@teror4uks
Last active February 22, 2018 09:27
Install Let's Encrypt certificate on new hosts

Description

I use https://github.com/lukas2511/dehydrated to automate updating SSL certificates on hosts.

Environment

  1. Create a new user to handle the Let's Encrypt SSL certificates

sudo adduser --system --home /opt/dehydrated dehydrated

1.1 Add the user to the www-data group if your nginx runs as that user; otherwise do the same for whichever user your nginx runs as

sudo usermod -a -G www-data dehydrated

  2. Log in as the new user

sudo -u dehydrated -s

  3. Clone the repo into the home directory (all later paths assume the clone lives at /opt/dehydrated/dehydrated)

cd /opt/dehydrated
git clone https://github.com/lukas2511/dehydrated

  4. Create a folder in /var/www/ with permissions drwxrwx---, owned by dehydrated:www-data (dehydrated writes the challenge files there, nginx reads them)

sudo mkdir -m 770 /var/www/dehydrated
sudo chown dehydrated:www-data /var/www/dehydrated

  5. Add the contact email to the config file, and point WELLKNOWN at the folder from step 4 (it must be the directory nginx serves under /.well-known/acme-challenge in step 7.1; otherwise dehydrated writes the challenge files to its default .acme-challenges directory and validation fails with the error shown in 8.2)

echo 'CONTACT_EMAIL="your@email.com"' > /opt/dehydrated/dehydrated/config
echo 'WELLKNOWN="/var/www/dehydrated"' >> /opt/dehydrated/dehydrated/config

  6. Add the domain name to the domains file domains.txt, for example example.com

echo "example.com" >> /opt/dehydrated/dehydrated/domains.txt

  7. Add the following to your nginx configuration (nginx.conf):

7.1 Redirect all requests to port 443, except the one URI Let's Encrypt uses to validate the certificate:

server {
    listen 80;
    server_name example.com;

    root /var/www/dehydrated;

    location / {
        return 301 https://$host$request_uri;
    }

    location /.well-known/acme-challenge {
        allow all;
        alias /var/www/dehydrated;
    }
}

7.2 Add the SSL settings inside the server block for port 443:

server {
    listen 443 ssl;
    server_name example.com www.example.com;

    # On the first run no certificate exists yet, so leave these two lines commented out;
    # uncomment them once the certificate has been generated (step 8) and reload nginx.
    # ssl_certificate /opt/dehydrated/dehydrated/certs/example.com/fullchain.pem;
    # ssl_certificate_key /opt/dehydrated/dehydrated/certs/example.com/privkey.pem;

    ssl_session_timeout 5m;

    ssl_prefer_server_ciphers on;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";

    # ... other settings (root, locations, etc.) ...
}

Note that TLSv1 and TLSv1.1 are deprecated: on a current deployment restrict ssl_protocols to TLSv1.2 and later and drop the 3DES (DES-CBC3) suites from ssl_ciphers.

  8. If everything is set up correctly, run the script from the clone directory as the dehydrated user

cd /opt/dehydrated/dehydrated
./dehydrated --cron

8.1 Output if everything is OK:

# INFO: Using main config file /opt/dehydrated/config
Processing getweekend.octweb.ru
 + Checking domain name(s) of existing cert... unchanged.
 + Checking expire date of existing cert...
 + Valid till May 19 08:48:59 2018 GMT (Longer than 30 days). Ignoring because renew was forced!
 + Signing domains...
 + Generating private key...
 + Generating signing request...
 + Requesting challenge for example.com...
 + Responding to challenge for example.com...
 + Challenge is valid!
 + Requesting certificate...
 + Checking certificate...
 + Done!
 + Creating fullchain.pem...
 + Using cached chain!
 + Done!

8.2 If there is an error, it is shown in JSON format, for example:

ERROR: Challenge is invalid! (returned: invalid) (result: {
  "type": "http-01",
  "status": "invalid",
  "error": {
    "type": "urn:acme:error:unauthorized",
    "detail": "Invalid response from http://example.com/.well-known/acme-challenge/DO_-4wyfkK-5UcOZ8wLb5L"",
    "status": 403
  },

Check that the www-data user (nginx) can read the folder /var/www/dehydrated and that the dehydrated user can write to it, i.e. the drwxrwx--- dehydrated:www-data permissions from step 4.
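The 8.2 error can be reproduced without involving the CA: write a throw-away token into the challenge folder and fetch it over plain HTTP the same way Let's Encrypt does. The following pre-flight script is an added example, not part of the gist or of dehydrated; it assumes the gist's layout (webroot /var/www/dehydrated, domain example.com), both overridable through environment variables or arguments, and that curl is installed.

```shell
#!/bin/sh
# Added example, not part of the gist: pre-flight check for the HTTP-01
# challenge path before running "./dehydrated --cron". Assumed defaults come
# from the gist and can be overridden via environment or arguments.
WEBROOT="${WEBROOT:-/var/www/dehydrated}"
DOMAIN="${DOMAIN:-example.com}"

# check_webroot DIR: succeed only if DIR exists, the current user (dehydrated)
# can write to it and the group (www-data) has rwx, i.e. the drwxrwx--- of step 4.
check_webroot() {
    dir="$1"
    [ -d "$dir" ] || { echo "missing directory: $dir" >&2; return 1; }
    [ -w "$dir" ] || { echo "not writable by $(id -un): $dir" >&2; return 1; }
    case "$(ls -ld "$dir")" in
        d???rwx*) ;;
        *) echo "group needs rwx (expected drwxrwx---): $dir" >&2; return 1 ;;
    esac
}

# make_token: 32-character URL-safe random file name, the alphabet ACME uses
# for challenge files (constructed locally; it is not a real ACME token).
make_token() {
    head -c 24 /dev/urandom | base64 | tr '+/' '-_' | tr -d '=\n'
}

# probe_challenge DOMAIN DIR: write a token file into DIR and fetch it the way
# the CA does, over plain HTTP under /.well-known/acme-challenge/. A 301 or 403
# here is exactly the "Invalid response" failure from 8.2, caught before the
# CA sees it. The token file is removed whether or not the fetch succeeds.
probe_challenge() {
    domain="$1"; dir="$2"
    token=$(make_token) || return 2
    body="probe-$token"
    printf '%s' "$body" > "$dir/$token" || return 2
    got=$(curl -fsS --max-time 10 "http://$domain/.well-known/acme-challenge/$token")
    rc=$?
    rm -f "$dir/$token"
    if [ "$rc" -ne 0 ]; then
        echo "fetch failed (curl exit $rc): http://$domain/.well-known/acme-challenge/$token" >&2
        return 1
    fi
    [ "$got" = "$body" ] || { echo "served unexpected content for the token" >&2; return 1; }
}

# Usage: sh acme_preflight.sh DOMAIN [WEBROOT]   (runs only when given arguments)
if [ "$#" -ge 1 ]; then
    check_webroot "${2:-$WEBROOT}" && probe_challenge "$1" "${2:-$WEBROOT}" \
        && echo "OK: $1 is ready for dehydrated"
fi
```

Run it as the dehydrated user (`sh acme_preflight.sh example.com`) after step 7 and before step 8: a failing `check_webroot` points at the permissions from step 4, a failing fetch at the nginx location block from 7.1 (a redirect to https, or a 403 because nginx cannot read the folder).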

  9. After the certificate has been created, add the script to the new user's crontab so that it is renewed automatically in the future

9.1 Edit the crontab (as the dehydrated user):

crontab -e

9.2 Add this line (the script lives inside the clone, see step 3):

0 1 * * * /opt/dehydrated/dehydrated/dehydrated --cron
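A cron entry that silently stops working is the usual way a Let's Encrypt site ends up with an expired certificate, so it is worth pairing it with a watchdog. The script below is an added example, not part of the gist or of dehydrated: it reads the certificate dehydrated wrote for a domain and warns when fewer days remain than the nightly run should ever allow. It assumes the gist's layout (/opt/dehydrated/dehydrated/certs/<domain>/cert.pem), openssl on the host, and GNU date for parsing the notAfter string. It checks the file on disk only; nginx reads certificate files at start and reload, so a renewed file is served only after nginx is reloaded.

```shell
#!/bin/sh
# Added example, not part of the gist: renewal watchdog for the cron job.
# Assumed paths follow the gist; CERT_DIR and WARN_DAYS can be overridden.
CERT_DIR="${CERT_DIR:-/opt/dehydrated/dehydrated/certs}"
# dehydrated renews once fewer than 30 days remain (see the 8.1 output), so a
# certificate with 14 or fewer days left means renewal has been failing for
# more than two weeks.
WARN_DAYS="${WARN_DAYS:-14}"

# enddate_to_epoch "notAfter=May 19 08:48:59 2018 GMT": the line printed by
# "openssl x509 -noout -enddate", converted to a Unix timestamp (GNU date).
enddate_to_epoch() {
    date -u -d "${1#notAfter=}" +%s
}

# days_left NOW_EPOCH END_EPOCH: whole days remaining (truncated).
days_left() {
    echo $(( ($2 - $1) / 86400 ))
}

# verdict NOW_EPOCH END_EPOCH: "expired" once END has passed, "warn" when
# WARN_DAYS or fewer remain, otherwise "ok".
verdict() {
    if [ "$2" -le "$1" ]; then
        echo expired
    elif [ "$(days_left "$1" "$2")" -le "$WARN_DAYS" ]; then
        echo warn
    else
        echo ok
    fi
}

# check_cert FILE [NOW_EPOCH]: print the verdict for a PEM certificate; the
# exit status is 0 only for "ok", so cron mails the output on any problem.
check_cert() {
    file="$1"; now="${2:-$(date -u +%s)}"
    end=$(enddate_to_epoch "$(openssl x509 -in "$file" -noout -enddate)") || return 2
    state=$(verdict "$now" "$end")
    echo "$state: $file, $(days_left "$now" "$end") day(s) left"
    [ "$state" = ok ]
}

# Usage: sh cert_watchdog.sh example.com   (runs only when given a domain)
if [ "$#" -ge 1 ]; then
    check_cert "$CERT_DIR/$1/cert.pem"
fi
```

A second crontab line such as `0 2 * * * /opt/dehydrated/cert_watchdog.sh example.com` (a constructed path for this example) runs it an hour after the renewal attempt; because cron mails any output from a job that prints, a "warn" or "expired" line reaches the user's mailbox while there is still time to fix the problem.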

That's all. Good luck
