From 3d073769c78bd66b6dfbc921627e8572ee7cc8c9 Mon Sep 17 00:00:00 2001
From: bnewbold <bnewbold@robocracy.org>
Date: Thu, 19 May 2016 19:50:04 -0700
Subject: nginx: let's encrypt manual instructions

Need to figure out how to automate this?
---
 roles/nginx/HOWTO_letsencrypt.txt | 63 +++++++++++++++++++++++++++++++++++++++
 1 file changed, 63 insertions(+)
 create mode 100644 roles/nginx/HOWTO_letsencrypt.txt

diff --git a/roles/nginx/HOWTO_letsencrypt.txt b/roles/nginx/HOWTO_letsencrypt.txt
new file mode 100644
index 0000000..ada7075
--- /dev/null
+++ b/roles/nginx/HOWTO_letsencrypt.txt
@@ -0,0 +1,63 @@
+
+### Let's Encrypt with nginx and Debian Jessie
+
+Client software is in jessie-backports, so:
+
+    sudo apt-get install letsencrypt -t jessie-backports
+
+Need files to show up for each domain at:
+
+    http://<domain>/.well-known/acme-challenge/<somehash>
+
+So create a global dir with:
+
+    sudo mkdir -p /var/www/letsencrypt
+    sudo chown www-data:www-data /var/www/letsencrypt
+
+And to each domain's nginx config:
+
+    # Let's Encrypt SSL Certs
+    location /.well-known/acme-challenge/ {
+        root /var/www/letsencrypt;
+        autoindex off;
+    }
+
+Don't forget to `nginx reload`.
+
+Then, for each separate certificate (all these domains will end up on the same
+cert), do something like this:
+
+    # Add --dry-run  to test...
+    sudo letsencrypt certonly \
+        --non-interactive \
+        --agree-tos \
+        --email webmaster@bnewbold.net \
+        --webroot -w /var/www/letsencrypt \
+                                -d bnewbold.net -d www.bnewbold.net \
+                                -d goblin.bnewbold.net \
+                                -d know.bnewbold.net \
+                                -d static.bnewbold.net \
+                                -d git.bnewbold.net
+
+The above will yield a cert at the following path (presumably path has the
+first domain name):
+
+    /etc/letsencrypt/live/bnewbold.net/fullchain.pem
+
+Add a daily cronjob to do updates of these certs:
+
+    # first check that updates work: sudo letsencrypt renew
+    sudo crontab -e
+    # add a line like:
+    @daily letsencrypt renew --quiet
+
+Finally, add blocks like in HOWTO_new_site.txt to each domain's nginx config.
+
+
+To force https-only:
+
+    location / {
+        if ($scheme = http) {
+            return 301 https://$server_name$request_uri;
+        }
+    }
-- 
cgit v1.2.3