root@jats-science:~# certbot --version
certbot 0.12.0
root@jats-science:~# certbot certonly --webroot --webroot-path=/usr/share/nginx/html -d jats.science -d www.jats.science
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Cert not yet due for renewal
You have an existing certificate that has exactly the same domains or certificate name you requested and isn't close to expiry.
(ref: /etc/letsencrypt/renewal/jats.science.conf)
What would you like to do?
-------------------------------------------------------------------------------
1: Keep the existing certificate for now
2: Renew & replace the cert (limit ~5 per 7 days)
-------------------------------------------------------------------------------
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for jats.science
http-01 challenge for www.jats.science
Using the webroot path /usr/share/nginx/html for all unmatched domains.
Waiting for verification...
Cleaning up challenges
Generating key (2048 bits): /etc/letsencrypt/keys/0001_key-certbot.pem
Creating CSR: /etc/letsencrypt/csr/0001_csr-certbot.pem
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at
/etc/letsencrypt/live/jats.science/fullchain.pem. Your cert will
expire on 2017-08-10. To obtain a new or tweaked version of this
certificate in the future, simply run certbot again. To
non-interactively renew *all* of your certificates, run "certbot
renew"
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
root@jats-science:~# service nginx restart
PS: this old tutorial explains how to do a workaround… But it is not a “plug-and-play procedure”, it is ugly.
The meaning of “certonly” is that it only obtains the certificate and does not install or configure it for you.
In recent versions of Certbot there is now an --nginx option available, parallel to the older --apache, which tries to obtain and install your certificate in Nginx in a comparatively automated way. You are welcome to give this a try and let us know about your experiences, which can also help us to improve the software if you run into any problems.
I believe the version that you got from the Ubuntu PPA is not yet recent enough to include --nginx, although it should be updated soon if you can wait for, I guess, another week or two. Alternatively, you can install the most recent version by a different method
0. Add a VirtualHost to domains. Even when running (HTTP fine), Certbot needs an nginx.conf fragment script (the parser detects server{} clauses and its server_name variables) for each certified domain or subdomain.
2. run command certbot --nginx (as the same ubuntuxenial-nginx instruction), and answered the questions with yes, domains and subdomains… All domains and subdomains detected.
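An added example, not part of any post in this thread and not Certbot's own parser: a simplified pre-check that lists the server_name values found in server{} blocks and reports which requested domains have no matching block, which is the condition step 0 describes. The sample config is constructed, the function names are hypothetical, and only exact names are matched (no wildcard or regex server_name handling, no include files).

```python
import re

# Constructed sample config (not from the thread): one HTTP server block
# naming both hostnames from the log above, plus a catch-all block.
SAMPLE_CONF = """
http {
    server {
        listen 80;
        server_name jats.science www.jats.science;  # both certified names
        root /usr/share/nginx/html;
        location / { try_files $uri $uri/ =404; }
    }
    server {
        listen 80 default_server;
        server_name _;
    }
}
"""

def server_blocks(conf):
    """Yield the body of each `server { ... }` block, tracking nested braces."""
    conf = re.sub(r"#.*", "", conf)  # drop comments (ignores '#' inside quotes)
    for m in re.finditer(r"\bserver\s*\{", conf):
        depth, i = 1, m.end()
        while i < len(conf) and depth:
            depth += {"{": 1, "}": -1}.get(conf[i], 0)
            i += 1
        yield conf[m.end():i - 1]

def server_names(conf):
    """Collect every hostname listed in a server_name directive."""
    names = set()
    for body in server_blocks(conf):
        for m in re.finditer(r"\bserver_name\s+([^;]+);", body):
            names.update(m.group(1).split())
    return names

def missing_domains(conf, wanted):
    """Return the requested domains that no server block names exactly."""
    names = server_names(conf)
    return [d for d in wanted if d not in names]

if __name__ == "__main__":
    wanted = ["jats.science", "www.jats.science"]
    gaps = missing_domains(SAMPLE_CONF, wanted)
    print("server_name values found:", sorted(server_names(SAMPLE_CONF)))
    print("domains without a server block:", gaps or "none")
```

To check a real host, read the file at your own config path into a string and pass it in place of SAMPLE_CONF.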