Let’s Encrypt setup for Apache, NGINX & Node.js

Let's Encrypt

Examples of getting certificates from Let's Encrypt working on Apache, NGINX and Node.js servers.

Obtain certificates

I chose to use the manual method, where you have to make a file available to verify that you own the domain. Follow the instructions given after running:

git clone https://github.com/letsencrypt/letsencrypt
cd letsencrypt
./letsencrypt-auto certonly --manual --email admin@example.com -d example.com

This creates a directory: /etc/letsencrypt/live/example.com/ containing certificate files:

  • cert.pem
  • chain.pem
  • fullchain.pem
  • privkey.pem

Node.js

var https = require('https');
var fs = require('fs');

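// Files written by letsencrypt under /etc/letsencrypt/live/<domain>/
var options = {
  // Private key for the certificate
  key: fs.readFileSync('/etc/letsencrypt/live/example.com/privkey.pem'),
  // Server (leaf) certificate
  cert: fs.readFileSync('/etc/letsencrypt/live/example.com/cert.pem'),
  // Intermediate certificate(s)
  ca: fs.readFileSync('/etc/letsencrypt/live/example.com/chain.pem')
};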

https.createServer(options, function (req, res) {
  res.writeHead(200);
  res.end("hello world\n");
}).listen(8000);

Apache

LoadModule ssl_module libexec/apache2/mod_ssl.so
Listen 443
<VirtualHost *:443>
  ServerName example.com
  SSLEngine on
  SSLCertificateFile "/etc/letsencrypt/live/example.com/cert.pem"
  SSLCertificateKeyFile "/etc/letsencrypt/live/example.com/privkey.pem"
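  # SSLCertificateChainFile is deprecated since Apache 2.4.8; on newer
  # versions, point SSLCertificateFile at fullchain.pem instead.
  SSLCertificateChainFile "/etc/letsencrypt/live/example.com/chain.pem"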
</VirtualHost>

NGINX

server {
    listen              443 ssl;
    server_name         example.com;
    ssl_certificate     /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
}
@radiofrequency

commented Dec 22, 2016

For nginx, add
ssl_trusted_certificate /etc/letsencrypt/live/example.com/chain.pem;

or you'll get validation errors on some Android browsers.

@elievischel

commented Apr 2, 2017

Hello, does it work for all versions of a website, www and non-www?

It didn't work for my website. I have added

server {
    listen              443 ssl;
    server_name         example.com;
    ssl_certificate     /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
}

but it doesn't work for my www version.

Could you give me a little hand with it? :)
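
Added example, not part of the comment above or of the gist: for HTTPS to work on a hostname, that name has to appear both in the certificate and, normally, in `server_name`. This Node.js sketch checks the two for the apex and www names, using constructed certificate fields and the hypothetical helpers `serverNames` and `checkHost`.

```javascript
const tls = require('tls');

// Constructed input: the server block from the comment above.
const apexOnlyConf = `
server {
    listen 443 ssl;
    server_name example.com;
    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
}`;
const bothNamesConf = apexOnlyConf.replace('server_name example.com;',
  'server_name example.com www.example.com;');

// Constructed stand-ins for the fields of a parsed certificate. The first is
// what a request with only "-d example.com" yields; the second assumes the
// certificate was requested with "-d example.com -d www.example.com".
const apexOnlyCert = { subject: { CN: 'example.com' }, subjectaltname: 'DNS:example.com' };
const bothNamesCert = { subject: { CN: 'example.com' },
  subjectaltname: 'DNS:example.com, DNS:www.example.com' };

// Exact names from every server_name directive (wildcard and regex names are
// out of scope for this sketch).
function serverNames(conf) {
  const names = [];
  for (const m of conf.matchAll(/^\s*server_name\s+([^;]+);/gm)) {
    names.push(...m[1].trim().split(/\s+/));
  }
  return names;
}

// Report whether the host is listed in server_name and whether the certificate
// is valid for it. tls.checkServerIdentity() returns undefined on a match and
// an Error otherwise.
function checkHost(host, conf, cert) {
  return {
    host,
    inServerName: serverNames(conf).includes(host),
    inCertificate: tls.checkServerIdentity(host, cert) === undefined,
  };
}

for (const host of ['example.com', 'www.example.com']) {
  console.log(checkHost(host, apexOnlyConf, apexOnlyCert));
  console.log(checkHost(host, bothNamesConf, bothNamesCert));
}
```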

@Magiccamera

commented Jun 1, 2017

I just switched from nginx to apache under direction from my boss (I cringed at the notion... but was easier done than said). Apparently it's straightforward to update your letsencrypt.

To prepare Apache properly for SSL, follow this tutorial for CentOS 7 here:

https://www.digitalocean.com/community/tutorials/how-to-secure-apache-with-let-s-encrypt-on-centos-7
The tutorial feels vague, but there are just a couple of relevant parts you need to do beforehand. I did it ass backwards until I realised I was a total numpty.

Create your vhosts for port 80 for all your domains, start your server and then run sudo certbot --apache and follow the questions. Letsencrypt creates your SSL conf files for you wherever they may reside, such as in /etc/httpd/sites-enabled. It even injects a redirect into your VirtualHost *:80 files, so you need to keep those enabled.

@aclaramunt

commented Feb 25, 2018

I installed letsencrypt for Node.js; when I execute node index.js:

_tls_common.js:85
      c.context.setKey(options.key, options.passphrase);
                ^

Error: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch
    at Error (native)
    at Object.createSecureContext (_tls_common.js:85:17)
    at Server (_tls_wrap.js:776:25)
    at new Server (https.js:26:14)
    at Object.exports.createServer (https.js:47:10)
    at Object.<anonymous> (/home/sites/api-ten2go/index.js:16:7)
    at Module._compile (module.js:570:32)
    at Object.Module._extensions..js (module.js:579:10)
    at Module.load (module.js:487:32)
    at tryModuleLoad (module.js:446:12)

@josezulu

commented Feb 26, 2018

For two weeks I'd banged my head on the interwebs to figure out why Internet Explorer 11 was rejecting the connection to the websocket I had attached to the https server. It was Avast Antivirus blocking it! Only happened in IE11.

Then by chance I realised I wasn't loading the "ca" file on the https options....

Thanks to your post, I know which file I should use for the "ca", since letsencrypt also has a "fullchain" cert.

@ngoma84

commented Apr 3, 2018

For Node.js, in case you get a permission denied error, try:
sudo chmod 755 /etc/letsencrypt/live/
sudo chmod 755 /etc/letsencrypt/archive/
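
Added example, not part of the comment above or of the gist: once live/ and archive/ are opened with chmod 755, the mode of the key file itself is what keeps other local users from reading it. This Node.js sketch checks that on a constructed temporary tree that mimics certbot's layout; `auditPrivkey` and `buildSampleTree` are hypothetical names.

```javascript
const fs = require('fs');
const os = require('os');
const path = require('path');

// Resolve the real key file behind live/<domain>/privkey.pem, then walk up to
// `root`. Every local user can read the key only if each directory on that
// path is o+x and the file itself is o+r.
function auditPrivkey(root, domain) {
  const base = fs.realpathSync(root);
  const key = fs.realpathSync(path.join(base, 'live', domain, 'privkey.pem'));
  const keyMode = fs.statSync(key).mode & 0o777;
  const closedDirs = [];
  for (let dir = path.dirname(key); dir !== base && dir !== path.dirname(dir);
    dir = path.dirname(dir)) {
    if (!(fs.statSync(dir).mode & 0o001)) closedDirs.push(path.relative(base, dir));
  }
  const worldReadable = (keyMode & 0o004) !== 0;
  return {
    key: path.relative(base, key),
    keyMode: keyMode.toString(8),
    worldReadable,
    closedDirs,
    exposed: worldReadable && closedDirs.length === 0,
  };
}

// Constructed tree in a temp directory: live/<domain>/privkey.pem is a
// symlink into archive/<domain>/, and the "key" is a placeholder file.
function buildSampleTree(dirMode, keyMode) {
  const root = fs.mkdtempSync(path.join(os.tmpdir(), 'le-sample-'));
  for (const top of ['live', 'archive']) {
    fs.mkdirSync(path.join(root, top, 'example.com'), { recursive: true });
    fs.chmodSync(path.join(root, top, 'example.com'), 0o755);
    fs.chmodSync(path.join(root, top), dirMode);
  }
  const real = path.join(root, 'archive', 'example.com', 'privkey1.pem');
  fs.writeFileSync(real, 'constructed placeholder, not a real key\n');
  fs.chmodSync(real, keyMode);
  fs.symlinkSync('../../archive/example.com/privkey1.pem',
    path.join(root, 'live', 'example.com', 'privkey.pem'));
  return root;
}

// Closed directories, opened directories with a 644 key, opened with a 600 key.
for (const [dirMode, keyMode] of [[0o700, 0o644], [0o755, 0o644], [0o755, 0o600]]) {
  console.log(auditPrivkey(buildSampleTree(dirMode, keyMode), 'example.com'));
}
```

On a real host, run `auditPrivkey('/etc/letsencrypt', 'example.com')` as root. A narrower alternative to 755 is group access: mode 750 on the directories and 640 on the key, owned by the group the Node.js process runs as.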

@solderjs

commented May 24, 2018

FYI: The Python implementation of "letsencrypt" is now "certbot" and the Node.js implementation is now Greenlock for Web Servers and Greenlock for API Integrations
