This document details how I set up LE on my server. Firstly, install the client as described on http://letsencrypt.readthedocs.org/en/latest/using.html and make sure you can execute it. I put it in `/root/letsencrypt`.
As it is not possible to change the ports used for the standalone authenticator and I already have nginx running on ports 80/443, I opted to use the webroot method for each of my domains (note that LE does not issue wildcard certificates by design, so you probably want to get a cert for `www.example.com` and `example.com`).
For this, I placed config files into `/etc/letsencrypt/configs`, named `<domain>.conf`. The files are simple:
```ini
# the domain we want to get the cert for;
# technically it's possible to have multiple of these lines, but it only worked with one domain for me
# (with two lines I only got one cert), so I would recommend separate config files per domain.
domains = www.xrstf.de
# increase key size
rsa-key-size = 4096
# the current closed beta (as of 2015-Nov-07) is using this server
server = https://acme-v01.api.letsencrypt.org/directory
# this address will receive renewal reminders, IIRC
email = someaddresslike-webmaster@xrstf.de
# turn off the ncurses UI, we want this to be run as a cronjob
text = True
# authenticate by placing a file in the webroot (under .well-known/acme-challenge/) and then letting
# LE fetch it
authenticator = webroot
webroot-path = /absolute/path/to/your/webroot/
```
To generate your first cert, open a shell and execute the `letsencrypt-auto` script:
```
# cd /root/letsencrypt
# ./letsencrypt-auto --config /etc/letsencrypt/configs/mydomain.conf certonly
Updating letsencrypt and virtual environment dependencies.......
Running with virtualenv: /root/.local/share/letsencrypt/bin/letsencrypt --config /etc/letsencrypt/configs/mydomain.conf certonly

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at
   /etc/letsencrypt/live/www.xrstf.de/fullchain.pem. Your cert will
   expire on 2016-02-05. To obtain a new version of the certificate in
   the future, simply run Let's Encrypt again.
```
Note the `certonly` command: we only want to issue certificates and don't want the client to fiddle with our nginx config.
Simply update your nginx sites to use the new certificate and private key:
```nginx
server {
    ...
    ssl_certificate     /etc/letsencrypt/live/www.xrstf.de/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/www.xrstf.de/privkey.pem;
    ...
}
```
That's it already.
I put a script in `/etc/cron.monthly`:
```sh
#!/bin/sh
# create new certs, one client run per domain config
cd /root/letsencrypt
# glob the directory instead of parsing `ls` output
for conf in /etc/letsencrypt/configs/*.conf; do
    ./letsencrypt-auto --renew --config "$conf" certonly
done
# make sure nginx picks them up
service nginx restart
```
And now I get new certs on the first of every month. Done.
Simply put new config files into `/etc/letsencrypt/configs` and run the command mentioned above once to get the initial cert.
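A more defensive version of the monthly cron script, added here as an example; it is not the gist's own script. It keeps the gist's layout (client in `/root/letsencrypt`, one `<domain>.conf` per domain in `/etc/letsencrypt/configs`, certificates under `/etc/letsencrypt/live/<domain>/`, all of which are assumptions about your setup) but only calls the client when a certificate is missing or has fewer than 30 days left, and it reloads nginx only after `nginx -t` accepts the configuration, so a bad certificate file cannot take the site down. The renewal threshold and the `RENEW_DAYS`, `list_configs`, `cert_needs_renewal` and `reload_nginx` names are mine.

```shell
#!/bin/sh
# Defensive renewal script (added example, not the gist's own cron script).
# Assumed layout (not confirmed by the page beyond what the gist itself shows):
#   /root/letsencrypt                          the client checkout
#   /etc/letsencrypt/configs/<domain>.conf     one config per domain
#   /etc/letsencrypt/live/<domain>/            where the client stores that domain's cert
set -eu

LE_DIR=/root/letsencrypt
CONF_DIR=/etc/letsencrypt/configs
LIVE_DIR=/etc/letsencrypt/live
RENEW_DAYS=30   # renew when fewer than this many days of validity remain (assumed threshold)

# Print the basename (without .conf) of every config file in $1, one per line.
# A glob handles odd file names and an empty directory; parsing `ls` output does not.
list_configs() {
    dir=$1
    for conf in "$dir"/*.conf; do
        [ -e "$conf" ] || continue          # no match: the glob is left literal, skip it
        name=${conf##*/}
        printf '%s\n' "${name%.conf}"
    done
}

# Return 0 (true) when the certificate at $1 is missing or expires within $2 days.
# `openssl x509 -checkend N` exits 0 only if the cert is still valid N seconds from now.
cert_needs_renewal() {
    cert=$1
    days=$2
    [ -f "$cert" ] || return 0              # no cert yet: first issuance is needed
    if openssl x509 -checkend $((days * 24 * 3600)) -noout -in "$cert" >/dev/null 2>&1; then
        return 1                            # still valid long enough
    fi
    return 0
}

# Reload (not restart) nginx, and only after the configuration including the new
# certificate files passes `nginx -t`; a broken file must not take the site offline.
reload_nginx() {
    nginx -t >/dev/null 2>&1 || { echo "nginx config test failed; not reloading" >&2; return 1; }
    service nginx reload
}

main() {
    cd "$LE_DIR"
    renewed=0
    for domain in $(list_configs "$CONF_DIR"); do
        cert=$LIVE_DIR/$domain/fullchain.pem
        if cert_needs_renewal "$cert" "$RENEW_DAYS"; then
            echo "renewing $domain"
            ./letsencrypt-auto --renew --config "$CONF_DIR/$domain.conf" certonly
            renewed=1
        else
            echo "$domain: certificate valid for more than $RENEW_DAYS days, skipping"
        fi
    done
    [ "$renewed" = 1 ] && reload_nginx
    return 0
}

# Run only when invoked as `sh renew.sh run`, so the functions can also be sourced and tested on their own.
case "${1:-}" in
    run) main ;;
esac
```

Drop it into `/etc/cron.weekly` (or run it daily) rather than monthly: because it checks the remaining validity itself, running it more often costs nothing and gives you several attempts before a certificate actually expires if the CA or your webroot is temporarily unreachable.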
@yves-s I had the same problem as you.
It turns out to be privilege issues.
What if the Nginx service was run by user "www-data", and this user "www-data" had no privilege to run the "bash" command?
If we run the cron script as user "root", it will return a 403 error (forbidden). Usually we set the user to be 'www-data' in Ubuntu distros.
Do you know how to solve it?
B.T.W. I solved it in a lame way: I temporarily set `user root;` in `/etc/nginx/nginx.conf` to let nginx run as root so it can visit the folder `.well-known/acme-challenge/`. This folder was created by the Python script `letsencrypt-auto` and deleted on the fly. It worked but it was lame. The thing is that we need the user `www-data` to run the Python script `letsencrypt-auto`.
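The 403 described in the comment above is a file-permission problem, and the fix is to make the challenge directory readable by the nginx worker user, not to run nginx as root (a root worker turns any nginx bug into a full host compromise). The following script is an added example, written for this page and not part of the gist or of the commenter's setup. It provisions one dedicated, root-owned, world-readable webroot that every server block serves `/.well-known/acme-challenge/` from, checks the "others" permission bits on each directory along the path, and prints the matching nginx `location`. The path `/var/www/letsencrypt` and the function names (`others_can_traverse`, `setup_challenge_dir`, `nginx_challenge_location`, `token_is_readable`) are my own choices; the client writes the real tokens under `<webroot-path>/.well-known/acme-challenge/`, as the gist's config describes.

```shell
#!/bin/sh
# Provision a dedicated, read-only ACME challenge webroot (added example, not from the gist
# or its comments). Assumed, not from the page: /var/www/letsencrypt as the shared webroot.
# The client runs as root and drops token files here; nginx, running as an unprivileged user
# such as www-data, only has to be able to read them. No directory is owned or writable by nginx.
set -eu

WEBROOT=/var/www/letsencrypt

# Return 0 when "others" can read and traverse directory $1 (mode string ends in r-x), else 1.
# `ls -ld` prints e.g. "drwxr-xr-x"; characters 8-10 are the permission bits for "others".
others_can_traverse() {
    dir=$1
    mode=$(ls -ld "$dir" | cut -c8-10)
    [ "$mode" = "r-x" ]
}

# Create <webroot>/.well-known/acme-challenge with 0755 directories along the whole path,
# then verify each one, so a token the root-run client writes here is served with 200, not 403.
# Run as root, `mkdir` leaves the directories root-owned; nginx never needs write access.
setup_challenge_dir() {
    root=$1
    mkdir -p "$root/.well-known/acme-challenge"
    chmod 755 "$root" "$root/.well-known" "$root/.well-known/acme-challenge"
    for d in "$root" "$root/.well-known" "$root/.well-known/acme-challenge"; do
        others_can_traverse "$d" || { echo "bad permissions on $d" >&2; return 1; }
    done
}

# Print the nginx location that serves challenge files from the dedicated webroot.
# Include it in every port-80 server block so a single webroot-path works for all domains;
# `^~` makes it win over regex locations (for example a catch-all redirect to https).
nginx_challenge_location() {
    cat <<EOF
location ^~ /.well-known/acme-challenge/ {
    root $1;
    default_type "text/plain";
}
EOF
}

# Constructed self-check: write a dummy token the way the client would, confirm it is
# world-readable, and remove it again. The real token is written by the client, not here.
token_is_readable() {
    f=$1/.well-known/acme-challenge/selftest-token
    echo "selftest" > "$f"
    chmod 644 "$f"
    mode=$(ls -l "$f" | cut -c8-10)
    rm -f "$f"
    [ "$mode" = "r--" ]
}

# Run only when invoked as `sh acme-webroot.sh run`; otherwise just define the functions.
case "${1:-}" in
    run)
        setup_challenge_dir "$WEBROOT"
        token_is_readable "$WEBROOT"
        nginx_challenge_location "$WEBROOT"
        echo "# set  webroot-path = $WEBROOT/  in every /etc/letsencrypt/configs/<domain>.conf"
        ;;
esac
```

After running it as root, point `webroot-path` in each config at the shared directory and reload nginx; a quick `curl -i http://www.example.com/.well-known/acme-challenge/selftest-token` (with a token file left in place for the test) should answer 200 as `www-data`, without any `user root;` change in `nginx.conf`.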