@jhargis
Last active February 15, 2017 03:09
letsencrypt certbot nginx easy setup and renewals

Prerequisites: the letsencrypt CLI tool

This method lets you generate and renew your Let's Encrypt certificates with one command. It is easy to automate so that renewal happens every 60 days, as advised.

You need nginx to answer on port 80 for all the domains you want a certificate for, and to serve the challenge used by letsencrypt under /.well-known/acme-challenge. Then we invoke the letsencrypt command, telling the tool to write the challenge files into the directory used as the root in the nginx configuration.

I redirect all HTTP requests to HTTPS, so my nginx config looks like:

server {
  listen              80;
  listen              [::]:80;
  server_name         example.net example.org;

  # Serve the ACME HTTP-01 challenge files from the webroot letsencrypt writes to.
  location '/.well-known/acme-challenge' {
    default_type        "text/plain";
    root                /tmp/letsencrypt-auto;
  }

  # Everything else goes to HTTPS. $host keeps the hostname the client asked for;
  # $server_name would always be the first name in the server_name list above.
  location / {
    return              301 https://$host$request_uri;
  }
}

This approach means I no longer need to change the nginx config when I add a new domain: if I use server_name *; here, I just create a new certificate with the needed hostname and add a new vhost for that domain listening on 443 only, using the newly generated certificate.

Then, to generate your initial certificate for those domains:

$ export DOMAINS="-d example.net -d example.org"
$ export DIR=/tmp/letsencrypt-auto
$ mkdir -p $DIR && letsencrypt certonly --server https://acme-v01.api.letsencrypt.org/directory -a webroot --webroot-path=$DIR --agree-tos $DOMAINS
$ service nginx reload

The command will output the path to the signed certificate, and you can add it to your nginx configuration as usual. The private key is located in the same directory as the generated fullchain.pem.

A Let's Encrypt cert is valid for 90 days, and it is recommended to renew it every 60 days. Automation is needed here to avoid any expired certificate! To renew your certificate (in a cron job, for example), call the same command with a --renew arg:

$ export DOMAINS="-d example.net -d example.org"
$ export DIR=/tmp/letsencrypt-auto
$ mkdir -p $DIR && letsencrypt --renew certonly --server https://acme-v01.api.letsencrypt.org/directory -a webroot --webroot-path=$DIR --agree-tos $DOMAINS
$ service nginx reload
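As an added example (not part of the original gist, and not the letsencrypt project's own tooling), here is a cron-friendly POSIX sh wrapper around the renewal command above. It assumes the webroot and domains from this gist, that the live certificate lives at /etc/letsencrypt/live/example.net/fullchain.pem (an assumption; the client names that directory after the first -d domain, so check yours), and that the letsencrypt CLI, openssl and nginx are installed. It only reloads nginx when the renewal actually succeeded, and it skips the ACME round-trip entirely while the current certificate still has more than 30 days left, so running it daily from cron is safe and does not trigger needless issuance.

```shell
#!/bin/sh
# Added example: renewal wrapper for cron. Not part of the original gist.
# Assumes the letsencrypt CLI, openssl and nginx are installed and that the
# webroot/domains match the gist above. LIVE_CERT is an assumed path.
set -u

DOMAINS="-d example.net -d example.org"
WEBROOT=/tmp/letsencrypt-auto
LIVE_CERT=/etc/letsencrypt/live/example.net/fullchain.pem   # assumed path
RENEW_WITHIN_DAYS=30

# needs_renewal CERT DAYS
# Returns 0 (true) if CERT is missing, unreadable, or expires within DAYS days;
# returns 1 (false) if it is still valid for longer than that.
# `openssl x509 -checkend N` exits non-zero when the cert expires within N seconds.
needs_renewal() {
    cert=$1
    days=$2
    [ -r "$cert" ] || return 0
    if openssl x509 -checkend $((days * 86400)) -noout -in "$cert" >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# Runs the gist's renewal command. nginx is reloaded only if the renewal
# succeeded, so a failed run never reloads nginx with a half-written lineage.
renew_certificate() {
    mkdir -p "$WEBROOT" || return 1
    # $DOMAINS is intentionally unquoted: it expands to several -d arguments.
    letsencrypt --renew certonly \
        --server https://acme-v01.api.letsencrypt.org/directory \
        -a webroot --webroot-path="$WEBROOT" --agree-tos $DOMAINS ||
        { echo "renewal failed; leaving nginx untouched" >&2; return 1; }
    service nginx reload
}

main() {
    if needs_renewal "$LIVE_CERT" "$RENEW_WITHIN_DAYS"; then
        renew_certificate
    else
        echo "certificate valid for more than $RENEW_WITHIN_DAYS days; nothing to do"
    fi
}

# Only act when invoked as `sh renew-le.sh run`; sourcing the file just defines the functions.
case "${1:-}" in
    run) main ;;
esac
```

Install it as a daily cron entry that runs `sh renew-le.sh run`. Because a missing or unreadable certificate counts as needing renewal, the wrapper also recovers from a deleted or corrupted lineage instead of silently skipping it; the only thing it never does is reload nginx after a failed ACME run.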

You can also get a duplicate certificate by running the same command again with a --duplicate arg.

When completed, you'll see:

 - Congratulations! Your certificate and chain have been saved at
   /etc/letsencrypt/live/example.com/fullchain.pem. Your cert will
   expire on 2017-05-16. To obtain a new or tweaked version of this
   certificate in the future, simply run certbot again. To
   non-interactively renew *all* of your certificates, run "certbot
   renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

Source: https://gist.github.com/renchap/c093702f06df69ba5cac
