Diffstat (limited to 'roles/nginx')
| -rw-r--r-- | roles/nginx/HOWTO_letsencrypt.txt | 63 | 
1 files changed, 63 insertions, 0 deletions
| diff --git a/roles/nginx/HOWTO_letsencrypt.txt b/roles/nginx/HOWTO_letsencrypt.txt new file mode 100644 index 0000000..ada7075 --- /dev/null +++ b/roles/nginx/HOWTO_letsencrypt.txt 
@@ -0,0 +1,63 @@ + +### Let's Encrypt with nginx and Debian Jessie + +Client software is in jessie-backports, so: + +    sudo apt-get install letsencrypt -t jessie-backports + +Need files to show up for each domain at: + +    http://<domain>/.well-known/acme-challenge/<somehash> + +So create a global dir with: + +    sudo mkdir -p /var/www/letsencrypt +    sudo chown www-data:www-data /var/www/letsencrypt + +And to each domain's nginx config: + +    # Let's Encrypt SSL Certs +    location /.well-known/acme-challenge/ { +        root /var/www/letsencrypt; +        autoindex off; +    } + +Don't forget to `nginx reload`. + +Then, for each separate certificate (all these domains will end up on the same +cert), do something like this: + +    # Add --dry-run  to test... +    sudo letsencrypt certonly \ +        --non-interactive \ +        --agree-tos \ +        --email webmaster@bnewbold.net \ +        --webroot -w /var/www/letsencrypt \ +                                -d bnewbold.net -d www.bnewbold.net \ +                                -d goblin.bnewbold.net \ +                                -d know.bnewbold.net \ +                                -d static.bnewbold.net \ +                                -d git.bnewbold.net + +The above will yield a cert at the following path (presumably path has the +first domain name): + +    /etc/letsencrypt/live/bnewbold.net/fullchain.pem + +Add a daily cronjob to do updates of these certs: + +    # first check that updates work: sudo letsencrypt renew +    sudo crontab -e +    # add a line like: +    @daily letsencrypt renew --quiet + +Finally, add blocks like in HOWTO_new_site.txt to each domain's nginx config. + + +To force https-only: + +    location / { +        if ($scheme = http) { +            return 301 https://$server_name$request_uri; +        } +    } | 
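Review bot: the https-only redirect at the end of the file uses `$server_name`, which expands to the first name in the block's `server_name` directive, so on a server block that serves several of the hosts listed here (for example `bnewbold.net www.bnewbold.net`) a plain-http request for a secondary name is redirected to the primary name rather than to the same host over https; `return 301 https://$host$request_uri;` keeps the host the client asked for. Two smaller documentation points: `nginx reload` is not a command the reader can type, so spell out `sudo nginx -s reload` (or `sudo service nginx reload`); and the `@daily letsencrypt renew --quiet` cron entry never reloads nginx, so a renewed certificate under `/etc/letsencrypt/live/bnewbold.net/` is not served until someone reloads by hand, which is worth stating or fixing by appending a reload to that cron line.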
