aboutsummaryrefslogtreecommitdiffstats
path: root/roles
diff options
context:
space:
mode:
authorbnewbold <bnewbold@robocracy.org>2016-05-19 19:50:04 -0700
committerbnewbold <bnewbold@robocracy.org>2016-05-19 19:50:08 -0700
commit3d073769c78bd66b6dfbc921627e8572ee7cc8c9 (patch)
treefd617ea0304c10c3408bf6713a0fd889343b4448 /roles
parent95e10bb4c0d69a21dc7fc4179a268fbd824f3bbf (diff)
downloadinfra-3d073769c78bd66b6dfbc921627e8572ee7cc8c9.tar.gz
infra-3d073769c78bd66b6dfbc921627e8572ee7cc8c9.zip
nginx: let's encrypt manual instructions
Need to figure out how to automate this?
Diffstat (limited to 'roles')
-rw-r--r--roles/nginx/HOWTO_letsencrypt.txt63
1 files changed, 63 insertions, 0 deletions
diff --git a/roles/nginx/HOWTO_letsencrypt.txt b/roles/nginx/HOWTO_letsencrypt.txt
new file mode 100644
index 0000000..ada7075
--- /dev/null
+++ b/roles/nginx/HOWTO_letsencrypt.txt
@@ -0,0 +1,63 @@
+
+### Let's Encrypt with nginx and Debian Jessie
+
+Client software is in jessie-backports, so:
+
+ sudo apt-get install letsencrypt -t jessie-backports
+
+Need files to show up for each domain at:
+
+ http://<domain>/.well-known/acme-challenge/<somehash>
+
+So create a global dir with:
+
+ sudo mkdir -p /var/www/letsencrypt
+ sudo chown www-data:www-data /var/www/letsencrypt
+
+And to each domain's nginx config:
+
+ # Let's Encrypt SSL Certs
+ location /.well-known/acme-challenge/ {
+ root /var/www/letsencrypt;
+ autoindex off;
+ }
+
+Don't forget to `nginx reload`.
+
+Then, for each separate certificate (all these domains will end up on the same
+cert), do something like this:
+
+ # Add --dry-run to test...
+ sudo letsencrypt certonly \
+ --non-interactive \
+ --agree-tos \
+ --email webmaster@bnewbold.net \
+ --webroot -w /var/www/letsencrypt \
+ -d bnewbold.net -d www.bnewbold.net \
+ -d goblin.bnewbold.net \
+ -d know.bnewbold.net \
+ -d static.bnewbold.net \
+ -d git.bnewbold.net
+
+The above will yield a cert at the following path (presumably path has the
+first domain name):
+
+ /etc/letsencrypt/live/bnewbold.net/fullchain.pem
+
+Add a daily cronjob to do updates of these certs:
+
+ # first check that updates work: sudo letsencrypt renew
+ sudo crontab -e
+ # add a line like:
+ @daily letsencrypt renew --quiet
+
+Finally, add blocks like in HOWTO_new_site.txt to each domain's nginx config.
+
+
+To force https-only:
+
+ location / {
+ if ($scheme = http) {
+ return 301 https://$server_name$request_uri;
+ }
+ }