Generate a certificate for your WebServices

In this article we’ll se how to generate a Free SSL certificate with Let’s encrypt,for your web server and webservices API for your applications Android and iPhone.

On this tutorial, we will use CertBot on our Debian server to generate a multi-domain cert.

1 – Install Lets Encrypt

First we need to install the app that make certificates.

In command lines run the following commands in a terminal:

chmod a+x certbot-auto


2 – Generate the SSL certificate

Manual generation:

The best option is to specify the WebRoot in order to allow auto renewal, but in some cases you need to do it manually.

This command will run a temporary local server.

./certbot-auto certonly --manual

Fill your site name with and without « www. », for example:”

Then run the command indicated in the console by the command in a new terminal.

Automatic generation

The automatic choice is the best one because you can renew automatically after.

./certbot-auto certonly --webroot -w /var/www/example-server/ -d -d -d

3- Configuring Nginx

Using Certs generated

Few steps to use generated certificates in the directory « /etc/letsencrypt/live/ »

cd /etc/letsencrypt/live/
cp fullchain.pem key.crt
cp privkey.pem ssl.key

Configure WebServer

Modify your nginx configuration file to enable SSL:

server {
listen 443 ssl;
ssl_certificate /etc/letsencrypt/live/;
ssl_certificate_key /etc/letsencrypt/live/;

3- Configuring Apache

Using Certs generated

Few steps to use generated certificates in the directory « /etc/letsencrypt/live/ »

cd /etc/letsencrypt/live/
cp cert.pem key.crt
cp chain.pem
cp privkey.pem ssl.key

Configure WebServer

Modify your Apache configuration file to enable SSL:

<VirtualHost *>
SSLEngine on
SSLCertificateFile  /etc/letsencrypt/live/

5 – Test the certificate:

It is now crutial to test that your certificate is well installed with the full chain.

Because sometimes it doesn’t work on android beacaus you don’t have the full Cert chain!

openssl s_client -connect

Here is how a good Certificate chain should look like in the openssl output:
Certificate chain
0 s:/
i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
i:/O=Digital Signature Trust Co./CN=DST Root CA X3

5 – Test automatic generation

certbot-auto renew --dry-run

6 – Generate the cron renewal every days!

It is recommanded to run check once or twice per day (it won’t do anything until your certificates are due for renewal or revoked, but running it regularly would give your site a chance of staying online in case a Let’s Encrypt-initiated revocation happened for some reason). Please select a random minute within the hour for your renewal tasks.

If you want to regenerate your certificate, you can do it automatically with the following command (adding a cron job):

$ crontab -e

0 5 * * * certbot-auto renew –quiet –no-self-upgrade && sudo service nginx reload


You now know how to generate a free SSL certificate that work on your server and mobile Android and iPhone.


If you have a 403 error on WordPress during renew

If you use Apache, just create a .htaccess file in your web root: /.well-known/.htaccess with the following content:

# Override overly protective .htaccess in webroot
RewriteEngine On
Satisfy Any