Encrypt is a free, automated certificate authority. Certbot is their official tool to request and renew SSL certificates automatically.

Installation

sudo apt install certbot python3-certbot-nginx

python3-certbot-nginx is the Nginx plugin — it handles editing your Nginx config automatically.

Request a Certificate

sudo certbot --nginx -d yourdomain.com

Certbot places a temporary file on your server, then Let's Encrypt tries to fetch it via your domain name. If it succeeds (meaning your domain points to your server), the certificate is issued and installed automatically.

What Certbot Adds to Your Nginx Config

Certbot edits your site's config file to add HTTPS support:

server {
    server_name docs.lucasgoi.fr;

    location / {
        root  /var/www/docs.lucasgoi.fr/site;
        index index.html;
    }

    listen 443 ssl; # managed by Certbot
    ssl_certificate     /etc/letsencrypt/live/docs.lucasgoi.fr/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/docs.lucasgoi.fr/privkey.pem; # managed by Certbot
    include             /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam         /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}

# Redirect HTTP → HTTPS (generated by Certbot)
server {
    listen 80;
    server_name docs.lucasgoi.fr;

    if ($host = docs.lucasgoi.fr) {
        return 301 https://$host$request_uri;
    }

    return 404;
}
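
To check after a Certbot run, or after later hand edits, that a site config still carries these directives, the following shell example parses it with awk. It is an added example, not part of the original page or of Certbot. The function names `audit_vhost` and `sample_vhost` are hypothetical, the sample is constructed from the config above, and the check assumes the file holds top-level `server` blocks.

```shell
# Added example: audit_vhost FILE DOMAIN prints one FINDING per problem; status 0 means none.
audit_vhost() {
    awk -v domain="$2" '
    function report(msg) { print "FINDING: " msg; bad = 1 }
    function finish(   live) {               # judge one completed server block for the domain
        live = "/etc/letsencrypt/live/" domain "/"
        if (tls) {
            seen_tls = 1
            if (cert != live "fullchain.pem") report("ssl_certificate is not " live "fullchain.pem")
            if (key != live "privkey.pem") report("ssl_certificate_key is not " live "privkey.pem")
        }
        if (plain && !redirect) report("port 80 block does not return 301 to https")
    }
    {
        sub(/#.*/, ""); gsub(/;/, "")        # strip comments and statement terminators
        if (depth == 0 && $1 == "server") { named = tls = plain = redirect = 0; cert = key = "" }
        if ($1 == "server_name") for (i = 2; i <= NF; i++) if ($i == domain) named = 1
        if ($1 == "listen" && $2 ~ /(^|:)443$/ && $0 ~ /[ \t]ssl([ \t]|$)/) tls = 1
        if ($1 == "listen" && $2 ~ /(^|:)80$/) plain = 1
        if ($1 == "ssl_certificate") cert = $2; if ($1 == "ssl_certificate_key") key = $2
        if ($1 == "return" && $2 == "301" && $3 ~ /^https:/) redirect = 1
        depth += gsub(/[{]/, "{") - gsub(/[}]/, "}")   # track brace nesting
        if (depth == 0 && named) { finish(); named = 0 }
    }
    END { if (!seen_tls) report("no 443 ssl server block for " domain); exit bad + 0 }
    ' "$1"
}

# Constructed sample: the two server blocks from this page, trimmed.
sample_vhost() {
    cat <<'EOF'
server {
    server_name docs.lucasgoi.fr;
    listen 443 ssl; # managed by Certbot
    ssl_certificate     /etc/letsencrypt/live/docs.lucasgoi.fr/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/docs.lucasgoi.fr/privkey.pem; # managed by Certbot
}
server {
    listen 80;
    server_name docs.lucasgoi.fr;
    if ($host = docs.lucasgoi.fr) {
        return 301 https://$host$request_uri;
    }
    return 404;
}
EOF
}
sample_vhost | audit_vhost - docs.lucasgoi.fr && echo "no findings for docs.lucasgoi.fr"
```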

Renewal

Certbot installs a systemd timer that automatically renews certificates before they expire (Let's Encrypt certificates are valid for 90 days). Check its status:

sudo systemctl status certbot.timer

Test renewal manually (dry run, no changes):

sudo certbot renew --dry-run

After an actual renewal, reload Nginx to apply the new certificate:

sudo systemctl reload nginx