
Aaron Parecki

  • Setting up HTTPS with Letsencrypt.org

    December 7, 2015

    I use nginx to serve my HTTPS domains, and Letsencrypt support for nginx is still in beta. I also have a relatively specialized nginx config setup so I don't want any automated script messing with those files. Below are the steps I took to use the letsencrypt tool to generate and automatically renew a certificate for a domain.

    Photo by Jānis Puriņš
    $ git clone https://github.com/letsencrypt/letsencrypt
    $ cd letsencrypt
    $ ./letsencrypt-auto --help

    This installs the tool as well as a number of dependencies. After it's done, the letsencrypt-auto command is available. I installed this in my home folder.

    The tool expects to be able to write the challenge file to disk and that it will be accessible at example.com/.well-known/acme-challenge/*. The first step to getting the process working was setting up an nginx server block for each http domain.

    server {
      listen *:80;
      server_name aaronpk.com example.com;
    
      location /.well-known/acme-challenge {
        default_type "text/plain";
        root /tmp/letsencrypt;
      }
    
      location / {
        return 301 https://$http_host$request_uri;
      }
    }

    This configures nginx to serve the /.well-known/acme-challenge/ path from a folder on disk, and will redirect any other requests to the https version of the domain.

    Now we can run the script that will request the cert and respond to the challenge.

    ~/letsencrypt/letsencrypt-auto certonly -a webroot --webroot-path=/tmp/letsencrypt -d aaronpk.com

    If you want to generate a certificate that contains multiple domains, you can add more -d example.com parameters to the command. Alternatively, you can run the command for each domain separately to generate separate certificates.

    This tells the script to request the cert and write the challenge to disk, and prefills the domain name it's requesting. If everything goes well, you should see:

     - Congratulations! Your certificate and chain have been saved at
       /etc/letsencrypt/live/aaronpk.com/fullchain.pem. Your cert will
       expire on 2016-03-06. To obtain a new version of the certificate in
       the future, simply run Let's Encrypt again.

    Now we can set up the virtual host block which serves the certificate!

    server {
      listen *:443 ssl;
      server_name aaronpk.com;
    
      ssl                   on;
      ssl_certificate       /etc/letsencrypt/live/aaronpk.com/fullchain.pem;
      ssl_certificate_key   /etc/letsencrypt/live/aaronpk.com/privkey.pem;
    
      # your normal config stuff goes here
    }

    (Note that I deliberately left out the other ssl config options from this example, since it's possible to configure them at the top-level nginx config. See indiewebcamp.com/nginx for more details on configuring nginx with https.)

    Now that the two configuration blocks are in place, renewal of the certificate can be automated by running the same command with --renew.

    ~/letsencrypt/letsencrypt-auto --renew certonly -a webroot --webroot-path=/web/sites/aaronpk.com/letsencrypt -d aaronpk.com
    sudo /opt/nginx/sbin/nginx -s reload
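    The two renewal lines above reload nginx whether or not the renewal succeeded. The following wrapper is an added example (not part of the original post or the letsencrypt project): it reads the expiry date from the live fullchain.pem, runs the same renew command only when fewer than RENEW_DAYS remain, and reloads nginx only after a successful renewal. The script name renew-cert.sh, the RENEW_DAYS threshold and the environment-variable overrides are assumptions; the paths come from the post.

```shell
#!/bin/sh
# Added example (not from the original post): renewal wrapper around the
# article's letsencrypt-auto command. Renews only when the live cert is
# within RENEW_DAYS of expiry and reloads nginx only on success.
# Paths follow the post; DOMAIN/WEBROOT/LE/NGINX/RENEW_DAYS are assumed
# overridable via the environment.
DOMAIN="${DOMAIN:-aaronpk.com}"
WEBROOT="${WEBROOT:-/tmp/letsencrypt}"
LE="${LE:-$HOME/letsencrypt/letsencrypt-auto}"
NGINX="${NGINX:-/opt/nginx/sbin/nginx}"
RENEW_DAYS="${RENEW_DAYS:-30}"

# Print the number of whole days until the certificate in $1 expires.
days_until_expiry() {
    enddate=$(openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//') || return 1
    # GNU date parses OpenSSL's "Mar  6 00:00:00 2016 GMT"; fall back to BSD date.
    end_epoch=$(date -u -d "$enddate" +%s 2>/dev/null \
        || date -u -j -f "%b %e %H:%M:%S %Y %Z" "$enddate" +%s) || return 1
    echo $(( (end_epoch - $(date -u +%s)) / 86400 ))
}

# Return 0 (true) when the certificate in $1 should be renewed now.
needs_renewal() {
    [ -f "$1" ] || return 0                       # no cert yet: obtain one
    left=$(days_until_expiry "$1") || return 0    # unreadable cert: try renewing
    [ "$left" -le "$RENEW_DAYS" ]
}

# Renew if needed; reload nginx only when letsencrypt-auto exited 0.
renew_and_reload() {
    cert="/etc/letsencrypt/live/$DOMAIN/fullchain.pem"
    if ! needs_renewal "$cert"; then
        echo "$DOMAIN: $(days_until_expiry "$cert") days left, nothing to do"
        return 0
    fi
    "$LE" --renew certonly -a webroot --webroot-path="$WEBROOT" -d "$DOMAIN" || {
        echo "renewal failed for $DOMAIN, nginx not reloaded" >&2
        return 1
    }
    sudo "$NGINX" -s reload
}

# Only act when run as the script itself, so the functions can be sourced.
if [ "${0##*/}" = "renew-cert.sh" ]; then
    renew_and_reload
fi
```

Run it from cron (for example daily); on the days nothing is due it prints the remaining lifetime and exits without touching nginx.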
    Mon, Dec 7, 2015 9:59am -08:00 #https #ssl #letsencrypt #indieweb
      Timely ... I'm using the built-in flask server for things I should *really* be using with https on gunicorn or nginx. Maybe I can learn from how you did it.
      Mon, Dec 7, 2015 6:38pm +00:00 (via brid-gy.appspot.com)
    • mattl mat.tl
      @aaronpk Looking at this tomorrow on a bunch of Debian + Apache boxes.
      Mon, Dec 7, 2015 6:28pm +00:00 (via brid-gy.appspot.com)
