Let's Encrypt & Webserver Proxy

Most Let's Encrypt setups use the webroot plugin to authenticate the domain, but I don't like writing temporary files to my drive. The letsencrypt client also ships a standalone authenticator, which answers the http-01 challenge from its own small HTTP server and skips the webroot entirely. Combined with a proxy rule in the regular web server you can validate all domains without stopping it: configure the web server to forward every request for /.well-known/acme-challenge to 127.0.0.1 port 81, where the standalone authenticator listens for the duration of the challenge. Port 81 never needs to be reachable from the outside and should stay firewalled; the public side of the challenge always arrives on port 80 and is handed to port 81 only locally.

Webserver configuration

nginx

server {
    listen              80;
    server_name         example.com;

    location '/.well-known/acme-challenge' {
        default_type "text/plain";
        proxy_pass  http://127.0.0.1:81$request_uri;
    }

    # optional: redirect everything else to https
    location / {
        return         301 https://$server_name$request_uri;
    }
}

lighttpd

# proxy.server needs mod_proxy; load it if your configuration does not already
server.modules += ( "mod_proxy" )

$HTTP["url"] =~ "^/\.well-known/acme-challenge/" {
    proxy.server = (
            "" => ( (
                    "host" => "127.0.0.1",
                    "port" => 81
                    ) )
            )
}

letsencrypt

Install the letsencrypt Python client from your preferred source.

Run letsencrypt for your domain (the original had a single-dash -domains, which the client does not accept; the flag is --domains, or -d for short):

letsencrypt certonly --agree-tos --email webmaster@example.com \
--standalone-supported-challenges http-01 --http-01-port 81 --domains example.com

The flag --http-01-port is listed in the man page under the following warning:

The following flags are meant for testing purposes only! Do NOT change
them, unless you really know what you're doing!

The warning exists because the CA only ever connects to port 80, so changing the port normally breaks validation. With the proxy rule above the challenge still enters on port 80 and is only forwarded to port 81 on localhost, which is exactly the case the warning asks you to understand. Newer releases renamed the client to certbot and dropped --standalone-supported-challenges in favour of --preferred-challenges http-01; --http-01-port still exists there.
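Before running the real command it is worth proving that the proxy rule actually delivers a challenge request to port 81, because a failed validation counts against the CA's rate limits. The script below is an added example, not code from this gist or from the letsencrypt client: it imitates what the standalone authenticator does during an http-01 challenge by binding a tiny HTTP server on 127.0.0.1:81 that answers /.well-known/acme-challenge/<token> with a key-authorisation string, then fetches that URL through the public hostname and compares the body. The domain, the port, the loopback bind and the token/key-authorisation format are assumptions made for the example.

```python
"""Pre-flight check for the port 81 ACME proxy (added example, not part of
the gist or the letsencrypt client).

Starts a loopback-only responder that serves a single challenge token, then
fetches http://<domain>/.well-known/acme-challenge/<token> through the public
web server. A 200 with the expected body means the proxy rule works.
"""
import secrets
import sys
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

ACME_PATH = "/.well-known/acme-challenge/"


class ChallengeResponder(HTTPServer):
    """Serves exactly one token; every other path is a 404."""

    def __init__(self, bind, token, key_authz):
        super().__init__(bind, ChallengeHandler)
        self.token = token
        self.key_authz = key_authz


class ChallengeHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        if self.path == ACME_PATH + self.server.token:
            body = self.server.key_authz.encode()
            self.send_response(200)
            self.send_header("Content-Type", "text/plain")
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)
        else:
            self.send_error(404)

    def log_message(self, *args):
        pass  # keep the check quiet


def start_responder(token, key_authz, host="127.0.0.1", port=81):
    """Start the responder in a background thread and return the server.

    It binds to 127.0.0.1 only (assumption for this example): the public side
    must come through the proxy, so port 81 is never exposed directly.
    """
    server = ChallengeResponder((host, port), token, key_authz)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def fetch_challenge(base_url, token, timeout=10):
    """GET base_url + ACME_PATH + token and return (status, body).

    HTTP errors yield their status code with an empty body; connection
    failures and timeouts yield (0, "") so a broken proxy is reported, not raised.
    """
    req = urllib.request.Request(base_url + ACME_PATH + token,
                                 headers={"User-Agent": "acme-proxy-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, ""
    except OSError:  # URLError, ConnectionRefusedError, timeout
        return 0, ""


def proxy_works(public_base_url, token, key_authz, port=81):
    """True if the challenge URL under public_base_url reaches the responder."""
    server = start_responder(token, key_authz, port=port)
    try:
        status, body = fetch_challenge(public_base_url, token)
        return status == 200 and body == key_authz
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    domain = sys.argv[1] if len(sys.argv) > 1 else "example.com"
    token = secrets.token_urlsafe(32)
    # Same shape as a real key authorisation (token.thumbprint); the thumbprint is a random stand-in here
    key_authz = token + "." + secrets.token_urlsafe(32)
    ok = proxy_works("http://" + domain, token, key_authz)
    print(("OK" if ok else "FAIL") + ": proxy for " + domain)
    sys.exit(0 if ok else 1)
```

Run it as root (port 81 is privileged) on the web server host, e.g. `python3 acme_proxy_check.py example.com`; a FAIL with status 0 means the request never reached port 81 (missing proxy rule, or a redirect to https catching the acme path), while a 404 means the path arrived but was rewritten on the way.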

letsencrypt config

With a configuration file at /etc/letsencrypt/cli.ini holding the same options, the command shortens to letsencrypt certonly. The authenticator has to be set in the file as well, otherwise the client prompts for one:

# This is an example of the kind of things you can do in a configuration file.
# All flags used by the client can be configured here. Run Let's Encrypt with
# "--help" to learn more about the available options.

# Use a 4096 bit RSA key instead of 2048
rsa-key-size = 4096

# Register with the specified e-mail address
email = webmaster@example.com

# Generate certificates for the specified domains (comma-separated)
domains = example.com

# Use a text interface instead of ncurses
text = True

# Use the standalone authenticator with the http-01 challenge. It normally
# listens on port 80; http-01-port moves it to 81, so the web server must
# proxy /.well-known/acme-challenge to 127.0.0.1:81 for this to work.
authenticator = standalone
standalone-supported-challenges = http-01
http-01-port = 81

# Accept the terms of service, add new names to an existing certificate
# instead of failing, and keep a certificate until it is due for renewal
agree-tos = True
expand = True
keep-until-expiring = True

# Alternative: the webroot authenticator. Replace webroot-path with the
# path to the public_html / webroot folder being served by your web server.
# authenticator = webroot
# webroot-path = /usr/share/nginx/html