Let's Encrypt + Nginx

Install dependencies

sudo apt-get update
sudo apt-get install certbot
sudo apt-get install python3-certbot-nginx

Prepare an empty vhost to validate against Let's Encrypt

Create the file: /etc/nginx/sites-available/sitio.com.ar

server {
    listen 80;
    listen [::]:80;
    root /var/www/html;
    server_name sitio.com.ar;
}

Enable the site

sudo ln -s /etc/nginx/sites-available/sitio.com.ar /etc/nginx/sites-enabled/sitio.com.ar

Check the Nginx configuration and restart

sudo nginx -t 
sudo service nginx restart

Obtain the certificate

sudo certbot --nginx -d sitio.com.ar

When it finishes, certbot prints the following:

Congratulations! You have successfully enabled https://sitio.com.ar

-------------------------------------------------------------------------------------
IMPORTANT NOTES: 

Congratulations! Your certificate and chain have been saved at: 
/etc/letsencrypt/live/sitio.com.ar/fullchain.pem 
Your key file has been saved at: 
/etc/letsencrypt/live/sitio.com.ar/privkey.pem
Your cert will expire on 2020-12-12.

Example file as modified by Certbot

server {
    listen 80 ;
    listen [::]:80 ;
    root /var/www/html;
    server_name  sitio.com.ar;

    listen 443 ssl; # managed by Certbot

    # RSA certificate
    ssl_certificate /etc/letsencrypt/live/sitio.com.ar/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/sitio.com.ar/privkey.pem; # managed by Certbot

    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot

    # Redirect non-https traffic to https
    if ($scheme != "https") {
        return 301 https://$host$request_uri;
    } # managed by Certbot
}

Configure automatic renewal

This configuration applies to all generated certificates.

Edit the file /etc/crontab and add the following line:

0 12     * * *    root     /usr/bin/certbot renew --quiet
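
Cron output is often never read, so a renewal that keeps failing can go unnoticed until the certificate expires. The following script is an added example, not part of the original procedure: it checks how close a certificate is to expiry with openssl. The function names and the 20-day threshold are assumptions chosen for this example; the path in the last comment is the one from the certbot output above.

```shell
#!/bin/sh
# Added example (not from the original page): detect a certificate that is
# not being renewed. Function names and the 20-day default are assumptions.

# cert_status CERT_FILE [DAYS]
# Returns 0 if the certificate stays valid for more than DAYS days,
#         1 if it expires within DAYS days (or has already expired),
#         2 if the file is missing, unreadable or not an X.509 certificate.
cert_status() {
    cert=$1
    days=${2:-20}
    [ -r "$cert" ] || return 2
    # Make sure openssl can parse the file before testing the dates.
    openssl x509 -noout -in "$cert" >/dev/null 2>&1 || return 2
    # -checkend N exits 0 when the certificate is still valid N seconds from now.
    if openssl x509 -checkend "$((days * 86400))" -noout -in "$cert" >/dev/null 2>&1; then
        return 0
    fi
    return 1
}

# check_and_report CERT_FILE [DAYS]
# Prints a single status line (suitable for cron mail or syslog) and returns
# the same code as cert_status.
check_and_report() {
    days=${2:-20}
    rc=0
    cert_status "$1" "$days" || rc=$?
    case $rc in
        0) echo "OK: $1 is valid for more than $days days" ;;
        1) echo "WARNING: $1 expires within $days days; run certbot renew by hand and read its output" ;;
        *) echo "ERROR: cannot read a certificate from $1" ;;
    esac
    return "$rc"
}

# When called with arguments, check that certificate, for example:
#   sh check_cert.sh /etc/letsencrypt/live/sitio.com.ar/fullchain.pem 20
if [ "$#" -gt 0 ]; then
    check_and_report "$@"
fi
```

If the script reports a warning, sudo certbot renew --dry-run exercises the renewal path without replacing the installed certificate.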