First you have to install the client. I like using this one because it is all bash based. As with all my posts, I take no responsibility for anything; this is more of a quick help than a full guide.

I have a script that I use to deploy my WordPress sites. The only thing I recommend if you use it is to add the xmlrpc.php block (a rule that denies requests to xmlrpc.php, a common brute-force and amplification target); I haven't added that to it yet. Here's the link; you're more than welcome to use it. It is always getting updated, so I can't say it is going to be reliable. LINK

Install with the following. Piping a download straight into sh runs whatever the server sends, so if you would rather not take that on faith, download the script, read it, and then run it:

curl | sh

This also installs a cron job that renews your certs automatically; you can see it with crontab -l.

Configure it to auto-upgrade, since it sometimes starts failing when Let's Encrypt changes its API: --upgrade --auto-upgrade

Configure it to use Let's Encrypt instead of ZeroSSL as the default CA: --set-default-ca --server letsencrypt

Now it's time to deploy a cert. There are numerous ways to do this. My preferred way is the Cloudflare DNS API, because validation happens in DNS rather than over HTTP, so you can issue certs for internal hosts that are not reachable from the internet. If you'd like to do it this way you can skip the next block.

If you don't want to use the DNS API you can validate through the web server's document root (webroot). This is somewhat simpler since it doesn't require configuring Cloudflare. The one downside is that if you redirect your domain to HTTPS in NGiNX, you have to change the HTTP config as below so the challenge path is excluded from the redirect.

server {
    listen 80;

    root /usr/share/nginx/html/;

    # Serve ACME challenge files over plain HTTP; this path must not be redirected
    location ^~ /.well-known/acme-challenge/ {
        try_files $uri =404;
    }

    # Everything else goes to HTTPS
    location / {
        return 301 https://$host$request_uri;
    }
}

Then issue against that webroot (with DOMAIN set to the name you want the cert for):

--issue -d "${DOMAIN}" -w /usr/share/nginx/html/

This keeps /.well-known/acme-challenge/ served over plain HTTP from the webroot without going through the HTTPS redirect, which is what the HTTP-01 challenge needs: the CA fetches the challenge file on port 80, and this works before there is any working HTTPS server block at all. The try_files also returns 404 for anything else under that path instead of falling through to the redirect.

We have to create a Cloudflare API token:

  1. Open the profile menu in the upper right hand corner.

  2. Go to "API Tokens".

  3. Click "Create Token".

  4. Click "Create Custom Token" at the bottom of the page.

  5. Assign the following permissions:

     a. Zone.Zone:Read

     b. Zone.DNS:Edit

     c. Under Zone Resources, include only the zone(s) this server needs, so a leaked token can only touch DNS for those zones. You can adjust the other settings if you'd like, but I usually leave them as they are. I like to have a token for each server, so one can be revoked without touching the others.

Now it's time to configure the client to use the DNS API. It reads two environment variables:

CF_Token is the token you just created above.

CF_Account_ID is your Cloudflare account ID, the long hex string in the dashboard URL (the X's in the example below). The account ID is an identifier, not a secret; the token is the secret.

export CF_Token="sdfsdfsdfljlbjkljlkjsdfoiwje"
export CF_Account_ID="xxxxxxxxxxxxx"

Be aware that exporting the token in an interactive shell records it in your shell history, and that the client saves both values in its account config so renewals can run unattended; keep that config readable by root only.
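As an added example (not part of the original post), the following shell functions load CF_Token and CF_Account_ID from a root-only file instead of exporting them inline, so the token never lands in shell history, and sanity-check both values before the client is run with them. The file path, the KEY=value layout, and the format checks (a 32-hex-character account ID, a token of at least 20 characters from [A-Za-z0-9_-]) are my assumptions, not something the post specifies.

```sh
#!/bin/sh
# Load Cloudflare DNS API credentials for the ACME client from a root-only file
# instead of typing "export CF_Token=..." into an interactive shell.
# Assumed file layout (my convention, not the post's): two lines,
#   CF_Token=<token>
#   CF_Account_ID=<32 hex chars>
# Added example; not part of the original post.

# 0 if the file has no group/other permission bits (e.g. 0600).
file_is_private() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Print the value of NAME=value from FILE without sourcing it (sourcing would
# execute anything else the file contains). Surrounding double quotes are stripped.
read_env_var() {
    sed -n "s/^$2=//p" "$1" | head -n 1 | sed 's/^"\(.*\)"$/\1/'
}

# load_cf_creds FILE -> exports CF_Token and CF_Account_ID, or returns 1.
# Format checks are loose sanity checks (assumptions): account IDs are 32 hex
# characters; a token is at least 20 characters of [A-Za-z0-9_-].
load_cf_creds() {
    f=$1
    [ -r "$f" ] || { echo "cannot read $f" >&2; return 1; }
    file_is_private "$f" || { echo "refusing $f: readable by group/other" >&2; return 1; }
    t=$(read_env_var "$f" CF_Token)
    a=$(read_env_var "$f" CF_Account_ID)
    printf '%s' "$t" | grep -Eq '^[A-Za-z0-9_-]{20,}$' \
        || { echo "CF_Token in $f does not look like an API token" >&2; return 1; }
    printf '%s' "$a" | grep -Eq '^[0-9a-f]{32}$' \
        || { echo "CF_Account_ID in $f is not a 32-hex-character account ID" >&2; return 1; }
    CF_Token=$t; CF_Account_ID=$a
    export CF_Token CF_Account_ID
}
```

Usage: create the file as root with mode 0600, then run `load_cf_creds /root/.cf-acme.env` in the same shell before the --issue command from the post; if the file is readable by anyone else, or either value looks malformed, nothing is exported and the function returns 1.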

Now it's time to generate the cert/key (with DOMAIN set to the name you want the cert for): --issue --dns dns_cf -d "${DOMAIN}"

If you want to add more than one name to the cert, repeat -d for each name: --issue --dns dns_cf -d "${DOMAIN}" -d <another-domain>

Assuming it worked, the output shows where the cert/key were written under /root/.acme/. Don't point NGiNX at those files directly; the next step copies them into place and keeps the copies updated on every renewal.

Now it's time to install the cert into NGiNX. This also works with Apache, but the locations will be different.

mkdir -p "/etc/nginx/ssl/${DOMAIN}/"
--install-cert -d "${DOMAIN}" \
    --cert-file "/etc/nginx/ssl/${DOMAIN}/crt" \
    --key-file "/etc/nginx/ssl/${DOMAIN}/key" \
    --fullchain-file "/etc/nginx/ssl/${DOMAIN}/fullchain.crt" \
    --reloadcmd "systemctl reload nginx" \
    --force

The --reloadcmd is remembered and run after every renewal, so NGiNX picks up the renewed cert without intervention. Keep the key file readable by root only (mode 0600); the NGiNX master process reads it as root, so nothing else needs access.

Now it's time to edit your NGiNX config to use these certs. This is the very basic server block; you will still need to add your PHP handlers and root info. Replace <domain> with the directory name used in the install step, and point ssl_certificate at the fullchain file rather than the bare crt so clients that do not have the intermediate cached can still build the chain.

server {
    listen 443 ssl http2;
    root /usr/share/nginx/html/;
    ssl_certificate            /etc/nginx/ssl/<domain>/fullchain.crt;
    ssl_certificate_key        /etc/nginx/ssl/<domain>/key;
}

Now that you've added the required info, check the config:

nginx -t

If this is successful you're good to go. Now you can reload NGiNX:

systemctl reload nginx

or, on systems without systemd:

service nginx reload

Now it should be working. Open your domain in your web browser and check that the cert is issued by Let's Encrypt and that the chain validates.
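The flags used on this page (--issue --dns dns_cf, --install-cert, --set-default-ca) are those of the acme.sh client. The check below is an added example, not code from the post or from acme.sh, and relies only on the file layout the install step produces: fullchain.crt and key in /etc/nginx/ssl/<domain>/. It verifies with openssl that the installed key actually matches the installed certificate, that the key is not readable by group or other, that the cert is not within 14 days of expiry (which would mean the renewal cron is not doing its job), and optionally that the issuer is who you expect. The directory layout and the 14-day threshold are assumptions.

```sh
#!/bin/sh
# Post-deployment check for a cert/key pair installed by --install-cert.
# Assumed layout (matches the install step above): $dir/fullchain.crt and $dir/key.
# Requires openssl on PATH. Added example; not part of the original post.

# SHA-256 of the DER-encoded public key, so a cert and a private key can be compared.
cert_pubkey_fp() {
    openssl x509 -in "$1" -noout -pubkey \
        | openssl pkey -pubin -outform DER \
        | openssl dgst -sha256 | awk '{print $NF}'
}
key_pubkey_fp() {
    openssl pkey -in "$1" -pubout -outform DER \
        | openssl dgst -sha256 | awk '{print $NF}'
}

# 0 if the private key in $2 belongs to the certificate in $1.
cert_key_match() {
    [ "$(cert_pubkey_fp "$1")" = "$(key_pubkey_fp "$2")" ]
}

# 0 if the file has no group/other permission bits (e.g. 0600 or 0400).
file_is_private() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# 0 if the cert is still valid $2 days from now (renewal should have run well before).
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

cert_issuer() {
    openssl x509 -in "$1" -noout -issuer
}

# check_cert_deploy DIR [ISSUER_SUBSTRING] -> 0 if everything is consistent.
check_cert_deploy() {
    dir=$1; want=${2:-}
    cert="$dir/fullchain.crt"; key="$dir/key"; rc=0
    [ -r "$cert" ] && [ -r "$key" ] || { echo "missing $cert or $key" >&2; return 2; }
    cert_key_match "$cert" "$key" \
        || { echo "FAIL: public key in $cert does not match $key" >&2; rc=1; }
    file_is_private "$key" \
        || { echo "FAIL: $key is readable by group/other" >&2; rc=1; }
    cert_valid_for_days "$cert" 14 \
        || { echo "FAIL: $cert expires within 14 days; is the renewal cron running?" >&2; rc=1; }
    if [ -n "$want" ]; then
        case "$(cert_issuer "$cert")" in
            *"$want"*) ;;
            *) echo "FAIL: unexpected issuer: $(cert_issuer "$cert")" >&2; rc=1 ;;
        esac
    fi
    [ "$rc" -eq 0 ] && echo "OK: $cert and $key match, key is private, cert valid for >14 days"
    return "$rc"
}
```

Run it as `check_cert_deploy "/etc/nginx/ssl/${DOMAIN}" "Let's Encrypt"` after the reload, and again from cron a day or two after the first scheduled renewal; a mismatch means --install-cert copied a key that does not belong to the cert NGiNX is serving, and a near-expiry cert with no error means the renewal cron or --reloadcmd is not firing.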