path: root/roles/nginx/HOWTO_letsencrypt.txt
blob: 7b658ec44570a503e755358d9a6da93a7c01816a (plain)

### Let's Encrypt with nginx and Debian Jessie

Client software is in jessie-backports, so:

    sudo apt-get install letsencrypt -t jessie-backports

Need files to show up for each domain at:

    http://<domain>/.well-known/acme-challenge/<somehash>

So create a global dir with:

    sudo mkdir -p /var/www/letsencrypt
    sudo chown www-data:www-data /var/www/letsencrypt

And to each domain's nginx config:

    # Let's Encrypt SSL Certs
    location /.well-known/acme-challenge/ {
        root /var/www/letsencrypt;
        autoindex off;
    }

Don't forget to reload nginx afterwards (`sudo service nginx reload`).
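Before asking for a certificate it is worth confirming that the challenge path above really is reachable over plain HTTP for every domain, since a missing `location` block or an https redirect that swallows `/.well-known/` is the usual reason issuance fails. The script below is an added example, not part of this HOWTO or of the letsencrypt client: it writes a throwaway token into the webroot set up above (the same kind of file the client writes during an http-01 challenge), fetches it with `curl` for each domain, and prints where certbot will put the resulting certificate, which is named after the first `-d` domain. `curl`, the `WEBROOT` override and the script name `preflight.sh` are assumptions.

```shell
#!/bin/sh
# Added example (not from the HOWTO): pre-flight check of the Let's Encrypt
# webroot before running certonly. Assumes curl; WEBROOT may be overridden.

challenge_dir() {
    printf '%s/.well-known/acme-challenge\n' "${WEBROOT:-/var/www/letsencrypt}"
}

# Accept only plain lowercase hostnames: dot-separated labels of [a-z0-9-],
# each starting and ending alphanumerically, with an alphabetic TLD.
valid_domain() {
    printf '%s' "$1" | grep -Eq '^([a-z0-9]([a-z0-9-]*[a-z0-9])?\.)+[a-z]{2,}$'
}

# certbot names a lineage after the first -d domain, so for one certonly
# call this is where fullchain.pem ends up.
expected_fullchain() {
    printf '/etc/letsencrypt/live/%s/fullchain.pem\n' "$1"
}

# Write a token file with a known body and print the token name; the
# directory is created if the mkdir/chown steps above were skipped.
place_token() {
    dir=$(challenge_dir)
    mkdir -p "$dir" || return 1
    token="preflight-$$-$(date +%s)"
    printf 'ok\n' > "$dir/$token" || return 1
    printf '%s\n' "$token"
}

# Fetch the token over http for every domain. Without -L, curl returns the
# body of a 301 page (not "ok") when a redirect catches the challenge path,
# so that misconfiguration is reported as FAIL instead of silently followed.
check_domains() {
    token=$(place_token) || return 1
    rc=0
    for d in "$@"; do
        if ! valid_domain "$d"; then
            echo "SKIP $d: not a plain hostname" >&2; rc=1; continue
        fi
        body=$(curl -s --max-time 10 "http://$d/.well-known/acme-challenge/$token")
        if [ "$body" = "ok" ]; then
            echo "OK   $d"
        else
            echo "FAIL $d" >&2; rc=1
        fi
    done
    rm -f "$(challenge_dir)/$token"
    return $rc
}

# Usage (assumed name): sh preflight.sh bnewbold.net www.bnewbold.net
if [ $# -gt 0 ]; then
    check_domains "$@"
    echo "cert will be written to: $(expected_fullchain "$1")"
fi
```

Run it on the server itself with the same domain list you intend to pass to `certonly`; a FAIL for a domain whose DNS points elsewhere, or whose nginx config lacks the challenge `location`, is exactly what the client would hit.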

Then, for each separate certificate, run something like the following. All the
domains passed to one invocation end up on the same cert; `--expand` lets a later
invocation add domains to a cert that already exists:

    # Add --dry-run to test...
    sudo letsencrypt certonly \
        --non-interactive \
        --agree-tos \
        --email webmaster@bnewbold.net \
        --webroot -w /var/www/letsencrypt \
        -d bnewbold.net -d www.bnewbold.net \
        -d goblin.bnewbold.net \
        -d know.bnewbold.net \
        -d static.bnewbold.net \
        -d git.bnewbold.net

    sudo certbot certonly \
        --non-interactive \
        --agree-tos \
        --email webmaster@robocracy.org \
        --webroot -w /var/www/letsencrypt \
        -d robocracy.org -d www.robocracy.org \
        -d adze.robocracy.org \
        -d dav.robocracy.org \
        -d pad.robocracy.org \
        -d pierre-menard.robocracy.org --expand

    sudo letsencrypt certonly \
        --non-interactive \
        --agree-tos \
        --email bnewbold@the-nsa.org \
        --webroot -w /var/www/letsencrypt \
        -d bnewbold.the-nsa.org \
        -d files.bnewbold.the-nsa.org \
        -d hashbase.bnewbold.the-nsa.org \
        -d modelthing.the-nsa.org \
        -d obscurity.bnewbold.the-nsa.org \
        -d repro.bnewbold.the-nsa.org \
        -d perf.bnewbold.the-nsa.org --expand

    # formerly: very-flat.com

Each invocation yields a cert under /etc/letsencrypt/live/, in a directory named
after the first `-d` domain given, e.g.:

    /etc/letsencrypt/live/bnewbold.net/fullchain.pem

Add a daily cronjob to renew these certs:

    # first check that renewal works: sudo letsencrypt renew
    sudo crontab -e
    # add a line like:
    @daily letsencrypt renew --quiet

Renewal only rewrites the files under /etc/letsencrypt/live; nginx keeps serving
the certificate it read at its last start or reload, so a renewed cert is not
served until nginx is reloaded again.
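Because the cron line above renews the files on disk but nothing reloads nginx, the renewed cert is not served until the next reload. The wrapper below is an added example, not part of this HOWTO: it snapshots every `fullchain.pem` under the live directory before and after `letsencrypt renew` and reloads nginx only when one of them changed, so an idle day costs nothing and a renewal is actually deployed. `sha256sum`, `service nginx reload`, the `LIVE_DIR` override and the install path in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example (not from the HOWTO): renewal wrapper for the daily cronjob.
# Reloads nginx only if a certificate chain actually changed.
# Assumes sha256sum and `service nginx reload`; LIVE_DIR may be overridden.

LIVE_DIR="${LIVE_DIR:-/etc/letsencrypt/live}"

# One "<sha256>  <path>" line per lineage, sorted so two snapshots compare as
# plain text. fullchain.pem in live/ is a symlink into archive/; hashing the
# content means a re-pointed symlink shows up as a change.
snapshot_chains() {
    find "$LIVE_DIR" -name fullchain.pem -exec sha256sum {} + 2>/dev/null | sort
}

# True when at least one chain differs between the two snapshots.
chains_changed() {
    [ "$1" != "$2" ]
}

# The two side effects, kept in their own functions so they can be swapped
# for test doubles or for a different service manager.
do_renew()  { letsencrypt renew --quiet; }
do_reload() { service nginx reload; }

# Exit status: 0 when renewal succeeded (reload or not), non-zero when
# `letsencrypt renew` failed, so cron's mail shows the failure.
renew_and_reload() {
    before=$(snapshot_chains)
    do_renew || return 1
    after=$(snapshot_chains)
    if chains_changed "$before" "$after"; then
        do_reload
    fi
}

# Cron entry (assumed path): @daily /usr/local/sbin/renew-and-reload.sh --run
if [ "${1:-}" = "--run" ]; then
    renew_and_reload
fi
```

Install it somewhere on root's PATH and replace the `@daily letsencrypt renew --quiet` line with a call to the script; the `--run` guard keeps the file safe to source for testing.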

Finally, add blocks like those in HOWTO_new_site.txt to each domain's nginx config.


To force https-only:

    location / {
        if ($scheme = http) {
            return 301 https://$server_name$request_uri;
        }
    }

The separate `location /.well-known/acme-challenge/` block from above is a longer
prefix match than `location /`, so challenge requests still get served over plain
http and renewals keep working. Note that `$server_name` is the first name in the
block's `server_name` directive, so requests for the other names (e.g. www.) are
redirected to that first name.