How to Setup Nginx with Let's Encrypt using ACME on Ubuntu 20.04

In a previous tutorial, we described how to obtain a free SSL/TLS certificate from Let's Encrypt by using Certbot.

In this tutorial, we would like to show you another way that you can easily obtain and renew a free SSL/TLS certificate from Let's Encrypt by using the script on Ubuntu 20.04.

If you do not yet have a working NGINX web server, here is an easy NGINX installation guide that you can follow.


The shell script automates the issuance and renewal of free certificates from Let's Encrypt. You can get the script either by downloading it directly from the web or by cloning its git project.

Download from the web

Run any of the two commands below to download and execute the script.

$ curl | sh


$ wget -O - | sh

Below is an example of what you can expect when the script executes.

$ wget -O - | sh
 --2021-02-16 11:55:47--
 Resolving (… 2606:4700:3032::6815:223e, 2606:4700:3031::ac43:c710,, …
 Connecting to (|2606:4700:3032::6815:223e|:443… connected.
 HTTP request sent, awaiting response… 200 OK
 Length: unspecified [text/html]
 Saving to: ‘STDOUT’
 [ <=>                ]     937  --.-KB/s    in 0s 
 2021-02-16 11:55:47 (11.8 MB/s) - written to stdout [937]
 % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                  Dload  Upload   Total   Spent    Left  Speed
 100  204k  100  204k    0     0  3350k      0 --:--:-- --:--:-- --:--:-- 3350k
 [Tue 16 Feb 2021 11:55:47 AM UTC] Installing from online archive.
 [Tue 16 Feb 2021 11:55:47 AM UTC] Downloading
 [Tue 16 Feb 2021 11:55:47 AM UTC] Extracting master.tar.gz
 [Tue 16 Feb 2021 11:55:47 AM UTC] It is recommended to install socat first.
 [Tue 16 Feb 2021 11:55:47 AM UTC] We use socat for standalone server if you use standalone mode.
 [Tue 16 Feb 2021 11:55:47 AM UTC] If you don't use standalone mode, just ignore this warning.
 [Tue 16 Feb 2021 11:55:47 AM UTC] Installing to /home/shola/
 [Tue 16 Feb 2021 11:55:47 AM UTC] Installed to /home/shola/
 [Tue 16 Feb 2021 12:05:54 PM UTC] Installing alias to '/home/shola/.bashrc'
 [Tue 16 Feb 2021 12:05:54 PM UTC] OK, Close and reopen your terminal to start using
 [Tue 16 Feb 2021 11:55:47 AM UTC] Installing cron job
 47 0 * * * "/home/shola/"/ --cron --home "/home/shola/" > /dev/null
 [Tue 16 Feb 2021 11:55:47 AM UTC] Good, bash is found, so change the shebang to use bash as preferred.
 [Tue 16 Feb 2021 11:55:48 AM UTC] OK
 [Tue 16 Feb 2021 11:55:48 AM UTC] Install success!

Clone git project

Alternatively, run the commands below one per line, to clone the git project and execute the script.

$ git clone
$ cd
$ ./ --install

Whichever method you choose to use, once you see the "Install success!" message, you may close the terminal window and open it again to validate the installation.

To see usage information, run the next command.

$ -h

You may also run the command below to check the version.

$ --version

Generate a Certificate

To generate a single certificate for a single domain, run the command below.

Replace with your registered domain. Also, replace /var/www/ with your domain's website root folder as appropriate.

$ --issue -d -w /var/www/

For multiple domains/sub-domains that share the same website root folder, you can run the next command to issue a certificate.

$ --issue -d -d -d -w /var/www/

The generated certificates will be stored in ~/

Install Certificate on NGINX using acme

After generating the certificate through the script, the next step is to install it on NGINX. First, create a folder where the generated certificate will be copied to.

$ sudo mkdir -p /etc/nginx/certs/

Run the next command to install the certificate. Do not forget to replace with your registered domain.

$ --install-cert -d --key-file /etc/nginx/certs/ --fullchain-file /etc/nginx/certs/ --reloadcmd "service nginx force-reload"

Update NGINX Server Block File

The final step is to update the server block file for your domain to include the SSL related directives.
Run the command below to edit the server block file.

$ sudo nano /etc/nginx/sites-available/

Next, add the following lines.

listen [::]:443 ssl ipv6only=on;
listen 443 ssl;
ssl_certificate /etc/nginx/certs/;
ssl_certificate_key /etc/nginx/certs/;

After the additions, your server block file should look like what you see in the image below. The new additions are highlighted in red. Also, notice that the listen directives for port 80 have been commented out.

Update NGINX server block file to use SSL
Update NGINX server block file to use SSL

Save changes and close the file.

Restart NGINX with:

$ sudo systemctl restart nginx

Visit your website in a browser to confirm that secure communication is now enabled.

Certificate Renewal

The certificates issued by Let's Encrypt will automatically renew every 60 days.

But you could also manually renew the certificate if you would like to. Run the command below.

$ --renew -d --force

To stop certificate renewal, run the following.

$ --remove -d


It is recommended to always use the latest version of Run the command below to ensure that is updated automatically.

$ --upgrade --auto-upgrade

To disable automatic upgrade for, run the next command.

$ --upgrade --auto-upgrade 0

If you would not like to be automatically upgraded, then use the command below to manually update it.

$ --upgrade


In this guide, we described the steps to obtain and renew free SSL/TLS certificates from Let's Encrypt by using the shell script on Ubuntu. This method is an alternative to using the Certbot tool. We would like to hear about your experience using these tools.

Leave a Comment