Kurt McKee

lessons learned in production

Redirecting www

Posted 1 March 2020 in website

My initial HTTPS setup with Let's Encrypt was just a manually-requested, manually-installed certificate. It worked, but it couldn't be automatically renewed. It also only applied to kurtmckee.org, leaving www.kurtmckee.org out in the cold. Worse, it was impossible to connect to www.kurtmckee.org through HTTP because I enabled HTTP Strict Transport Security.

So, as of today, I've set up certbot so that it automatically renews my certificates, and I've added www.kurtmckee.org as a domain on the certificate. I've also updated my nginx configuration to redirect from www.kurtmckee.org to kurtmckee.org.

Here's a fragment of my certbot renewal configuration file. Note that I had to add the installer line manually, but perhaps you won't have to.

# /etc/letsencrypt/renewal/site.conf

[renewalparams]
authenticator = nginx
installer = nginx

And here's a fragment of my nginx configuration:

# Redirect www.kurtmckee.org to kurtmckee.org.
server {
    server_name www.kurtmckee.org;
    listen 443 ssl http2;
    return 301 https://kurtmckee.org$request_uri;
}


# Redirect all HTTP traffic to HTTPS.
server {
    listen 80;
    return 301 https://kurtmckee.org$request_uri;
}
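A check for the redirect behaviour those two server blocks should produce, as an added example that is not part of the original post. `model_fetch` is a constructed offline stand-in for the configuration above, and all function names are hypothetical.

```python
import http.client
from urllib.parse import urlsplit

CANONICAL = "kurtmckee.org"  # redirect target in the nginx fragment above

def request_uri(url):
    """Path plus query string, i.e. what nginx exposes as $request_uri."""
    u = urlsplit(url)
    return (u.path or "/") + (f"?{u.query}" if u.query else "")

def live_fetch(url):
    """One GET, redirects not followed. HTTPS verifies the cert and hostname."""
    u = urlsplit(url)
    https = u.scheme == "https"
    conn = (http.client.HTTPSConnection if https else http.client.HTTPConnection)(u.netloc, timeout=10)
    try:
        conn.request("GET", request_uri(url))
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()

def model_fetch(url):
    """Constructed offline stand-in for the two server blocks (an assumption)."""
    u = urlsplit(url)
    if u.scheme == "http" or u.hostname == "www." + CANONICAL:
        return 301, f"https://{CANONICAL}{request_uri(url)}"
    return 200, None

def check_redirects(url, fetch=model_fetch, max_hops=5):
    """Follow redirects from url; return a list of problems (empty = OK)."""
    want = f"https://{CANONICAL}{request_uri(url)}"
    problems = []
    for _ in range(max_hops):
        status, location = fetch(url)
        if status not in (301, 302, 303, 307, 308) or not location:
            break
        if status != 301:
            problems.append(f"{url}: expected 301, got {status}")
        if not location.startswith("https://"):
            problems.append(f"{url}: redirect leaves HTTPS: {location}")
        url = location
    else:
        problems.append(f"more than {max_hops} redirects")
    if url != want:
        problems.append(f"ended at {url}, expected {want}")
    return problems

if __name__ == "__main__":
    for start in ("http://kurtmckee.org/", "http://www.kurtmckee.org/a?b=1", "https://www.kurtmckee.org/a"):
        print(start, check_redirects(start) or "OK")
```

Passing `fetch=live_fetch` runs the same check against the real server, where a certificate that does not cover the www name makes the HTTPS hop raise an `ssl.SSLCertVerificationError` instead of returning a redirect.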

I think the next step for the site will be to analyze incoming requests that fail. I don't want people clicking through to my site and seeing a 404 error message for previously valid URLs!