Suppose you’ve just had your first success with LetsEncrypt. What’s your next step? You probably want to start offering 301 redirects so that everyone gets their content over https instead of http, and then turn on HSTS with a nice long timeout (I recommend a year) so their browsers won’t even try non-https. The HSTS is good for your Qualys score too.

Here’s the rub - unless something has changed, you still need to do the letsencrypt certificate renewals over http:// not https:// - this avoids a circular dependency on http certificates if your certs are expired or nonexistent. So what you really want to do is a selective 301 for everything except stuff that lives in the magic letsencrypt directory.

Here are some config snippets to do both under NGiNX.

For the selective redirect and to serve the challenge out of an alternate directory (many clients want to do this; check your documentation), the following (in the global “server” section) will do nicely.

    server_name localhost ;

    location '/.well-known/acme-challenge' {
            default_type "text/plain";
            root        /tmp/letsencrypt-auto;

    if ( $uri !~ ^/.well-known/acme-challenge/ ) { 
            return 301 https://$host$request_uri;

The HSTS header is even easier, basically it’s one line which one adds in the https “server” section:

    root /home/htdocs ;
    add_header  Strict-Transport-Security "max-age=31536000; includeSubdomains";

Implementation on apache, lighttpd, iis, netscape enterprise server, etc. are left as a (distasteful) exercise to the reader.