# Install Certbot together with its Nginx plugin.
sudo apt install certbot python3-certbot-nginx

# Request the certificate and let Certbot edit the Nginx server block.
# you@example.com and example.com are placeholders for the real contact
# address and domain.
# --redirect, --hsts and --staple-ocsp change how the site is served, not just
# which certificate it uses. Browsers cache an HSTS policy for the max-age the
# header carries, so confirm the whole site works over HTTPS before running this.
sudo certbot --nginx \
  --agree-tos \
  --redirect \
  --hsts \
  --staple-ocsp \
  --email you@example.com \
  -d example.com
<<'END_COMMENT'
Where:
--nginx: Use the Nginx authenticator and installer
--agree-tos: Agree to Let’s Encrypt terms of service
--redirect: Enforce HTTPS by adding 301 redirect.
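--hsts: Enable HTTP Strict Transport Security. This defends against SSL/TLS stripping attacks. Browsers cache the policy for the header's max-age, so make sure the site works fully over HTTPS before enabling it.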
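--staple-ocsp: Enable OCSP Stapling. Stapling only works when the issued certificate carries an OCSP responder URL; Let's Encrypt has announced the end of its OCSP service, so check whether this flag still applies to your certificates.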
--email: Email used for registration and recovery contact.
-d: Followed by a comma-separated list of domain names. You can add up to 100 domain names.
END_COMMENT
# Check the NGINX conf file and edit if necessary:
# enable HSTS (HTTP Strict Transport Security):
# max-age=31536000 is one year; a browser that has seen this header refuses
# plain HTTP for the host until the policy expires, so it is hard to roll back.
# "always" sends the header on error responses as well.
# NOTE(review): nginx does not inherit add_header into a block that declares
# its own add_header, so check location blocks if every response needs it.
add_header Strict-Transport-Security "max-age=31536000" always;
# enable HTTP/2 on the IPv6 and IPv4 TLS listeners
# NOTE(review): nginx 1.25.1 and later deprecate the http2 parameter on listen
# in favour of a separate "http2 on;" directive; confirm against the installed version.
listen [::]:443 ssl http2; # managed by Certbot
listen 443 ssl http2; # managed by Certbot
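# Validate the configuration, then reload NGINX only if the check passed.
# Chaining with && means a failed syntax check is never followed by a reload
# attempt, and the non-zero status of `nginx -t` is what the caller sees.
sudo nginx -t && sudo systemctl reload nginx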