this includes the nginx configs as well as the auto-renewal steps. I took a bunch of these steps from this blog and adapted them to how I like.
simp_le issues three return codes depending on the status of the request.
- 0 if certificate data was created or updated;
- 1 if renewal not necessary;
- 2 in case of errors.
This means commands can be chained like so: simp_le ... && service nginx reload
The nginx reload will only happen if simp_le returns 0, i.e. when a certificate was actually created or updated; an unnecessary renewal (1) or an error (2) leaves nginx untouched.
##make the nginx snippet
This allows simp_le to validate your domain. It could easily be put in a vhost directly, but including the snippet is cleaner.
sudo mkdir /etc/nginx/snippets;
sudo sh -c 'printf "location /.well-known/acme-challenge {\n    allow all;\n    alias /tmp/letsencrypt/.well-known/acme-challenge;\n}\n" > /etc/nginx/snippets/letsencrypt.conf';
-- ##include this in each of your vhosts
Put this inside the server block, just before the closing brace.
include /etc/nginx/snippets/letsencrypt.conf;
-- ##edit your nginx config server block to look like this
Replace ${DOMAIN} with your domain from above. Since nginx doesn't check configs until reload, we can make the config changes before the certificate is generated. This allows us to create the SSL certificate and reload nginx in one command below.
listen 443 ssl default_server;
ssl_stapling on;
ssl_stapling_verify on;
ssl_certificate /etc/nginx/ssl/${DOMAIN}/cert.pem;
ssl_certificate_key /etc/nginx/ssl/${DOMAIN}/key.pem;
ssl_trusted_certificate /etc/nginx/ssl/${DOMAIN}/fullchain.pem;
Make sure your server block also listens on port 80 for plain HTTP, since that is where the acme-challenge requests arrive:
listen 80;
-- ##install simp_le client
sudo git clone https://github.com/kuba/simp_le /opt/simp_le
cd /opt/simp_le
sudo ./bootstrap.sh
sudo ./venv.sh
sudo ln -s $(pwd)/venv/bin/simp_le /usr/local/sbin/simp_le
-- ##request a certificate for a new DOMAIN
DOMAIN=mydomain.com;
sudo mkdir -p /etc/nginx/ssl/${DOMAIN};
sudo chmod 755 /etc/nginx/ssl/${DOMAIN};
cd /etc/nginx/ssl/${DOMAIN};
sudo simp_le -d ${DOMAIN}:/tmp/letsencrypt -f account_key.json -f key.pem -f cert.pem -f fullchain.pem && sudo service nginx reload;
sudo chmod -R 400 /etc/nginx/ssl/${DOMAIN}/*;
-- ##create the renewal script in /usr/local/sbin/certrenew
sudo touch /usr/local/sbin/certrenew;
sudo vim /usr/local/sbin/certrenew;
script contents:
#!/bin/bash
# one subdirectory per domain under /etc/nginx/ssl, named after the domain
for D in /etc/nginx/ssl/*; do
    if [ -d "${D}" ]; then
        DOMAIN=$(/usr/bin/basename "${D}")
        cd /etc/nginx/ssl/"${DOMAIN}"
        # simp_le must be able to overwrite the files; open them up for the run
        chmod -R 600 /etc/nginx/ssl/"${DOMAIN}"/*
        # nginx is reloaded only when simp_le returns 0 (certificate created or updated)
        /usr/local/sbin/simp_le -d "${DOMAIN}":/tmp/letsencrypt -f account_key.json -f key.pem -f cert.pem -f fullchain.pem && service nginx reload
        # lock the key material back down
        chmod -R 400 /etc/nginx/ssl/"${DOMAIN}"/*
    fi
done
Set the script to mode 500 (read and execute for root only, no write bit), so cron can run it but nobody can edit it in place:
sudo chmod 500 /usr/local/sbin/certrenew;
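The loop above reloads nginx once per domain and cannot tell "nothing to renew" from "error". The following is an added example, not the gist's own script: a certrenew variant built on the three simp_le return codes listed at the top of the page, which reloads nginx once only when a certificate actually changed and exits with the number of failed domains so cron reports them. It assumes the gist's paths; the SSL_ROOT, WEBROOT, SIMP_LE and RELOAD_CMD variables are assumptions added so the logic can be exercised against a stub instead of a live ACME run.

```shell
#!/bin/bash
# Added example, not the gist's own certrenew script: a renewal loop that acts on
# simp_le's three exit codes (0 updated, 1 nothing to do, 2 error) instead of a
# bare "&& service nginx reload". Paths follow the gist; the four variables are
# overridable (assumption) so the logic can be exercised against a stub.
SSL_ROOT="${SSL_ROOT:-/etc/nginx/ssl}"
WEBROOT="${WEBROOT:-/tmp/letsencrypt}"
SIMP_LE="${SIMP_LE:-/usr/local/sbin/simp_le}"
RELOAD_CMD="${RELOAD_CMD:-service nginx reload}"

# Map a simp_le exit status to an action name.
classify_rc() {
  case "$1" in
    0) echo reload ;;     # certificate data created or updated
    1) echo unchanged ;;  # renewal not necessary
    2) echo error ;;      # simp_le reported an error
    *) echo unknown ;;    # crash, missing binary, ...: treated as an error below
  esac
}

# Run simp_le for one domain directory and return its exit status. Files are
# opened up for the run and locked back to 400 afterwards, even on failure.
renew_domain() {
  local domain="$1" dir="$SSL_ROOT/$1" rc=0
  chmod -R 600 "$dir"/*
  ( cd "$dir" && "$SIMP_LE" -d "$domain:$WEBROOT" \
      -f account_key.json -f key.pem -f cert.pem -f fullchain.pem ) || rc=$?
  chmod -R 400 "$dir"/*
  return "$rc"
}
# Renew every domain under SSL_ROOT. nginx is reloaded once, only if at least one
# certificate changed; returns the number of failed domains so cron sees a
# non-zero status (and mails the stderr lines) when something broke.
renew_all() {
  local d domain rc changed=0 failed=0
  for d in "$SSL_ROOT"/*/; do
    [ -d "$d" ] || continue
    domain=$(basename "$d"); rc=0; renew_domain "$domain" || rc=$?
    case "$(classify_rc "$rc")" in
      reload)    changed=$((changed + 1)) ;;
      unchanged) ;;
      *)         failed=$((failed + 1))
                 echo "certrenew: $domain: simp_le exit $rc" >&2 ;;
    esac
  done
  [ "$changed" -eq 0 ] || $RELOAD_CMD
  return "$failed"
}
# Only run the loop when installed as /usr/local/sbin/certrenew.
[ "$(basename -- "$0")" != certrenew ] || renew_all
```

With this version the crontab line no longer needs the trailing `|| true`: a non-zero exit is exactly the signal you want cron to mail you about.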
-- ##insert the crontab to check nightly at 1am
sudo crontab -e
PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin
00 1 * * * /usr/local/sbin/certrenew || true