sudo su - root # NOTE: This has to be run as root. Be very careful!
cd /usr/sbin
wget https://dl.eff.org/certbot-auto
chmod a+x certbot-auto
./certbot-auto
Add the following to your nginx server configuration block vim sites-enabled/yourdomain.com
location ^~ /.well-known/ {
root /usr/share/nginx/html;
}
Add folder for well known mkdir -p /usr/share/nginx/html
Create mkdir -p /etc/letsencrypt && vim /etc/letsencrypt/cli.ini
and add the following template. Make sure to change domains, email, etc options.
# All flags used by the client can be configured here. Run Certbot with
# "--help" to learn more about the available options.
# Use a 4096 bit RSA key instead of 2048
rsa-key-size = 4096
# Uncomment and update to register with the specified e-mail address
# email = foo@example.com
# Uncomment and update to generate certificates for the specified
# domains.
domains = example.com, www.example.com
# Uncomment to use a text interface instead of ncurses
# text = True
authenticator = webroot
webroot-path = /usr/share/nginx/html
Test by running certbot-auto certonly -c /etc/letsencrypt/cli.ini
If everything goes well you should see:
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at
"/etc/letsencrypt/live/example.com/fullchain.pem". Your cert will
expire on 2016-10-27. To obtain a new or tweaked version of this
certificate in the future, simply run certbot-auto again. To
non-interactively renew *all* of your certificates, run
"certbot-auto renew"
- If you lose your account credentials, you can recover through
e-mails sent to deploy@slatedev.com.
- Your account credentials have been saved in your Certbot
configuration directory at /etc/letsencrypt. You should make a
secure backup of this folder now. This configuration directory will
also contain certificates and private keys obtained by Certbot so
making regular backups of this folder is ideal.
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Lets Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
Now add the certs to your nginx server block and your site will be encrypted. vim /opt/nginx/conf/sites-enabled/yourdomain.com
server {
listen 80;
server_name .example.com;
#server_name _; # to match all domains on port 80.
location / {
return 301 https://$host$request_uri;
}
location ^~ /.well-known/ {
root /usr/share/nginx/html;
}
}
server {
listen 443 ssl;
server_name example.com;
ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers HIGH:!aNULL:!MD5;
add_header Strict-Transport-Security "max-age=31536000";
}
Run certbot-auto renew --dry-run
to test that renewals work.
If successful then run crontab -e
and add:
13 22 * * * /usr/sbin/certbot-auto renew --quiet --no-self-upgrade
15 22 * * * service nginx restart
Now your server will check if it needs new certs once a day.