Isaac Sloan - Lets Encrypt Setup and Auto Renew (NGINX)
Banner700

Lets Encrypt Setup and Auto Renew (NGINX)

Installation and Setup

cd /usr/sbin
wget https://dl.eff.org/certbot-auto
chmod a+x certbot-auto
./certbot-auto

Nginx Configuration

Add the following to your nginx server configuration block vim sites-enabled/yourdomain.com

  location ^~ /.well-known/ {
    root /usr/share/nginx/html;
  }

Add folder for well known mkdir -p /usr/share/nginx/html

LetsEncrypt Configuration

Create mkdir -p /etc/letsencrypt && vim /etc/letsencrypt/cli.ini and add the following template. Make sure to change domains, email, etc options.

# All flags used by the client can be configured here. Run Certbot with
# "--help" to learn more about the available options.

# Use a 4096 bit RSA key instead of 2048
rsa-key-size = 4096

# Uncomment and update to register with the specified e-mail address
# email = foo@example.com

# Uncomment and update to generate certificates for the specified
# domains.
# domains = example.com, www.example.com

# Uncomment to use a text interface instead of ncurses
# text = True

authenticator = webroot
webroot-path = /usr/share/nginx/html

Test by running certbot-auto certonly -c /etc/letsencrypt/cli.ini

If everything goes well you should see:

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at
   "/etc/letsencrypt/live/example.com/fullchain.pem". Your cert will
   expire on 2016-10-27. To obtain a new or tweaked version of this
   certificate in the future, simply run certbot-auto again. To
   non-interactively renew *all* of your certificates, run
   "certbot-auto renew"
 - If you lose your account credentials, you can recover through
   e-mails sent to deploy@slatedev.com.
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Lets Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

Now add the certs to your nginx server block and your site will be encrypted. vim /opt/nginx/conf/sites-enabled/yourdomain.com

server {
  listen         80;
  server_name    .example.com;
  #server_name _; # to match all domains on port 80.

  location / {
    return       301 https://$host$request_uri;
  }
  location ^~ /.well-known/ {
    root /usr/share/nginx/html;
  }
}

server {
  listen 443 ssl;
  server_name example.com;
  ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
  ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
  ssl_protocols       TLSv1 TLSv1.1 TLSv1.2;
  ssl_ciphers         HIGH:!aNULL:!MD5;
  add_header Strict-Transport-Security "max-age=31536000";
}

Auto Renew

comment out the domain line in /etc/letsencrypt/cli.ini and run certbot-auto renew --dry-run to test that renewals work.

If successful then run crontab -e and add:

13 22 * * * /usr/sbin/certbot-auto renew --quiet --no-self-upgrade
15 22 * * * service nginx restart

Now your server will check if it needs new certs once a day.

July 20, 2016
ubuntulinuxnginxsslhttpsletsencrypt
comments powered by Disqus