Skip to content

Instantly share code, notes, and snippets.

@peshi

peshi/letsencrypt.md

Forked from xrstf/letsencrypt.md
Created December 5, 2015 04:20
Show Gist options
  • Star 0 You must be signed in to star a gist
  • Fork 0 You must be signed in to fork a gist
  • Save peshi/0ae112bff958b63e0fd1 to your computer and use it in GitHub Desktop.
Save peshi/0ae112bff958b63e0fd1 to your computer and use it in GitHub Desktop.
Download ZIP
Let's Encrypt on Ubuntu 14.04, nginx with webroot auth
Raw
letsencrypt.md

Let's Encrypt on Ubuntu 14.04, nginx with webroot auth

This document details how I setup LE on my server. Firstly, install the client as described on http://letsencrypt.readthedocs.org/en/latest/using.html and make sure you can execute it. I put it in /root/letsencrypt.

As it is not possible to change the ports used for the standalone authenticator and I already have a nginx running on port 80/443, I opted to use the webroot method for each of my domains (note that LE does not issue wildcard certificates by design, so you probably want to get a cert for www.example.com and example.com).

Configuration

For this, I placed config files into etc/letsencrypt/configs, named after <domain>.conf. The files are simple:

# the domain we want to get the cert for;
# technically it's possible to have multiple of this lines, but it only worked with one domain for me,
# another one only got one cert, so I would recommend sepaate config files per domain.
domains = www.xrstf.de

# increase key size
rsa-key-size = 4096

# the current closed beta (as of 2015-Nov-07) is using this server
server = https://acme-v01.api.letsencrypt.org/directory

# this address will receive renewal reminders, IIRC
email = someaddresslike-webmaster@xrstf.de

# turn off the ncurses UI, we want this to be run as a cronjob
text = True

# authenticate by placing a file in the webroot (under .well-known/acme-challenge/) and then letting
# LE fetch it
authenticator = webroot
webroot-path = /absolute/path/to/your/webroot/

To generate your first cert, open a shell and execute the letsencrypt-auto script:

# cd /root/letsencrypt
# ./letsencrypt-auto --config /etc/letsencrypt/configs/mydomain.conf certonly
Updating letsencrypt and virtual environment dependencies.......
Running with virtualenv: /root/.local/share/letsencrypt/bin/letsencrypt --config /etc/letsencrypt/configs/mydomain.conf certonly

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at
   /etc/letsencrypt/live/www.xrstf.de/fullchain.pem. Your cert will
   expire on 2016-02-05. To obtain a new version of the certificate in
   the future, simply run Let's Encrypt again.

Note the certonly command: we only want to issue certificates and don't want the client to fiddle with our nginx config.

nginx Integration

Simply update your nginx sites to use the new certificate and private key:

server {
  ...
  
  ssl_certificate /etc/letsencrypt/live/www.xrstf.de/fullchain.pem;
  ssl_certificate_key /etc/letsencrypt/live/www.xrstf.de/privkey.pem;
  
  ...
}

That's it already.

Renewal

I put a script in /etc/cron.monthly:

#!/bin/sh
    
# create new certs
cd /root/letsencrypt
    
for conf in $(ls /etc/letsencrypt/configs/*.conf); do
  ./letsencrypt-auto --renew --config "$conf" certonly
done
    
# make sure nginx picks them up
service nginx restart

And now I get new certs on the first of every month. Done.

Adding new domains

Simply put new config files into /etc/letsencrypt/configs and run the command mentioned above once to get the initial cert.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment