How to Install Let’s Encrypt on Digital Ocean

Gone are the days when we had to pay hundreds of dollar for SSL certificates. Let’s Encrypt is a service that now provides SSL certificates for free. Installing SSL certificate have many advantages like your site visitors data are safe and as we know as of 2021 most of the modern browsers have started showing green secures labels in its user interface for SSL enabled sites, some webmaster also suggests that SSL certificates are good for SEO.

DigitalOcean is not managed hosting provider which means that you will have to do most of the set-up on your own. Installing SSL certificate on DigitalOcean is really a very tedious task. Today we are going to tell you the easiest way of installing SSL certificates on your DigitalOcean server.

Installing SSL Certificate through Nginx

For this tutorial you need to make sure that your DigitalOcean server is setup using Serverpilot and is running on Ubuntu OS and Nginx server. To check whether your site is running on Nginx run the following command.

sudo nginx-sp -v

If above code returns something like nginx version: nginx/1.13.10 then congratulations as you’re running Nginx server.

  • Step 1: Login as root to your DigitalOcean droplet through SSH. If you don’t know how to do it then check out this tutorial.
  • Step 2: Run following command to download and install Lets Encrypt.

sudo git clone https://github.com/letsencrypt/letsencrypt
cd letsencrypt

  • Step 3: Let’s stop Nginx server for a moment:

sudo service nginx-sp stop

  • Step 4: Obtain SSL certificate by running following command:

sudo ./letsencrypt-auto certonly --standalone -d yourdomain.com -d www.yourdomain.com

  • After obtaining the certificate you’ll get a success message like in following screenshot:

  • Step 5: Start the Nginx server by running this command:

sudo service nginx-sp start

  • Step 6: Now we are going to make some changes to Nginx configuration file. Please make sure you follow this step carefully. Run following command to switch to directory where Serverpilot keeps Nginx Configurations.

cd /etc/nginx-sp/vhosts.d

  • Now press ls and hit enter to list all the configuration files which are there in your directory. Serverpilot creates .conf file for each app your create, for example if your serverpilot app name is devdude then your conf file should look like: devdude.conf

  • To find your serverpilot app name, login to serverpilot and then click on app from left sidebar and you will be listed with app that exists on your account.

  • Step 7: After knowing App Name run following command:

sudo nano yourappname.ssl.conf

  • Step 8: Now paste following code inside it by using right click:
server {
	listen 443 ssl http2;
	listen [::]:443 ssl http2;
	server_name  devdude.com www.devdude.com;


	ssl on;

	# letsencrypt certificates
	ssl_certificate      /etc/letsencrypt/live/devdude.com/fullchain.pem;
	ssl_certificate_key  /etc/letsencrypt/live/devdude.com/privkey.pem;

        #SSL Optimization
	ssl_session_timeout 1d;
	ssl_session_cache shared:SSL:20m;
	ssl_session_tickets off;

        # modern configuration
	ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_prefer_server_ciphers on;

        ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK'; 

        # OCSP stapling 
        ssl_stapling on; 
        ssl_stapling_verify on; 

        # verify chain of trust of OCSP response 
        ssl_trusted_certificate /etc/letsencrypt/live/devdude.com/chain.pem;
        #root directory and logfiles 
        root /srv/users/serverpilot/apps/yourappnamehere/public; 

        access_log /srv/users/serverpilot/log/yourappnamehere/yourappnamehere_nginx.access.log main; 
        error_log /srv/users/serverpilot/log/yourappnamehere/yourappnamehere_nginx.error.log; 

        #proxyset 
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-SSL on; 
        proxy_set_header X-Forwarded-Proto $scheme; 

        #includes 
        include /etc/nginx-sp/vhosts.d/yourappnamehere.d/*.nonssl_conf; 
        include /etc/nginx-sp/vhosts.d/yourappnamehere.d/*.conf; 
} 
  • In above code replace devdude.com with your domain name and yourappnamehere with your serverpilot app’s name. Finally save it by ctrl+o and exit using ctrl+x.
  • Step 9: Restart Nginx and you’re done.
sudo service nginx-sp restart
  • If you’re able to preview your site with https:// then congrats you’ve successfully configured SSL Certificate. If you’r website is down then you might have done something wrong. If you get following error while restarting Nginx server then there is something wrong with your ssl.conf file.

Job for nginx-sp.service failed because the control process exited with error code. See “systemctl status nginx-sp.service” and “journalctl -xe” for details.

To get rid of above error remove yourappname.ssl.conf file by following following steps:

  1. Go to configuration directory: cd /etc/nginx-sp/vhosts.d
  2. Then remove your .ssl.conf file: rm yourappname.ssl.conf
  3. Restart Nginx: sudo service nginx-sp restart

Redirecting HTTP to HTTPS using .htaccess

Add following code in your .htaccess file:

RewriteCond %{HTTP:X-Forwarded-Proto} !=https
RewriteRule (.*) https://%{HTTP_HOST}/$1 [R=302,L]

Bonus for WordPress Users

Install and Activate Really Simple SSL plugin which will do everything like redirecting http to https etc automatically if your SSL is installed successfully.