=====This is used for proxying several HTTPS/SSL subdomains to internal hosts behind your firewall using 1 proxy server.=====

=====Install Nginx======
<code>sudo apt-get install nginx</code>

=====Requesting your initial certificate from Let's Encrypt=====
**(Please Modify sub.domain.com to your domain)**


<code>nano /etc/nginx/sites-available/host1</code>

<code>server {
    listen 80;
    server_name sub.domain.com;
     location /.well-known {
   alias /var/www/sub.domain.com/.well-known;
    }

    location / {

    }
}</code>

http://sub.domain.com/.well-known is where the Let's Encrypt servers will look for the answers to the challenges it issues.


=====Activate host1 with Symbolic Link=====

<code>ln -s /etc/nginx/sites-available/host1 /etc/nginx/sites-enabled/host1
service nginx restart</code>

=====Install Certbot=====

<code>wget https://dl.eff.org/certbot-auto
chmod a+x ./certbot-auto
./certbot-auto --help</code>

=====Create the directory for the Acme Challenge=====

<code>mkdir /var/www/sub.domain.com/</code>

=====Issue the certificate=====

<color #ed1c24>(Make sure you are in the directory where you installed Certbot)\\
**(typically: /opt/eff.org/certbot/venv/local/bin/)**</color>

<code>./certbot-auto certonly --webroot -w /var/www/sub.domain.com/ -d sub.domain.com</code>

Your key, certificate, and certificate chain will now be installed in

<code>/etc/letsencrypt/live/sub.domain.com/</code>

=====Configuring nginx to use your certificate=====

**(Please Modify sub.domain.com to your domain)**

<code>nano /etc/nginx/sites-available/host1</code>

=====Add both the HTTPS redirect and the SSL pathes=====

**(Replace Proxy Pass Address with the exact URL IP + Port used internally to reach the server via http)**

<code>server {
    listen 80;
    server_name sub.domain.com;
    rewrite     ^   https://$host$request_uri? permanent;
}

server {
    listen 443 ssl;
    server_name sub.domain.com;

    ssl_certificate /etc/letsencrypt/live/sub.domain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/sub.domain.com/privkey.pem;

    ssl_stapling on;
    ssl_stapling_verify on;

    access_log /var/log/nginx/sub.log combined;

    location /.well-known {
        alias /var/www/sub.domain.com/.well-known;
    }

    location / {
        proxy_pass http://192.168.1.x;
    }
}</code>

<code>service nginx reload</code>

Continue as needed for however many hosts/subdomains you want to Proxy for.

=====Set up autorenewal for Certificates:=====

<code>nano /etc/crontab</code>

=====Add the following line=====

**(Replace folder with the location of your certbot-auto script)**

<code>47 4    * * *   root    /folder/certbot-auto renew --quiet --renew-hook "service nginx reload"</code>