. Download generated config: nginxconfig.io-{{ getDomains().join(',') }}.zip Upload to server's {{ data.directory_nginx.replace(endingSlashRegex, '') }} directory - OR - Copy as Base64 string: Copy to clipboard (echo 'BASE64' | base64 --decode > {{ data.directory_nginx }}nginxconfig.io-{{ getDomains().join(',') }}.zip) Paste from clipboard and run the command . Go to NGINX directory (over SSH): cd {{ data.directory_nginx.replace(endingSlashRegex, '') }} . Backup current configuration: tar -czvf nginx_$(date +'%F_%H-%M-%S').tar.gz nginx.conf sites-available/ sites-enabled/ nginxconfig.io/ . Unzip the uploaded archive: unzip -o nginxconfig.io-{{ getDomains().join(',') }}.zip (you probably need to install unzip: sudo apt-get install unzip). Generate Diffie-Hellman keys: openssl dhparam -out {{ data.directory_nginx }}dhparam.pem {{ sslProfiles[ data.ssl_profile ].dh_param_size }} . Create a common ACME-challenge directory (for Let's Encrypt): mkdir -p {{ data.directory_letsencrypt.replace(endingSlashRegex, '') }} chown {{ data.user }} {{ data.directory_letsencrypt.replace(endingSlashRegex, '') }}. Comment out SSL related directives in configuration: sed -i -r 's/(listen .*443)/\1;#/g; s/(ssl_(certificate|certificate_key|trusted_certificate) )/#;#\1/g' {{ data.directory_nginx }}nginx.conf {{ data.directory_nginx }}sites-{{ isSymlink() ? 'available' : 'enabled' }}/{{ _domain }}.conf . Reload NGINX: sudo nginx -t && sudo systemctl reload nginx . Obtain certificate{{ getDomains().length > 1 ? 's' : '' }}: certbot certonly --webroot -d {{ _domain }} -d www.{{ _domain }} -d cdn.{{ _domain }} --email {{ data.sites[_site].email ? data.sites[_site].email : 'info@' + _domain }} -w {{ data.directory_letsencrypt.replace(endingSlashRegex, '') }} -n --agree-tos --force-renewal . Uncomment SSL related directives in configuration: sed -i -r 's/#?;#//g' {{ data.directory_nginx }}nginx.conf {{ data.directory_nginx }}sites-{{ isSymlink() ? 'available' : 'enabled' }}/{{ _domain }}.conf . Reload NGINX: sudo nginx -t && sudo systemctl reload nginx . Configure Certbot to reload NGINX after success renew: echo -e '#!/bin/bash\nnginx -t && systemctl reload nginx' | sudo tee /etc/letsencrypt/renewal-hooks/post/nginx-reload.sh sudo chmod a+x /etc/letsencrypt/renewal-hooks/post/nginx-reload.sh . Schedule renewing: Certbot will automatically renew any certificates that expire in less than 30 days. Reload NGINX: sudo nginx -t && sudo systemctl reload nginx