From 3d073769c78bd66b6dfbc921627e8572ee7cc8c9 Mon Sep 17 00:00:00 2001 From: bnewbold Date: Thu, 19 May 2016 19:50:04 -0700 Subject: nginx: let's encrypt manual instructions Need to figure out how to automate this? --- roles/nginx/HOWTO_letsencrypt.txt | 63 +++++++++++++++++++++++++++++++++++++++ 1 file changed, 63 insertions(+) create mode 100644 roles/nginx/HOWTO_letsencrypt.txt diff --git a/roles/nginx/HOWTO_letsencrypt.txt b/roles/nginx/HOWTO_letsencrypt.txt new file mode 100644 index 0000000..ada7075 --- /dev/null +++ b/roles/nginx/HOWTO_letsencrypt.txt @@ -0,0 +1,63 @@ + +### Let's Encrypt with nginx and Debian Jessie + +Client software is in jessie-backports, so: + + sudo apt-get install letsencrypt -t jessie-backports + +Need files to show up for each domain at: + + http:///.well-known/acme-challenge/ + +So create a global dir with: + + sudo mkdir -p /var/www/letsencrypt + sudo chown www-data:www-data /var/www/letsencrypt + +And to each domain's nginx config: + + # Let's Encrypt SSL Certs + location /.well-known/acme-challenge/ { + root /var/www/letsencrypt; + autoindex off; + } + +Don't forget to `nginx reload`. + +Then, for each separate certificate (all these domains will end up on the same +cert), do something like this: + + # Add --dry-run to test... + sudo letsencrypt certonly \ + --non-interactive \ + --agree-tos \ + --email webmaster@bnewbold.net \ + --webroot -w /var/www/letsencrypt \ + -d bnewbold.net -d www.bnewbold.net \ + -d goblin.bnewbold.net \ + -d know.bnewbold.net \ + -d static.bnewbold.net \ + -d git.bnewbold.net + +The above will yield a cert at the following path (presumably path has the +first domain name): + + /etc/letsencrypt/live/bnewbold.net/fullchain.pem + +Add a daily cronjob to do updates of these certs: + + # first check that updates work: sudo letsencrypt renew + sudo crontab -e + # add a line like: + @daily letsencrypt renew --quiet + +Finally, add blocks like in HOWTO_new_site.txt to each domain's nginx config. + + +To force https-only: + + location / { + if ($scheme = http) { + return 301 https://$server_name$request_uri; + } + } -- cgit v1.2.3