Reference document:

You can configure it step by step.

  1. install certbot
    
    $ apt-get update
    $ apt-get install software-properties-common
    $ add-apt-repository universe
    $ add-apt-repository ppa:certbot/certbot
    $ apt-get update
    $ apt-get install certbot
    
  2. generate the SSL/TLS certificate files
    
    $ certbot certonly --webroot -w /var/www/html -d example.com --email [email protected]
    
  3. then you can find the files in /etc/letsencrypt/live/example.com/
  4. modify the nginx config
    
    # Session
    ssl_session_cache shared:SSL:32m;
    ssl_session_timeout 1d;
    
    # HSTS
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    
    # Forward Secrecy
    ssl_protocols TLSv1.3 TLSv1.2 TLSv1.1 TLSv1;
    ssl_prefer_server_ciphers on;
    ssl_ciphers ECDH+AESGCM:ECDH+AES256:ECDH+AES128:DHE+AES128:!ADH:!AECDH:!MD5;
    
  5. then modify the host config file and reload nginx
  6. now you can visit your website over https
  7. when the certificate expires, you can execute certbot renew to update it
  8. in addition, you can visit https://www.ssllabs.com/ssltest/ to test your website's SSL/TLS config
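As an added example, not part of the original document: a small Python script that lints the nginx TLS directives from step 4 for the kind of issue the SSL Labs test in step 8 would flag, and rewrites ssl_protocols to drop TLSv1 and TLSv1.1 (deprecated by RFC 8996). The embedded sample config, the 180-day HSTS threshold and the function names are assumptions of this example.

```python
"""Lint the TLS directives of an nginx server block (added example)."""
import re

# Constructed sample: the nginx snippet from step 4 of the document.
SAMPLE_CONFIG = """
# Session
ssl_session_cache shared:SSL:32m;
ssl_session_timeout 1d;

# HSTS
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

# Forward Secrecy
ssl_protocols TLSv1.3 TLSv1.2 TLSv1.1 TLSv1;
ssl_prefer_server_ciphers on;
ssl_ciphers ECDH+AESGCM:ECDH+AES256:ECDH+AES128:DHE+AES128:!ADH:!AECDH:!MD5;
"""

DEPRECATED_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}  # RFC 7568 / RFC 8996
MIN_HSTS_MAX_AGE = 15552000  # 180 days, assumed threshold for a "long" HSTS policy


def parse_directives(text):
    """Return [(name, [args])] for each ';'-terminated directive, ignoring '#' comments."""
    directives = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line.endswith(";"):
            continue
        parts = re.findall(r'"[^"]*"|\S+', line[:-1])  # keep quoted values intact
        directives.append((parts[0], [p.strip('"') for p in parts[1:]]))
    return directives


def audit_tls(text):
    """Return a list of human-readable findings; an empty list means no issue found."""
    findings, seen, hsts = [], {}, None
    for name, args in parse_directives(text):
        seen[name] = args
        if name == "add_header" and args and args[0].lower() == "strict-transport-security":
            hsts = args
    weak = sorted(set(seen.get("ssl_protocols", [])) & DEPRECATED_PROTOCOLS)
    if weak:
        findings.append("deprecated protocols enabled: " + " ".join(weak))
    if hsts is None:
        findings.append("missing Strict-Transport-Security header")
    else:
        m = re.search(r"max-age=(\d+)", hsts[1])
        if not m or int(m.group(1)) < MIN_HSTS_MAX_AGE:
            findings.append("HSTS max-age below 180 days")
        if "always" not in hsts:
            findings.append("HSTS add_header lacks 'always' (not sent on error responses)")
    if "ssl_session_cache" not in seen:
        findings.append("no ssl_session_cache (full handshake on every connection)")
    return findings


def drop_deprecated_protocols(text):
    """Rewrite the ssl_protocols directive so only non-deprecated versions remain."""
    def fix(m):
        kept = [p for p in m.group(1).split() if p not in DEPRECATED_PROTOCOLS]
        return "ssl_protocols " + " ".join(kept) + ";"
    return re.sub(r"ssl_protocols\s+([^;]+);", fix, text)
```

Running audit_tls on the sample reports only the TLSv1/TLSv1.1 finding; after drop_deprecated_protocols the config passes clean.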