This document details how I setup LE on my server. Firstly, install the client as described on http://letsencrypt.readthedocs.org/en/latest/using.html and make sure you can execute it. I put it in /root/letsencrypt
.
As it is not possible to change the ports used for the standalone
authenticator and I already have a nginx running on port 80/443, I opted to use the webroot
method for each of my domains (note that LE does not issue wildcard certificates by design, so you probably want to get a cert for www.example.com
and example.com
).
For this, I placed config files into etc/letsencrypt/configs
, named after <domain>.conf
. The files are simple:
# the domain we want to get the cert for;
# technically it's possible to have multiple of this lines, but it only worked with one domain for me,
# another one only got one cert, so I would recommend sepaate config files per domain.
domains = www.xrstf.de
# increase key size
rsa-key-size = 4096
# the current closed beta (as of 2015-Nov-07) is using this server
server = https://acme-v01.api.letsencrypt.org/directory
# this address will receive renewal reminders, IIRC
email = someaddresslike-webmaster@xrstf.de
# turn off the ncurses UI, we want this to be run as a cronjob
text = True
# authenticate by placing a file in the webroot (under .well-known/acme-challenge/) and then letting
# LE fetch it
authenticator = webroot
webroot-path = /absolute/path/to/your/webroot/
To generate your first cert, open a shell and execute the letsencrypt-auto
script:
# cd /root/letsencrypt
# ./letsencrypt-auto --config /etc/letsencrypt/configs/mydomain.conf certonly
Updating letsencrypt and virtual environment dependencies.......
Running with virtualenv: /root/.local/share/letsencrypt/bin/letsencrypt --config /etc/letsencrypt/configs/mydomain.conf certonly
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at
/etc/letsencrypt/live/www.xrstf.de/fullchain.pem. Your cert will
expire on 2016-02-05. To obtain a new version of the certificate in
the future, simply run Let's Encrypt again.
Note the certonly
command: we only want to issue certificates and don't want the client to fiddle with our nginx config.
Simply update your nginx sites to use the new certificate and private key:
server {
...
ssl_certificate /etc/letsencrypt/live/www.xrstf.de/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/www.xrstf.de/privkey.pem;
...
}
That's it already.
I put a script in /etc/cron.monthly
:
#!/bin/sh
# create new certs
cd /root/letsencrypt
for conf in $(ls /etc/letsencrypt/configs/*.conf); do
./letsencrypt-auto --renew --config "$conf" certonly
done
# make sure nginx picks them up
service nginx restart
And now I get new certs on the first of every month. Done.
Simply put new config files into /etc/letsencrypt/configs
and run the command mentioned above once to get the initial cert.
Great gist. Have a look at my setup for ubuntu 16.04 with LE including nginx config:
https://gist.github.com/dominikwilkowski/435054905c3c7abc2badc92a0acff4ba