certbot.JPGIn December 2016, I wrote a post on this blog about StartCom SSL free certificates. StartCom (and WoSign) aren't trusted anymore.

If Internet Explorer and Edge are trusting StartSSL root certificates, this is not the case with Google Chrome. I had to move to another product. Letsencrypt is the Certificate Authority of choice : they are :

  • free
  • trusted by most internet browsers
  • providing even SAN certificates
  • supported by majors companies
  • but very short time limited! (by design)

This web server is running nginx on debian (Jessie) and is hosted at exoscale, a swiss cloud provider. I installed Certbot (an ACME client to request the certificate and to automotically renew it). It worked like a charm!

Here are some basic steps I needed to do, in order to have it running:

Add the following line in the file /etc/apt/sources.list

deb http://ftp.debian.org/debian jessie-backports main

Follow the instructions here (for nginx on debian Jessie). For other configurations, you will find the instructions here.

Then, don't forget to backup :

  1. your new nginx configuration file(s)
  2. Letsencrypt directory, under /etc/letsencrypt

Lastly, check the cron will run, as specified under:


The log files are available in:


My config is available in a github repository and the last qualys check gave the result A+.


Some links: