### Let's Encrypt with nginx and Debian Jessie
Client software is in jessie-backports, so:

```sh
sudo apt-get install letsencrypt -t jessie-backports
```
Need files to show up for each domain at:

```
http://<domain>/.well-known/acme-challenge/<somehash>
```

So create a global dir with:

```sh
sudo mkdir -p /var/www/letsencrypt
sudo chown www-data:www-data /var/www/letsencrypt
```
And to each domain's nginx config:

```nginx
# Let's Encrypt SSL Certs
location /.well-known/acme-challenge/ {
    root /var/www/letsencrypt;
    autoindex off;
}
```

Don't forget to reload nginx (`sudo nginx -s reload`).
Then, for each separate certificate (all the domains listed in one run will end up on the same cert), do something like this:

```sh
# Add --dry-run to test...
sudo letsencrypt certonly \
    --non-interactive \
    --agree-tos \
    --email webmaster@bnewbold.net \
    --webroot -w /var/www/letsencrypt \
    -d bnewbold.net -d www.bnewbold.net \
    -d goblin.bnewbold.net \
    -d know.bnewbold.net \
    -d static.bnewbold.net \
    -d git.bnewbold.net

sudo letsencrypt certonly \
    --non-interactive \
    --agree-tos \
    --email bnewbold@the-nsa.org \
    --webroot -w /var/www/letsencrypt \
    -d bnewbold.the-nsa.org \
    -d files.bnewbold.the-nsa.org \
    -d hashbase.bnewbold.the-nsa.org \
    -d modelthing.the-nsa.org \
    -d obscurity.bnewbold.the-nsa.org \
    -d repro.bnewbold.the-nsa.org \
    -d perf.bnewbold.the-nsa.org --expand
# formerly: very-flat.com
```
The above will yield a cert at the following path (the directory is presumably named after the first domain given):

```
/etc/letsencrypt/live/bnewbold.net/fullchain.pem
```
Add a daily cronjob to renew these certs:

```sh
# first check that renewal works: sudo letsencrypt renew
sudo crontab -e
# add a line like:
@daily letsencrypt renew --quiet
```
Finally, add blocks like in HOWTO_new_site.txt to each domain's nginx config. To force https-only:

```nginx
location / {
    if ($scheme = http) {
        return 301 https://$server_name$request_uri;
    }
}
```
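A preflight check for the webroot flow above, added here as an example and not part of the original note: before `letsencrypt certonly` is run, it drops a throwaway token into the shared webroot and confirms each domain actually serves it over plain HTTP, which is what the CA's validator will do. It assumes the `/var/www/letsencrypt` webroot and the nginx location block from the note are in place and that curl is installed; the `fetch` wrapper and `cert_path` helper are this example's own names.

```shell
#!/bin/sh
# Preflight for the webroot ACME flow in the note above (added example, not
# part of the original note). It drops a throwaway token into the shared
# webroot and confirms each domain serves it over plain HTTP, which is what
# the CA's validator will do once "letsencrypt certonly" runs.
# Assumes WEBROOT is /var/www/letsencrypt (as in the note), the nginx
# location block from the note is in place, and curl is installed.
set -u

WEBROOT="${WEBROOT:-/var/www/letsencrypt}"
CHALLENGE_DIR="$WEBROOT/.well-known/acme-challenge"

# fetch URL: print the body, fail on HTTP errors. A function so it can be
# replaced by a stub when testing without a network.
fetch() {
    curl -fsS --max-time 10 "$1"
}

# cert_path FIRST_DOMAIN ...: where letsencrypt will write the live chain;
# the directory is named after the first -d domain, as the note observes.
cert_path() {
    printf '/etc/letsencrypt/live/%s/fullchain.pem\n' "$1"
}

# preflight DOMAIN ...: returns 0 when every domain serves the token,
# otherwise the number of domains that failed (99 if the webroot is unusable).
preflight() {
    token="acme-preflight-$(date +%s)-$$"
    mkdir -p "$CHALLENGE_DIR" || return 99
    printf '%s\n' "$token" > "$CHALLENGE_DIR/$token" || return 99
    failed=0
    for d in "$@"; do
        got="$(fetch "http://$d/.well-known/acme-challenge/$token" 2>/dev/null || true)"
        if [ "$got" = "$token" ]; then
            echo "ok   $d"
        else
            echo "FAIL $d: token not served (check DNS and the nginx location)" >&2
            failed=$((failed + 1))
        fi
    done
    rm -f "$CHALLENGE_DIR/$token"
    return "$failed"
}

# Usage: sh acme-preflight.sh bnewbold.net www.bnewbold.net ...
if [ "$#" -gt 0 ]; then
    preflight "$@" && echo "ready; cert will land at $(cert_path "$1")"
fi
```

Run it with the same domain list you are about to pass as `-d` arguments; a non-zero exit means the CA's HTTP-01 validation would fail for that many domains.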