author | bnewbold <bnewbold@robocracy.org> | 2016-05-19 19:50:04 -0700
committer | bnewbold <bnewbold@robocracy.org> | 2016-05-19 19:50:08 -0700
commit | 3d073769c78bd66b6dfbc921627e8572ee7cc8c9 (patch)
tree | fd617ea0304c10c3408bf6713a0fd889343b4448 /roles/nginx
parent | 95e10bb4c0d69a21dc7fc4179a268fbd824f3bbf (diff)
download | infra-3d073769c78bd66b6dfbc921627e8572ee7cc8c9.tar.gz infra-3d073769c78bd66b6dfbc921627e8572ee7cc8c9.zip
nginx: let's encrypt manual instructions
Need to figure out how to automate this?
Diffstat (limited to 'roles/nginx')
-rw-r--r-- | roles/nginx/HOWTO_letsencrypt.txt | 63 |
1 files changed, 63 insertions, 0 deletions
diff --git a/roles/nginx/HOWTO_letsencrypt.txt b/roles/nginx/HOWTO_letsencrypt.txt new file mode 100644 index 0000000..ada7075 --- /dev/null +++ b/roles/nginx/HOWTO_letsencrypt.txt @@ -0,0 +1,63 @@ + +### Let's Encrypt with nginx and Debian Jessie + +Client software is in jessie-backports, so: + + sudo apt-get install letsencrypt -t jessie-backports + +Need files to show up for each domain at: + + http://<domain>/.well-known/acme-challenge/<somehash> + +So create a global dir with: + + sudo mkdir -p /var/www/letsencrypt + sudo chown www-data:www-data /var/www/letsencrypt + +And to each domain's nginx config: + + # Let's Encrypt SSL Certs + location /.well-known/acme-challenge/ { + root /var/www/letsencrypt; + autoindex off; + } + +Don't forget to `nginx reload`. + +Then, for each separate certificate (all these domains will end up on the same +cert), do something like this: + + # Add --dry-run to test... + sudo letsencrypt certonly \ + --non-interactive \ + --agree-tos \ + --email webmaster@bnewbold.net \ + --webroot -w /var/www/letsencrypt \ + -d bnewbold.net -d www.bnewbold.net \ + -d goblin.bnewbold.net \ + -d know.bnewbold.net \ + -d static.bnewbold.net \ + -d git.bnewbold.net + +The above will yield a cert at the following path (presumably path has the +first domain name): + + /etc/letsencrypt/live/bnewbold.net/fullchain.pem + +Add a daily cronjob to do updates of these certs: + + # first check that updates work: sudo letsencrypt renew + sudo crontab -e + # add a line like: + @daily letsencrypt renew --quiet + +Finally, add blocks like in HOWTO_new_site.txt to each domain's nginx config. + + +To force https-only: + + location / { + if ($scheme = http) { + return 301 https://$server_name$request_uri; + } + } |
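Review bot: the daily `@daily letsencrypt renew --quiet` cron line never reloads nginx, so a renewed `/etc/letsencrypt/live/bnewbold.net/fullchain.pem` is not picked up by the running worker processes until someone reloads by hand, and the site keeps serving the old certificate until it expires; chain a reload onto the cron entry (for example `@daily letsencrypt renew --quiet && systemctl reload nginx`) or at least document the reload next to it. Two smaller points in the same hunk: `nginx reload` is not a valid nginx invocation, the reload command is `nginx -s reload` (or `systemctl reload nginx` on Jessie); and in the https-only block `$server_name` expands to the first name in the server block's `server_name` directive, so with all of these domains on one server block a request for `www.bnewbold.net` is redirected to `https://bnewbold.net/...`, which is probably not intended, so use `$host` to preserve the requested name. A dedicated `listen 80` server block with `return 301 https://$host$request_uri;` is also cleaner than an `if` inside `location /`; if you move to that layout, keep the `/.well-known/acme-challenge/` location in the port-80 block so the webroot challenge still works over plain http.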