Comments on Install Let's Encrypt and Secure Nginx with SSL/TLS in Debian 9
This tutorial shows how to install and secure an Nginx web server on Debian 9 with a TLS certificate issued for free by the Let's Encrypt Certificate Authority. It also configures automatic renewal of the Let's Encrypt TLS certificates with a cron job that runs before the certificates expire.
Comments
Don't forget to enable HTTP/2 by enabling http2 in the listen directive. Also think about HSTS and HPKP. And, test your site through https://en.internet.nl for a 100% score, to see if you've done everything right.
and how about subdomains?
For subdomains it's the same procedure. Just use sub.domain.tld instead of domain.tld.
Thank you, sir. How long until the SSL must be renewed again?
When trying to get a certificate for CHIP (very similar in specs to a Raspberry Pi) running Debian Stretch, I just got the message:
certbot [SUBCOMMAND] [options] [-d DOMAIN] [-d DOMAIN] ...
So it seems like the first command sudo certbot certonly --standalone –d yourdomain.com –d www.yourdomain.com isn't quite right. The other method:
sudo certbot certonly --webroot –w /var/www/html/ -d yourdomain.com –d www.yourdomain.com
With the webroot set to the folder where Ghost is installed, gives:
usage:
certbot [SUBCOMMAND] [options] [-d DOMAIN] [-d DOMAIN] ...
So again the same thing. I don't know what is causing this. If I try with ghost setup ssl I get the output: A SystemError occurred. Usually this seems to be a timeout issue.
And right after my post I tried again and got:
-------------------------------------------------------------------------------
The program nginx (process ID 1897) is already listening on TCP port 80. This
will prevent us from binding to that port. Please stop the nginx program
temporarily and then try again.
-------------------------------------------------------------------------------
Press Enter to Continue
And I did include that --standalone option.
And finally.
If I first run sudo service nginx stop and re-run the command sudo certbot certonly --standalone -d mydomain.com (I use just one domain and redirect www.mydomain.com to mydomain.com in the domain settings), I finally get this error:
IMPORTANT NOTES:
- The following errors were reported by the server:
Domain: mydomain.com
Type: connection
Detail: Fetching
http://mydomain.com/.well-known/acme-challenge/56d08V1kX0zoEoLl4najN_0htGlYuvqJSzo36XLjgug:
Timeout
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A record(s) for that domain
contain(s) the right IP address. Additionally, please check that
your computer has a publicly routable IP address and that no
firewalls are preventing the server from communicating with the
client. If you're using the webroot plugin, you should also verify
that you are serving files from the webroot path you provided.
Can you help me forward?
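The bare usage line certbot printed in the post above is what it shows when an argument is not recognised; a later note on this page observes that the tutorial's commands contain a typographic dash that looks like a regular hyphen. The following POSIX sh check is an added example, not code from the tutorial or from any commenter; the function names and the sample commands in it are my own.

```shell
#!/bin/sh
# check_dashes.sh: flag typographic dashes (U+2013 EN DASH, U+2014 EM DASH,
# U+2212 MINUS SIGN) in a command line pasted from a web page. Added example,
# not part of the tutorial. certbot does not accept such "options" and falls
# back to printing its usage line instead of a clearer error.

# Returns 0 when the argument contains only ASCII hyphen-minus dashes and
# 1 when a typographic dash is present. The patterns are the UTF-8 byte
# sequences of the three code points; LC_ALL=C makes grep match raw bytes.
has_only_ascii_dashes() {
    en_dash=$(printf '\342\200\223')
    em_dash=$(printf '\342\200\224')
    minus=$(printf '\342\210\222')
    if printf '%s' "$1" | LC_ALL=C grep -q -e "$en_dash" -e "$em_dash" -e "$minus"; then
        return 1
    fi
    return 0
}

# Rewrite typographic dashes to ASCII hyphen-minus so the command can be run as intended.
normalize_dashes() {
    printf '%s' "$1" | LC_ALL=C sed \
        -e "s/$(printf '\342\200\223')/-/g" \
        -e "s/$(printf '\342\200\224')/-/g" \
        -e "s/$(printf '\342\210\222')/-/g"
}

# Usage: sh check_dashes.sh <pasted command ...>
# Prints "ok" and exits 0, or prints the corrected command and exits 1.
if [ $# -gt 0 ]; then
    cmd="$*"
    if has_only_ascii_dashes "$cmd"; then
        echo "ok: $cmd"
    else
        echo "typographic dash found; corrected command:" >&2
        normalize_dashes "$cmd"
        echo
        exit 1
    fi
fi
```

Run it with the pasted command line as its arguments before executing that command; when it reports a dash, the printed form is safe to run. Piping the pasted text through od -c shows the same thing by hand: a real hyphen appears as the single byte "-", an en dash as three bytes "342 200 223".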
Thanks for this very helpful guide. Just some notes:
* fullchain.pem must be used instead of cert.pem to have a complete certificate chain. This is recommended in the Let's Encrypt documentation as well.
* Just copy-pasting the commands does not work, because the blog uses a different character for the dash '-' which is visually identical to the regular dash. Hence, command line arguments get rejected. If you could fix the dash in the commands, that would be very helpful.
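Putting the first comment's HTTP/2 and HSTS advice together with the fullchain.pem note above, here is an nginx server block as an added example; it is not the tutorial's configuration. It assumes certbot's default live directory for the domain yourdomain.com and the webroot /var/www/html used in the comments above. The ACME challenge location lets certbot's webroot plugin issue and renew without stopping nginx, which avoids the port-80 conflict the earlier post ran into with --standalone.

```nginx
# Added example, not the tutorial's own config. Replace yourdomain.com and
# /var/www/html with your values; the certificate paths are certbot defaults.

# Plain HTTP: answer ACME challenges for webroot issuance and renewal,
# redirect everything else to HTTPS.
server {
    listen 80;
    listen [::]:80;
    server_name yourdomain.com www.yourdomain.com;

    # certbot certonly --webroot -w /var/www/html writes the challenge
    # token files here, so nginx keeps running during validation.
    location ^~ /.well-known/acme-challenge/ {
        root /var/www/html;
        default_type "text/plain";
    }

    location / {
        return 301 https://$host$request_uri;
    }
}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name yourdomain.com www.yourdomain.com;

    # fullchain.pem = leaf certificate + intermediate. Pointing this at
    # cert.pem serves an incomplete chain that some clients reject.
    ssl_certificate     /etc/letsencrypt/live/yourdomain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/yourdomain.com/privkey.pem;

    # Debian 9 ships OpenSSL 1.1.0, so TLS 1.2 is the newest protocol available.
    ssl_protocols TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:10m;
    ssl_session_tickets off;

    # HSTS: browsers will refuse plain HTTP for this host for max-age seconds.
    # Start with a small max-age (e.g. 300) and raise it once every host,
    # including subdomains, is confirmed to work over HTTPS.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

    root /var/www/html;
    index index.html;
}
```

Check the syntax with nginx -t before reloading. Nginx reads the certificate files only at start or reload, so a renewed certificate is not served until nginx is reloaded; append a reload to the renewal cron job, or use certbot's deploy hook on versions that support it, so the new fullchain.pem takes effect.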
Hello,
Thanks for the nice tutorial which got my 1st SSL-enabled site up in a flash.
That was about a month ago, and I realized I needed to double back and set up Let's Encrypt auto-renewal.
I have a quick question.
The location of letsencrypt.log on Debian 9.4 after running certbot appears to be at:
/var/log/letsencrypt/letsencrypt.log
rather than:
/var/log/letsencrypt.log
Your cron job was:
0 2 * * * certbot renew >> /var/log/letsencrypt.log
Was that a typo which should have been:
0 2 * * * certbot renew >> /var/log/letsencrypt/letsencrypt.log
... or is/was there a reason for having another letsencrypt.log file in the /var/log directory?