@hollodotme
Last active March 12, 2016 23:26
Retrieve a Let's Encrypt cert only (certonly) for nginx

Example is on Ubuntu 14.04 LTS

1. Stop nginx so that port 80 is free for the standalone authenticator, which binds the challenge port itself

service nginx stop

2. Install the build dependencies and run letsencrypt-auto

apt-get install libffi-dev libssl-dev
git clone https://github.com/letsencrypt/letsencrypt
cd letsencrypt/
./letsencrypt-auto certonly --standalone -d www.domain.de -d sub.domain.de --email mail@domain.de --agree-tos

3. Put the generated certs into your nginx config

The relevant certs will be located at (these are symlinks into /etc/letsencrypt/archive/ that always point at the most recently issued version, so a reload after renewal picks up the new cert):

  • /etc/letsencrypt/live/www.domain.de/fullchain.pem and
  • /etc/letsencrypt/live/www.domain.de/privkey.pem

Edit your nginx vhost and add:

server {
	listen 443 ssl;

	server_name www.domain.de;

	root /var/www/domain.de/public;
	index index.php;

	## SSL config goes here ##

	# fullchain.pem = leaf + intermediate; cert.pem alone leaves the chain incomplete
	ssl_certificate /etc/letsencrypt/live/www.domain.de/fullchain.pem;
	ssl_certificate_key /etc/letsencrypt/live/www.domain.de/privkey.pem;

	ssl_session_timeout 5m;

	# no SSLv3 (POODLE); drop TLSv1/TLSv1.1 as well if you have no legacy clients
	ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
	ssl_ciphers "HIGH:!aNULL:!MD5:!3DES";
	ssl_prefer_server_ciphers on;

	## SSL config end ##

	location / {
		try_files $uri $uri/ /index.php?$args;
	}

	location ~ \.php$ {
		# only hand files that really exist to PHP-FPM (guards against cgi.fix_pathinfo tricks)
		try_files $uri =404;
		fastcgi_split_path_info ^(.+\.php)(/.+)$;
		fastcgi_pass unix:/var/run/php/php7.0-fpm.sock;
		fastcgi_index index.php;
		include fastcgi_params;
	}
}

4. Test the nginx config and start nginx again

nginx -t
service nginx start

5. Automatic renewal

Open crontab with:

crontab -e

Add this line:

0 6 * * * /path/to/letsencrypt/letsencrypt-auto renew --pre-hook "service nginx stop" --post-hook "service nginx start"

This runs a daily check and renews every certificate that is within 30 days of expiry. The renewal reuses the standalone authenticator from step 2, which has to bind the challenge port itself and fails if nginx is listening on it, so nginx must be stopped for the duration: --pre-hook stops it right before a renewal is attempted and --post-hook starts it again afterwards; neither hook runs on days when nothing is due. A plain "renew && service nginx restart" would collide with the running nginx on the port and would also restart nginx every morning even when no certificate changed.
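Before starting nginx on a freshly issued or renewed certificate it is worth checking the files in the live directory. The script below is an added example, not part of the original gist: it verifies that fullchain.pem really carries the intermediate (the author's own correction above), that privkey.pem belongs to the leaf certificate, and whether the leaf is already inside the 30-day renewal window. It needs only the openssl CLI; the live directory path is an assumption and is passed on the command line.

```shell
#!/bin/sh
# check-le-cert.sh -- added example, not part of the original gist.
# Sanity-checks a Let's Encrypt live directory before nginx is (re)started:
#   1. fullchain.pem must contain the leaf AND the intermediate (cert.pem has only the leaf)
#   2. privkey.pem must belong to the leaf certificate
#   3. report whether the leaf is inside the 30-day renewal window
# Needs only the openssl CLI. The live directory is an assumption; pass your own.
set -u

RENEW_WINDOW=$((30 * 24 * 3600))   # letsencrypt-auto renew acts inside 30 days of expiry

# Number of PEM certificates in a bundle (leaf + intermediate => 2 for fullchain.pem).
count_certs() {
	grep -c -- '-----BEGIN CERTIFICATE-----' "$1"
}

# Exit 0 when the private key's public half equals the leaf certificate's public key.
# openssl x509 reads only the first certificate of the bundle, i.e. the leaf.
key_matches() {
	cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 2
	key_pub=$(openssl pkey -in "$2" -pubout) || return 2
	[ "$cert_pub" = "$key_pub" ]
}

# Exit 0 when the leaf expires within $2 seconds (default: the 30-day window).
needs_renewal() {
	window="${2:-$RENEW_WINDOW}"
	! openssl x509 -in "$1" -noout -checkend "$window" >/dev/null
}

# Usage: sh check-le-cert.sh /etc/letsencrypt/live/www.domain.de
main() {
	live="$1"
	rc=0
	n=$(count_certs "$live/fullchain.pem" 2>/dev/null)
	if [ "${n:-0}" -ge 2 ]; then
		echo "ok:   fullchain.pem carries $n certificates (leaf + intermediate)"
	else
		echo "FAIL: fullchain.pem carries ${n:-0} certificate(s); clients would see an incomplete chain"
		rc=1
	fi
	if key_matches "$live/fullchain.pem" "$live/privkey.pem"; then
		echo "ok:   privkey.pem matches the leaf certificate"
	else
		echo "FAIL: privkey.pem does not belong to the leaf certificate (nginx -t reports a key values mismatch)"
		rc=1
	fi
	if needs_renewal "$live/fullchain.pem"; then
		echo "warn: leaf expires within 30 days; letsencrypt-auto renew will reissue it"
	else
		echo "ok:   leaf is valid for more than 30 days"
	fi
	return $rc
}

if [ $# -gt 0 ]; then
	main "$1"
	exit $?
fi
```

Run it as `sh check-le-cert.sh /etc/letsencrypt/live/www.domain.de` after step 2 and again from the renewal post-hook if you want a log line; a non-zero exit means nginx should not be started on that material.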

@hollodotme (Author):
Fixed nginx ssl config, must be fullchain.pem instead of cert.pem to include the intermediate certificate too.
