-rw-r--r-- | roles/nginx/HOWTO_letsencrypt.txt | 63 |
1 files changed, 63 insertions, 0 deletions
diff --git a/roles/nginx/HOWTO_letsencrypt.txt b/roles/nginx/HOWTO_letsencrypt.txt new file mode 100644 index 0000000..ada7075 --- /dev/null +++ b/roles/nginx/HOWTO_letsencrypt.txt @@ -0,0 +1,63 @@ + +### Let's Encrypt with nginx and Debian Jessie + +Client software is in jessie-backports, so: + + sudo apt-get install letsencrypt -t jessie-backports + +Need files to show up for each domain at: + + http://<domain>/.well-known/acme-challenge/<somehash> + +So create a global dir with: + + sudo mkdir -p /var/www/letsencrypt + sudo chown www-data:www-data /var/www/letsencrypt + +And to each domain's nginx config: + + # Let's Encrypt SSL Certs + location /.well-known/acme-challenge/ { + root /var/www/letsencrypt; + autoindex off; + } + +Don't forget to `nginx reload`. + +Then, for each separate certificate (all these domains will end up on the same +cert), do something like this: + + # Add --dry-run to test... + sudo letsencrypt certonly \ + --non-interactive \ + --agree-tos \ + --email webmaster@bnewbold.net \ + --webroot -w /var/www/letsencrypt \ + -d bnewbold.net -d www.bnewbold.net \ + -d goblin.bnewbold.net \ + -d know.bnewbold.net \ + -d static.bnewbold.net \ + -d git.bnewbold.net + +The above will yield a cert at the following path (presumably path has the +first domain name): + + /etc/letsencrypt/live/bnewbold.net/fullchain.pem + +Add a daily cronjob to do updates of these certs: + + # first check that updates work: sudo letsencrypt renew + sudo crontab -e + # add a line like: + @daily letsencrypt renew --quiet + +Finally, add blocks like in HOWTO_new_site.txt to each domain's nginx config. + + +To force https-only: + + location / { + if ($scheme = http) { + return 301 https://$server_name$request_uri; + } + } |
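Review bot: the renewal cron line `@daily letsencrypt renew --quiet` never reloads nginx, so a renewed certificate sits unused in /etc/letsencrypt/live/ while the running server keeps serving the old one until it expires; append a reload to the renewal, either `--post-hook "service nginx reload"` if this client version supports hooks, or `&& service nginx reload` on the cron line (the same applies to the earlier "Don't forget to `nginx reload`", which is not a command; `service nginx reload` or `nginx -s reload` is). Two smaller points in the same file: the https-only block returns `https://$server_name$request_uri`, and `$server_name` is the first name of the server block, so a request for www.bnewbold.net is redirected to https://bnewbold.net/...; `$host` keeps the requested name, and a separate `listen 80` server block with `return 301 https://$host$request_uri;` does the job without `if` inside `location /` (the acme-challenge location must then stay reachable over plain http for renewals). Finally, `chown www-data:www-data /var/www/letsencrypt` makes the challenge directory writable by the nginx worker, which only needs to read it since the client runs under sudo; a root-owned, world-readable directory is the safer default, as a process running as www-data should not be able to plant challenge responses for these domains.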