How to Save Hundreds of Dollars a Year on Your SSL


It has been around for a while now, but I finally got around to installing my first 100% free SSL certificate for one of our projects (for now I only put the app and the API behind SSL, not yet the front page, as nothing is there yet :) ).

Normally SSL certificates can run anywhere from a few hundred to over a thousand dollars a year for one website.

So being able to install one for free is very nice! The good thing is that these SSL certificates are trusted by pretty much all major devices and browsers, so compatibility isn't an issue.

OK, so I created an SOP document for our other servers (Debian 8 with Nginx). Here it is for you to copy and follow yourself:

Debian Knowledge needed:
Last modified: 4 June 2016 – Steven van der Peijl

This SOP is to install LetsEncrypt SSL certificates on our standard VPS webservers:
Debian 8 with Nginx

Resource URLs:

Always first run:
apt-get update
apt-get upgrade

Running Debian 7? Then I recommend upgrading to Debian 8 :) .

  1. Install CertBot from LetsEncrypt
    For debian 7:
    $: cd path/to/certbotinstall
    $: wget
    $: chmod a+x certbot-auto
    $: ./certbot-auto

    For debian 8:
    Open "/etc/apt/sources.list.d/"
    add "deb jessie-backports main" (no quotes)
    Save file
    $: apt-get update
    $: apt-get install certbot -t jessie-backports
  2. Make "/.well-known/acme-challenge" available
    via a public URL, e.g.

    Add this block to the appropriate nginx server{} block (the block's root must be the same directory you later pass to certbot with -w, so the challenge files certbot writes are served from here):
    location ^~ /.well-known/acme-challenge/ {
    # serve the challenge files as plain text whatever their name
    default_type "text/plain";
    }

    Test by creating a file ping.txt in the /.well-known/acme-challenge folder and accessing it via a URL like:
  3. Create Cert(s)
    Debian 7:
    $: cd path/to/certbotinstall
    $: ./certbot-auto certonly --webroot -w /var/www/publicdir -d -w /var/www/publicdir/bus -d

    Debian 8:
    $: certbot certonly --webroot -w /var/www/ -d -w /var/www/ -d

    *LetsEncrypt does not issue wildcard certificates like *. You could make it work with scripts that create certs on the fly, but that's not recommended (also because of the rate limits on the number of certs you can generate).

    **Note that in the example the cert covers 2 subdomains but only 1 certificate is created. You can add more or fewer, or even create separate ones if really needed.
  4. Check
    Check that the certificates were generated (.pem files under /etc/letsencrypt/live)
  5. Create strong DH group:
    $: openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048

    Only if it does not already exist (so check the path first to see if the file is already there)
  6. Create nginx conf snippets:
    Create the file /etc/nginx/snippets/ (where is the site's URL) with:

    ssl_certificate /etc/letsencrypt/live/;
    ssl_certificate_key /etc/letsencrypt/live/;

    and: /etc/nginx/snippets/ssl-params.conf with:
    # from
    # and

    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ecdh_curve secp384r1;
    ssl_session_cache shared:SSL:10m;
    ssl_session_tickets off;
    ssl_stapling on;
    ssl_stapling_verify on;
    resolver valid=300s;
    resolver_timeout 5s;
    add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
    add_header X-Frame-Options DENY;
    add_header X-Content-Type-Options nosniff;
    ssl_dhparam /etc/ssl/certs/dhparam.pem;
  7. Now change Nginx server blocks for the site
    The redirect:

    server {
    listen serverIP:80;
    #listen [fe80::d800:9ff:fe40:7eb4]:80 ipv6only=on;
    # the site's server_name directive goes here; the redirect relies on $server_name
    return 301 https://$server_name$request_uri;
    }

    And the ssl block:

    server {
    #listen serverIP:80;
    listen serverIP:443 ssl http2;
    #listen [fe80::d800:9ff:fe40:7eb4]:443 ssl http2 ipv6only=on;
    include snippets/;
    include snippets/ssl-params.conf;

    root /var/www/;
    }

    Important note: you need at least Nginx 1.9.5 installed for this (that is the release that introduced http2). So upgrade it if yours is older. If you can't upgrade, remove the http2 part from the listen line.

    Note 2: upgrading Nginx to 1.9.5 might cause some trouble with the GeoIP module; you will then need to:
    - comment out all references to GeoIP in nginx.conf
    - then fix the install by re-running apt-get or using "apt-get -f install"
    - add the line "load_module modules/;" to nginx.conf (on top outside any blocks)
    - restart nginx
    - re-enable GeoIP references in config files and fastcgi_params
    - restart nginx
  8. Enable cert auto-renew
    $: crontab -e
    30 2 * * 1 certbot renew --quiet
    35 2 * * 1 /etc/init.d/nginx restart

    This checks for renewal every Monday at 2:30am and renews any cert that is 60 days old or older (i.e. within 30 days of its 90-day expiry). Five minutes later it restarts Nginx so the renewed cert files are loaded.
  9. Test

    Run a renewal to test:
    $: certbot renew

    It should report success and that none of your certs are due for renewal.
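As an added example (not part of the original post, and not certbot's or nginx's own tooling), the script below bundles the checks worth running after steps 2, 5, 7 and 8: that the ACME challenge path is really served from the webroot over plain HTTP before certbot is pointed at it, that the installed nginx is new enough for http2 in the listen line, that the DH parameter file parses, and that the live certificate is not about to expire, which is the symptom you see when the --quiet cron renewal has been failing silently. It assumes nginx, curl and openssl are on PATH and that the certificate lives under certbot's default /etc/letsencrypt/live/<hostname>/; the hostname and webroot are passed as arguments, and www.example.com and /var/www/publicdir in the usage comment are placeholders.

```shell
#!/bin/sh
# le-check.sh: post-install sanity checks for the Let's Encrypt + Nginx SOP.
# Added example, not code from the original post. Assumes nginx, curl and
# openssl are installed; hostname and webroot come from the command line.
set -e

# Extract the version number from the "nginx -v" banner:
# "nginx version: nginx/1.10.3" -> "1.10.3"
nginx_version_from_banner() {
  printf '%s\n' "$1" | sed 's#.*nginx/##; s#[^0-9.].*##'
}

# Turn "MAJOR.MINOR.PATCH" into an integer that compares numerically:
# 1.9.5 -> 1009005, 1.10.3 -> 1010003
version_key() {
  printf '%s\n' "$1" | awk -F. '{ printf "%d%03d%03d\n", $1, $2, $3 }'
}

# Step 7: "listen ... ssl http2" needs nginx 1.9.5 or newer.
nginx_supports_http2() {
  [ "$(version_key "$1")" -ge "$(version_key 1.9.5)" ]
}

# Step 2: prove the challenge path is served from the webroot the same way
# Let's Encrypt fetches it (plain HTTP on port 80) before running certbot.
# Writes a throwaway token, fetches it, removes it and compares the body.
acme_path_check() {
  webroot="$1"; host="$2"
  dir="$webroot/.well-known/acme-challenge"
  token="selfcheck-$(date +%s)-$$"
  mkdir -p "$dir"
  printf 'ok' > "$dir/$token"
  body="$(curl -fsS "http://$host/.well-known/acme-challenge/$token" || true)"
  rm -f "$dir/$token"
  [ "$body" = "ok" ]
}

# Step 5: the DH parameter file must exist and parse.
dhparam_check() {
  openssl dhparam -check -noout -in "$1" >/dev/null 2>&1
}

# Step 8: "certbot renew --quiet" in cron hides failures, so alert when the
# live cert expires within DAYS days (default 30: certbot should have renewed
# by then, so a hit here means renewal is not happening).
cert_expiry_check() {
  cert="$1"; days="${2:-30}"
  openssl x509 -noout -checkend "$((days * 86400))" -in "$cert" >/dev/null
}

run_checks() {
  host="$1"; webroot="$2"
  live="/etc/letsencrypt/live/$host"   # certbot's default layout

  ver="$(nginx_version_from_banner "$(nginx -v 2>&1)")"
  if nginx_supports_http2 "$ver"; then
    echo "nginx $ver: http2 supported"
  else
    echo "nginx $ver: too old for http2, drop it from the listen line"
  fi

  nginx -t                                    # config must parse before any restart
  acme_path_check "$webroot" "$host" \
    && echo "ACME challenge path reachable" \
    || { echo "ACME challenge path NOT reachable via http://$host"; exit 1; }
  dhparam_check /etc/ssl/certs/dhparam.pem \
    && echo "dhparam.pem ok" \
    || { echo "dhparam.pem missing or invalid (step 5)"; exit 1; }
  cert_expiry_check "$live/cert.pem" 30 \
    && echo "certificate valid for more than 30 days" \
    || { echo "certificate expires within 30 days: cron renewal is failing"; exit 1; }
}

# Only run the live checks when called with both arguments, e.g.
#   sh le-check.sh www.example.com /var/www/publicdir   (placeholder values)
if [ "$#" -eq 2 ]; then
  run_checks "$@"
fi
```

Run it once right after step 2 (only the challenge check matters at that point, the certificate check will fail until step 3 is done) and again after step 8; running it from a second, unrelated cron entry gives you an alert that the --quiet renewal job never can.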