Prerequisites
Ensure your Debian system has LNMP (Linux + Nginx + MySQL + PHP) installed and running. If not, deploy LNMP using the official guide or package manager (e.g., sudo apt install nginx mysql-server php-fpm). Verify Nginx is active with sudo systemctl status nginx and MySQL is running with sudo systemctl status mysql. Confirm your domain (e.g., example.com) resolves to your server’s public IP via DNS settings.
Step 1: Install Certbot and Nginx Plugin
Certbot is Let’s Encrypt’s official client for automated certificate management. Install it along with the Nginx plugin to simplify integration:
sudo apt update
sudo apt install certbot python3-certbot-nginx
This installs Certbot and the necessary tools to configure Nginx automatically.
Step 2: Obtain and Configure SSL Certificate
Run Certbot with the --nginx flag to handle certificate issuance and Nginx configuration:
sudo certbot --nginx -d example.com -d www.example.com
Replace example.com and www.example.com with your actual domain(s). Certbot will prompt you for:
Certbot completes these actions:
Certificate files are stored under /etc/letsencrypt/live/example.com/ (fullchain.pem holds the server certificate plus the intermediate chain, privkey.pem the private key; Certbot keeps the private key readable by root only, so leave those permissions alone).
Step 3: Verify Nginx Configuration
Before reloading Nginx, check for syntax errors to avoid downtime:
sudo nginx -t
If the output shows syntax is ok and test is successful, proceed. If errors occur, review the Nginx error log (/var/log/nginx/error.log) and fix issues (e.g., typos in certificate paths).
Step 4: Restart Nginx to Apply Changes
Reload Nginx to activate the new HTTPS configuration without dropping existing connections:
sudo systemctl reload nginx
Alternatively, use sudo systemctl restart nginx to fully restart the service (may briefly interrupt traffic).
Step 5: Test HTTPS Access
Open a browser and navigate to https://example.com. You should see a padlock icon in the address bar, indicating a valid HTTPS connection. Use online tools like SSL Labs’ SSL Test to verify certificate details (e.g., expiration date, encryption protocols).
Step 6: Set Up Automatic Renewal
Let’s Encrypt certificates are valid for 90 days. Certbot automatically creates a cron job or systemd timer to renew certificates before expiration. To test the renewal process (without actually renewing), run:
sudo certbot renew --dry-run
If the test succeeds, Certbot will handle future renewals automatically. No manual intervention is required unless the test fails (e.g., due to DNS changes or network issues).
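The browser check in Step 5 and the renewal check in Step 6 can be automated. The script below is an added example for this guide, not Certbot's or Let's Encrypt's own tooling: it connects with full chain and hostname verification, confirms the certificate's SANs cover the requested name (single-label wildcards included), and reports days left against Certbot's default 30-day renewal window, which is this script's assumed alert threshold. The SAMPLE_CERT dict is a constructed stand-in for what getpeercert() returns, so the evaluation logic can be exercised offline.

```python
"""Check a deployed Let's Encrypt certificate and whether renewal is due.
Added example, not Certbot's code; assumes the server listens on 443."""
import socket
import ssl
import sys
from datetime import datetime, timezone

RENEW_WITHIN_DAYS = 30  # Certbot renews once fewer than 30 days remain (assumed threshold)

def days_until_expiry(not_after: str, now: datetime) -> int:
    """Convert getpeercert()'s notAfter ('Jun 30 00:00:00 2025 GMT') to whole days left."""
    expires = datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after), tz=timezone.utc)
    return (expires - now).days

def san_covers(san, hostname: str) -> bool:
    """True if a DNS SAN entry matches hostname; a wildcard covers exactly one label."""
    host = hostname.lower()
    for kind, value in san:
        if kind != "DNS":
            continue
        value = value.lower()
        if value == host:
            return True
        if value.startswith("*.") and host.count(".") == value.count(".") and host.endswith(value[1:]):
            return True
    return False

def evaluate(cert: dict, hostname: str, now: datetime) -> dict:
    """Summarise a getpeercert()-style dict: name coverage, days left, renewal flag, issuer."""
    days = days_until_expiry(cert["notAfter"], now)
    return {"hostname_covered": san_covers(cert.get("subjectAltName", ()), hostname),
            "days_left": days, "needs_renewal": days < RENEW_WITHIN_DAYS,
            "issuer_org": dict(rdn[0] for rdn in cert.get("issuer", ())).get("organizationName")}

def check_host(hostname: str, port: int = 443) -> dict:
    """Connect with chain and hostname verification, then evaluate the leaf certificate."""
    ctx = ssl.create_default_context()  # verifies the chain against the system CA store
    with socket.create_connection((hostname, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return evaluate(tls.getpeercert(), hostname, datetime.now(timezone.utc))

# Constructed sample in the shape getpeercert() returns, for offline checks.
SAMPLE_CERT = {"issuer": ((("countryName", "US"),), (("organizationName", "Let's Encrypt"),)),
               "notAfter": "Jun 30 00:00:00 2025 GMT",
               "subjectAltName": (("DNS", "example.com"), ("DNS", "www.example.com"))}

if __name__ == "__main__":
    print(check_host(sys.argv[1] if len(sys.argv) > 1 else "example.com"))
```

Run it from cron alongside certbot.timer and alert when needs_renewal stays true, which means the automatic renewal is not actually landing on the live server.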
Optional: Manual Nginx SSL Configuration
If you prefer customizing SSL settings (e.g., enabling HTTP/2, adjusting cipher suites), edit your Nginx site configuration (typically at /etc/nginx/sites-available/example.com). Replace the default HTTPS block with this optimized template:
server {
    listen 80;
    server_name example.com www.example.com;
    return 301 https://$host$request_uri; # Force HTTP to HTTPS
}

server {
    listen 443 ssl http2; # Enable HTTP/2 (on nginx 1.25.1+ prefer "listen 443 ssl;" plus "http2 on;")
    server_name example.com www.example.com;

    # SSL certificate paths (written by Certbot in Step 2)
    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

    # Optimized SSL settings shipped with the Certbot Nginx plugin
    include /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;

    # Website root and PHP handling
    root /var/www/example.com;
    index index.php index.html index.htm;

    location / {
        try_files $uri $uri/ =404; # Serve static files, 404 otherwise
    }

    location ~ \.php$ {
        include snippets/fastcgi-php.conf; # PHP-FPM integration (returns 404 for non-existent .php paths)
        fastcgi_pass unix:/var/run/php/php8.2-fpm.sock; # Adjust to the installed PHP version
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }

    # Security: deny access to .htaccess and other .ht* files
    location ~ /\.ht {
        deny all;
    }
}
After editing, test the configuration (sudo nginx -t) and reload Nginx (sudo systemctl reload nginx).
Troubleshooting Tips
HTTPS is unreachable from the browser: make sure the firewall allows port 443 as well as port 80 (e.g., sudo ufw allow 'Nginx Full').
Nginx fails to start or reload: check the error log (/var/log/nginx/error.log) for details and fix typos in the configuration file.
Certificate renewal fails: run sudo certbot renew --dry-run to diagnose issues. Common causes include expired domains or changed DNS records.