If we set up blocks where we expect visitors to use their own devices, we typically want to provide the content over HTTPS. By doing so the visitor will know the content comes from a trusted source. They will also be able to use features on the mobile devices that may be restricted from use over http. E.g. QR scanning, camera etc. There are three main ways to prove for the certificate provider that you are the legal owner in control of a domain name. HTTP-01 challenge, DNS-01 challenge, TLS-ALPN-01. We will not bother about the TLS-ALPN-01, it has rather specific purposes, HTTP-01 will work if the server is published to the internet, e.g. a cloud server. To allow for automatic renewal on server that is not exposed but can access the internet DNS-01 challenge is useful. All it need is a dns provider with an api and a cert-bot plug in for Let's Encrypt that can automatically renew the certificates when required.

The officical certbot plugins maintained by Certbot can be found here

3rd party plugins can be found here.

1. Purchase a suitable domain for your project from a domain registrar.
2. Configure the domain at the registrar to use your DNS provider's name servers.
3. Create an account at a dns provider unless you already have one.
4. Create an api token with the dns provider that the certbot can use to make its api calls. Make its permissions as restricted as possible, we only need control over dns!
5. Create a file to store the api token or secret. Typically stored in an .ini file under /etc/letsencrypt/
6. make sure the necessary cert-bot plugin is installed. Follow the dns providers instructions.
7. run the certbot
8. Configure nginx to handle the incoming requests the way you want.

Digital Ocean as dns provider

Cloud flare as dns provider