Let's Encrypt? NGINX certbot plugin solved

My experience setting up a cert from letsencrypt.org

From the website itself, letsencrypt is described as:

Let’s Encrypt is a free, automated, and open Certificate Authority.

I've previously written about setting up https for my 4d4ms.com domain, but I never really explored using letsencrypt to acquire a certificate. Since I also own and run heavytechnical.com, I decided I'd give letsencrypt a shot with that domain and see how it goes.

I run NGINX in front of my web services that host the websites. The certbot site claims:

The Nginx plugin has been distributed with Certbot since version 0.9.0 and should work for most configurations.

But my experience was different:

$ sudo certbot --nginx
Saving debug log to /var/log/letsencrypt/letsencrypt.log
The requested nginx plugin does not appear to be installed

ohhhh kaaayyyy. How do we install plugins? I couldn't find any documentation for how to install the nginx plugin, but I took a wild guess based on what the documentation says to do to exclude installation of the apache plugin:

$ sudo apt-get install python-certbot-nginx

Looks promising!

# sudo certbot --nginx

Which names would you like to activate HTTPS for?
-------------------------------------------------------------------------------
1: 4d4ms.com
2: heavytechnical.com
-------------------------------------------------------------------------------
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel):

aha!

After answering a couple of questions and accepting the TOS, cerbot acquired a certificate, modified my NGINX configuration to refer to it, added lines to redirect non secure (http) to secure (https) and commented the lines it altered:

listen 443 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/heavytechnical.com/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/heavytechnical.com/privkey.pem; # managed by Certbot
ssl_session_cache shared:le_nginx_SSL:1m; # managed by Certbot
ssl_session_timeout 1440m; # managed by Certbot

ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # managed by Certbot
ssl_prefer_server_ciphers on; # managed by Certbot

ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256 ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-ECDSA-AES128-SHA ECDHE-ECDSA-AES256-SHA ECDHE-ECDSA-AES128-SHA256 ECDHE-ECDSA-AES256-SHA384 ECDHE-RSA-AES128-GCM-SHA256 ECDHE-RSA-AES256-GCM-SHA384 ECDHE-R\
SA-AES128-SHA ECDHE-RSA-AES128-SHA256 ECDHE-RSA-AES256-SHA384 DHE-RSA-AES128-GCM-SHA256 DHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES128-SHA DHE-RSA-AES256-SHA DHE-RSA-AES128-SHA256 DHE-RSA-AES256-SHA256 EDH-RSA-DES-CBC3-SHA"; # managed by Ce\
rtbot

    if ($scheme != "https") {
        return 301 https://$host$request_uri;
    } # managed by Certbot

And there we have it. A newly minted ceritificate that is good for 90 days, at which point I'll have to renew. I haven't yet set up a script to automatically renew the cert, but supposedly that's pretty easy too.

my shiny new certificate