@bcremer
Last active May 23, 2016 10:43
Let's Encrypt and Nginx

Let's Encrypt

Using the Let's Encrypt client [certbot](https://certbot.eff.org/) with the webroot plugin behind nginx.

Installation

Install certbot under a regular user account:

wget https://dl.eff.org/certbot-auto
chmod a+x ./certbot-auto

Create a dedicated directory for domain validation and make sure your user has write access to it:

mkdir /var/www/letsencrypt
chown www-data:your-user /var/www/letsencrypt
# the chown alone only sets the group; the group also needs write permission
chmod g+w /var/www/letsencrypt

Create the nginx vhost and the letsencrypt config file. See nginx-vhost.conf and /etc/letsencrypt/configs/some.domain.com below.

Generate cert:

./certbot-auto --config /etc/letsencrypt/configs/some.domain.com certonly

# File: nginx-vhost.conf
server {
    listen 80;
    server_name some.domain.com;

    # Serve the ACME challenge files from the dedicated webroot over plain HTTP.
    # The ^~ prefix match wins over "location /" below, so challenge requests
    # are not redirected to HTTPS (there is no certificate yet on first issue).
    location ^~ /.well-known/acme-challenge/ {
        default_type "text/plain";
        root /var/www/letsencrypt;
    }

    # Hide /acme-challenge subdirectory and return 404 on all requests.
    # It is somewhat more secure than letting Nginx return 403.
    # Ending slash is important!
    location = /.well-known/acme-challenge/ {
        return 404;
    }

    location / {
        return 301 https://$server_name$request_uri;
    }
}

server {
    listen 443 ssl;
    server_name some.domain.com;
    ssl_certificate /etc/letsencrypt/live/some.domain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/some.domain.com/privkey.pem;
    root /var/www/some.domain.com/;
}
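A pre-flight check for the vhost above, added here as an example (it is not part of the gist): it writes a token file where certbot would, fetches it over plain HTTP the way Let's Encrypt does, and fails if the `location /` redirect or a wrong `root` gets in the way. It assumes curl is installed; the webroot and base URL arguments are the values used in the vhost (e.g. /var/www/letsencrypt and http://some.domain.com).

```shell
#!/bin/sh
# Pre-flight check for the webroot setup (added example, not part of the gist).
# Assumes curl is installed. WEBROOT and BASE_URL come from the vhost above.
CHALLENGE_DIR=".well-known/acme-challenge"

# Fetch a URL and print its body. Redirects are not followed (no -L), so a
# 301 to HTTPS from "location /" shows up as a body mismatch below.
fetch_url() {
    curl -fsS "$1"
}

# Random hex token in the shape of an ACME challenge filename.
make_token() {
    od -An -N16 -tx1 /dev/urandom | tr -d ' \n'
}

# acme_preflight WEBROOT BASE_URL
# Writes a token file under WEBROOT/.well-known/acme-challenge/, fetches it via
# BASE_URL, compares the body and removes the file. Returns 0 only on a match.
acme_preflight() {
    webroot=$1
    base_url=$2
    token=$(make_token)
    dir="$webroot/$CHALLENGE_DIR"
    mkdir -p "$dir" || return 2
    printf '%s\n' "preflight-$token" > "$dir/$token" || return 2
    body=$(fetch_url "$base_url/$CHALLENGE_DIR/$token" 2>/dev/null)
    rc=$?
    rm -f "$dir/$token"
    if [ "$rc" -ne 0 ]; then
        echo "FAIL: cannot fetch $base_url/$CHALLENGE_DIR/$token (rc=$rc)" >&2
        return 1
    fi
    if [ "$body" != "preflight-$token" ]; then
        echo "FAIL: body mismatch (redirect, wrong root, or another vhost answered)" >&2
        return 1
    fi
    echo "OK: $base_url/$CHALLENGE_DIR/ is served from $webroot"
}

# Usage: ./acme-preflight.sh /var/www/letsencrypt http://some.domain.com
if [ $# -eq 2 ]; then
    acme_preflight "$1" "$2"
fi
```

Run it before the first `certbot-auto ... certonly` and after any change to the port 80 vhost; a failure here is the same failure Let's Encrypt would report during validation.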

# File: /etc/letsencrypt/configs/some.domain.com
# technically it's possible to have multiple of these lines, but it only worked
# with one domain for me, another one only got one cert, so I would recommend
# separate config files per domain.
domains = some.domain.com
# increase key size (2048 or 4096); keep the comment on its own line
rsa-key-size = 2048
# the current closed beta (as of 2015-Nov-07) is using this server
server = https://acme-v01.api.letsencrypt.org/directory
# this address will receive renewal reminders
email = admin@some.domain.com
# turn off the ncurses UI, we want this to be run as a cronjob
text = True
# authenticate by placing a file in the webroot (under .well-known/acme-challenge/)
# and then letting LE fetch it
authenticator = webroot
webroot-path = /var/www/letsencrypt/