Open Source Free SSL

Update August 2016: The letsencrypt client is now called certbot and is a bit easier to use: https://certbot.eff.org/ (The certbot-auto wrapper script used below has since been deprecated by EFF and no longer receives updates; on a current system install certbot from your distribution's packages or as described on that page, and use certbot wherever certbot-auto appears in the commands.)

Since the letsencrypt client needs root privileges, I did all the following as root (sudo su -).

Install letsencrypt

mkdir -p /root/bin
cd /root/bin
wget https://dl.eff.org/certbot-auto
chmod a+x certbot-auto
/root/bin/certbot-auto

You are about to run a script fetched over the network as root, so check it before the chmod: EFF publishes a detached GPG signature for it at https://dl.eff.org/certbot-auto.asc. Running certbot-auto once with no arguments installs the client and its Python dependencies; it then opens the interactive client, which you can quit, because everything it needs is passed on the command line below.

Configure Nginx

Create the validation folder first (mkdir -p /etc/letsencrypt/webrootauth; it only has to be readable by the nginx worker user, so root-owned with mode 0755 is fine, and certbot refuses to run if the webroot path does not exist). Then edit your Nginx configuration, for example /etc/nginx/sites-available/openfoodnetwork, and add the following lines to the server block that listens on port 80, since the Let's Encrypt validator fetches the challenge over plain HTTP:

  # letsencrypt validation folder
  # Do not use /tmp or any other world-writable folder: a local user could
  # then plant challenge responses there and obtain certificates for this host.
  location /.well-known/acme-challenge {
    default_type "text/plain";
    root         /etc/letsencrypt/webrootauth;
  }

If you already have an SSL certificate and your config redirects http to https, place these lines after the redirect, at the end of that server block, so validation requests are served rather than redirected. Note that a bare return 301 placed directly in the server block runs before any location is matched; in that case add the location block to the https server block as well, since the Let's Encrypt validator follows redirects.

Then check the syntax with nginx -t and reload: service nginx reload

Obtain the first certificate

/root/bin/certbot-auto certonly -a webroot --webroot-path=/etc/letsencrypt/webrootauth --email admin@openfoodnetwork.example.org --text --agree-tos -d openfoodnetwork.example.org

This is the same certbot-auto installed above; --agree-tos accepts the Let's Encrypt subscriber agreement. Repeat -d for every additional name the certificate should cover (for example www.openfoodnetwork.example.org); each of them must resolve to this server. While you are still experimenting, add --test-cert: failed validations against the production environment count towards Let's Encrypt's rate limits. On success the certificate and key are written under /etc/letsencrypt/live/openfoodnetwork.example.org/.

Install first certificate

Edit your Nginx configuration again.

  ssl_certificate      /etc/letsencrypt/live/openfoodnetwork.example.org/fullchain.pem;
  ssl_certificate_key  /etc/letsencrypt/live/openfoodnetwork.example.org/privkey.pem;

After reloading (service nginx reload) you should have a valid SSL setup. Nginx reads privkey.pem as root when it starts or reloads, so leave the key readable by root only; do not open it up to the worker user.

Automatic renewal

Test renewal with: /root/bin/certbot-auto renew --dry-run

If that is successful, you can configure cron to check for renewals every day (certbot itself suggests checking twice a day; daily is enough in practice because renewal starts 30 days before expiry). The post-hook only runs when certbot has actually attempted a renewal, so nginx is not reloaded on the days nothing is due. Newer certbot versions also offer --deploy-hook, which runs only for certificates that were successfully renewed.

cat > /etc/cron.daily/certbot <<'EOF'
#!/bin/sh

/root/bin/certbot-auto renew \
 --quiet --no-self-upgrade \
 --post-hook "/usr/sbin/service nginx reload"
EOF

chmod +x /etc/cron.daily/certbot

You are done.
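Two things go wrong with this setup in practice: the challenge path is not actually reachable from outside (a redirect, a different server block, a typo in the root), so the first certonly fails and burns rate-limited validation attempts, and months later the cron job silently stops working and the certificate expires. The following script is an added example, not part of the original post and not part of certbot; it checks both. It assumes the webroot and /etc/letsencrypt/live paths used above, and that curl, openssl and GNU date (for date -d) are installed, which is the case on the Debian/Ubuntu systems the post targets. The script name check-le.sh and the 20-day threshold are my own choices.

```shell
#!/bin/sh
# check-le.sh: self-checks for the Let's Encrypt + nginx setup described above.
# Added example; assumes the paths from the post, curl, openssl and GNU date.
set -eu

WEBROOT="${WEBROOT:-/etc/letsencrypt/webrootauth}"

# Print the number of whole days until the certificate in a PEM file expires
# (negative once it has expired).
cert_days_left() {
    pem="$1"
    end=$(openssl x509 -noout -enddate -in "$pem")   # "notAfter=Jun 10 12:00:00 2025 GMT"
    end=${end#notAfter=}
    end_s=$(date -d "$end" +%s)                     # GNU date parses this format
    now_s=$(date +%s)
    echo $(( (end_s - now_s) / 86400 ))
}

# Succeed only if the certificate has at least MIN_DAYS (default 20) left.
# certbot renews at 30 days left, so fewer than 20 means renewal has been
# failing for more than a week.
cert_ok() {
    [ "$(cert_days_left "$1")" -ge "${2:-20}" ]
}

# Drop a throw-away token where certbot's webroot plugin would write a real
# one, fetch it over plain HTTP the way the Let's Encrypt validator does, and
# compare. Succeeds only if nginx serves the folder configured above.
acme_path_selftest() {
    domain="$1"
    dir="$WEBROOT/.well-known/acme-challenge"
    mkdir -p "$dir"
    token="selftest-$(date +%s)-$$"
    echo "$token" > "$dir/$token"
    got=$(curl -fsSL --max-time 10 "http://$domain/.well-known/acme-challenge/$token" || true)
    rm -f "$dir/$token"
    [ "$got" = "$token" ]
}

# Usage: sh check-le.sh openfoodnetwork.example.org
if [ $# -ge 1 ]; then
    domain="$1"
    if acme_path_selftest "$domain"; then
        echo "ACME challenge path is served for $domain"
    else
        echo "ACME challenge path is NOT served for $domain; fix the nginx location block before running certonly" >&2
    fi
    live="/etc/letsencrypt/live/$domain/fullchain.pem"
    if [ -r "$live" ]; then
        echo "$live: $(cert_days_left "$live") days left"
        cert_ok "$live" || echo "WARNING: fewer than 20 days left, renewal is not working" >&2
    fi
fi
```

Run the ACME path check before the first certonly, and run cert_ok from a second cron job (or your monitoring) so you hear about a broken renewal while there is still time to fix it, instead of from users seeing a browser warning.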
