Let's Encrypt our Website

As suggested in the Let's Encrypt Getting Started Guide, I use the Certbot ACME client.

There are many ways to run Certbot. A while ago I installed it locally on my Mac with Homebrew:

$ brew install certbot
==> Downloading https://homebrew.bintray.com/bottles/certbot-0.9.1.sierra.bottle.tar.gz
######################################################################## 100.0%
==> Pouring certbot-0.9.1.sierra.bottle.tar.gz
🍺  /usr/local/Cellar/certbot/0.9.1: 1,969 files, 13.8M
$ mkdir config logs work
$ certbot certonly --config-dir config --logs-dir logs --work-dir work \
    --standalone -d planets.datenkollektiv.de

So far so good. But every now and then you need to renew your certificate. Since this is a rather tedious task, we are going to automate these steps.

Add a task to renew the certificate to your cron job list:

15 0,12 * * * letsencrypt renew -a webroot --webroot-path=/var/www/letsencrypt

and allow plain HTTP access to .well-known in nginx, because the webroot plugin places its challenge files there (usually we forward all HTTP access to HTTPS):

location /.well-known {
    alias /var/www/letsencrypt/.well-known;
}
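
As an added example (not part of the original post), here is a complete port-80 server block for this setup: it serves only the ACME challenge directory over HTTP and redirects every other request to HTTPS. It assumes the webroot /var/www/letsencrypt from the cron job above and the host name from the certbot command, and it narrows the exception from all of .well-known to .well-known/acme-challenge.

```nginx
# Added example: port-80 server block for the webroot renewal setup.
# Assumptions: server_name is taken from the certbot command above and the
# webroot from the cron job; adjust both to your site.
server {
    listen 80;
    listen [::]:80;
    server_name planets.datenkollektiv.de;

    # The webroot plugin writes challenge files to
    # <webroot-path>/.well-known/acme-challenge/<token>.
    # "^~" stops nginx from evaluating regex locations for this prefix.
    location ^~ /.well-known/acme-challenge/ {
        root /var/www/letsencrypt;
        default_type text/plain;   # tokens have no file extension
        try_files $uri =404;       # serve existing files only, nothing else
    }

    # Everything else is still forwarded to HTTPS.
    location / {
        return 301 https://$host$request_uri;
    }
}
```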

Finally, you should test your server with a service like SSL Labs to get an overall impression of your security rating...