@lhl
Last active July 19, 2018 12:22
# How to configure NGINX with LetsEncrypt using the simp_le client

This includes the nginx configs as well as the auto-renewal steps. I took a bunch of these steps from this blog and adapted them to how I like.

simp_le issues three return codes depending on the status of the request:

- 0 if certificate data was created or updated;
- 1 if renewal was not necessary;
- 2 in case of errors.

This means commands can be chained like `simp_le ... && service nginx reload`; the nginx reload will only happen if simp_le returns 0.

## Make the nginx snippet

This allows simp_le to validate your domain. It could easily be put in a vhost directly, but including the snippet is cleaner.

```bash
sudo mkdir /etc/nginx/snippets
# printf rather than echo: echo only expands "\n" under some shells (dash yes, bash no),
# and a single-line config with literal "\n" would not parse
sudo sh -c 'printf "location /.well-known/acme-challenge {\n  allow all;\n  alias /tmp/letsencrypt/.well-known/acme-challenge;\n}\n" > /etc/nginx/snippets/letsencrypt.conf'
```

## Include this in each of your vhosts

Put this at the bottom, inside the server block, just before the closing brace.

```nginx
include /etc/nginx/snippets/letsencrypt.conf;
```

## Edit your nginx config server block to look like this

Replace `${DOMAIN}` with your domain. Since nginx doesn't check configs until reload, we can make the config changes before the certificate is generated. This allows us to create the SSL certificate and reload nginx in one command below.

```nginx
listen 443 ssl default_server;
ssl_stapling on;
ssl_stapling_verify on;
# serve fullchain.pem (leaf + intermediate) rather than cert.pem, which holds only the leaf;
# clients that do not fetch the intermediate themselves cannot validate a leaf-only chain
ssl_certificate /etc/nginx/ssl/${DOMAIN}/fullchain.pem;
ssl_certificate_key /etc/nginx/ssl/${DOMAIN}/key.pem;
ssl_trusted_certificate /etc/nginx/ssl/${DOMAIN}/fullchain.pem;
```

Make sure your server block also listens on :80 for HTTP; the ACME challenge is fetched over plain HTTP.

```nginx
listen 80;
```

## Install the simp_le client

```bash
sudo git clone https://github.com/kuba/simp_le /opt/simp_le
cd /opt/simp_le
sudo ./bootstrap.sh
sudo ./venv.sh
sudo ln -s $(pwd)/venv/bin/simp_le /usr/local/sbin/simp_le
```

## Request a new DOMAIN

```bash
DOMAIN=mydomain.com
sudo mkdir -p /etc/nginx/ssl/${DOMAIN}
sudo chmod 755 /etc/nginx/ssl/${DOMAIN}
# cd is a shell builtin, so "sudo cd" fails; change directory in the current shell
# (simp_le writes its files into the current directory)
cd /etc/nginx/ssl/${DOMAIN}
sudo simp_le -d ${DOMAIN}:/tmp/letsencrypt -f account_key.json -f key.pem -f cert.pem -f fullchain.pem && sudo service nginx reload
sudo chmod -R 400 /etc/nginx/ssl/${DOMAIN}/*
```

## Create the renewal script in /usr/local/sbin/certrenew

```bash
sudo touch /usr/local/sbin/certrenew
sudo vim /usr/local/sbin/certrenew
```

Script contents:

```bash
#!/bin/bash

# Loop over every per-domain directory under /etc/nginx/ssl and let simp_le
# decide whether the certificate needs renewing (exit 0 = renewed, 1 = not due,
# 2 = error). nginx is only reloaded when simp_le exits 0.
for D in /etc/nginx/ssl/*; do
  if [ -d "${D}" ]; then
    DOMAIN=$(/usr/bin/basename "${D}")
    # skip the domain rather than run simp_le in the wrong directory if cd fails
    cd /etc/nginx/ssl/"${DOMAIN}" || continue
    # files must be writable while simp_le updates them
    chmod -R 600 /etc/nginx/ssl/"${DOMAIN}"/*
    /usr/local/sbin/simp_le -d "${DOMAIN}":/tmp/letsencrypt -f account_key.json -f key.pem -f cert.pem -f fullchain.pem && service nginx reload
    # back to read-only
    chmod -R 400 /etc/nginx/ssl/"${DOMAIN}"/*
  fi
done
```

Disable writing to the script so no one can make changes:

```bash
sudo chmod 500 /usr/local/sbin/certrenew
```

## Insert the crontab to check nightly at 1am

```bash
sudo crontab -e
```

Add these lines:

```cron
PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin
00 1 * * * /usr/local/sbin/certrenew || true
```
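As an added example that is not part of the gist, here is a stricter version of the certrenew loop: it acts on each of the three simp_le exit codes listed above, reloads nginx once (only after `nginx -t` passes) and exits non-zero when any domain fails so cron reports it. The environment variables SSL_ROOT, SIMP_LE, CHALLENGE_DIR, NGINX_TEST_CMD and NGINX_RELOAD_CMD are my own additions for testability and default to the paths used on this page.

```shell
#!/bin/sh
# Renewal wrapper built on simp_le's exit codes (0 renewed, 1 not due, 2 error).
# Compared with the certrenew script above it reloads nginx once, only after a
# config check, reports errors instead of hiding them behind "|| true", and runs
# each domain in a subshell so a failed cd cannot leave simp_le writing into the
# wrong directory. Command paths come from environment variables (assumed names).

renew_all() {
    ssl_root=${SSL_ROOT:-/etc/nginx/ssl}
    simp_le=${SIMP_LE:-/usr/local/sbin/simp_le}
    challenge=${CHALLENGE_DIR:-/tmp/letsencrypt}
    test_cmd=${NGINX_TEST_CMD:-nginx -t}
    reload_cmd=${NGINX_RELOAD_CMD:-service nginx reload}
    renewed=0; failed=0

    for d in "$ssl_root"/*/; do
        [ -d "$d" ] || continue
        domain=$(basename "$d")
        # Files are writable only while simp_le runs, then locked down again
        # whatever its exit status was.
        find "$d" -maxdepth 1 -type f -exec chmod 600 {} +
        rc=0
        ( cd "$d" && "$simp_le" -d "$domain:$challenge" \
            -f account_key.json -f key.pem -f cert.pem -f fullchain.pem ) || rc=$?
        find "$d" -maxdepth 1 -type f -exec chmod 400 {} +
        case $rc in
            0) echo "certrenew: $domain renewed"; renewed=$((renewed + 1)) ;;
            1) echo "certrenew: $domain not due for renewal" ;;
            *) echo "certrenew: $domain failed (simp_le exit $rc)" >&2
               failed=$((failed + 1)) ;;
        esac
    done

    # One reload, and only after a config check, so a broken vhost does not
    # take nginx down at 1am.
    if [ "$renewed" -gt 0 ]; then
        if $test_cmd; then
            $reload_cmd || failed=$((failed + 1))
        else
            echo "certrenew: nginx config check failed, reload skipped" >&2
            failed=$((failed + 1))
        fi
    fi
    # Non-zero exit makes cron mail the output instead of hiding it.
    [ "$failed" -eq 0 ]
}

# Run the loop only when executed as the installed script.
case "$0" in certrenew|*/certrenew) renew_all ;; esac
```

If you install this as /usr/local/sbin/certrenew, drop the `|| true` from the crontab line so that a failed renewal actually produces cron mail.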