I use nginx to serve my HTTPS domains, and Letsencrypt support for nginx is still in beta. I also have a relatively specialized nginx config setup so I don't want any automated script messing with those files. Below are the steps I took to use the letsencrypt tool to generate and automatically renew a certificate for a domain.
Photo by Jānis Puriņš$ git clone https://github.com/letsencrypt/letsencrypt
$ cd letsencrypt
$ ./letsencrypt-auto --helpThis installs the tool as well as a number of dependencies. After it's done, the letsencrypt-auto command is available. I installed this in my home folder.
The tool expects to be able to write the challenge file to disk and that it will be accessible at example.com/.well-known/acme-challenge/*. The first step to getting the process working was setting up an nginx server block for each http domain.
server {
listen *:80;
server_name aaronpk.com example.com;
location /.well-known/acme-challenge {
default_type "text/plain";
root /tmp/letsencrypt;
}
location / {
return 301 https://$http_host$request_uri;
}
}This configures nginx to serve the /.well-known/acme-challenge/ path from a folder on disk, and will redirect any other requests to the https version of the domain.
Now we can run the script that will request the cert and respond to the challenge.
~/letsencrypt/letsencrypt-auto certonly -a webroot --webroot-path=/tmp/letsencrypt -d aaronpk.comIf you want to generate a certificate that contains multiple domains, you can add more -d example.com parameters to the command. Alternately, you can run the command for each domain separately to generate separate certificates.
This tells the script to request the cert and write the challenge to disk, and prefills the domain name it's requesting. If everything goes well, you should see:
- Congratulations! Your certificate and chain have been saved at
/etc/letsencrypt/live/aaronpk.com/fullchain.pem. Your cert will
expire on 2016-03-06. To obtain a new version of the certificate in
the future, simply run Let's Encrypt again.Now we can set up the virtual host block which serves the certificate!
server {
listen *:443 ssl;
server_name aaronpk.com;
ssl on;
ssl_certificate /etc/letsencrypt/live/aaronpk.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/aaronpk.com/privkey.pem;
# your normal config stuff goes here
}(Note that I deliberately left out the other ssl config options from this example, since it's possible to configure them at the top-level nginx config. See indiewebcamp.com/nginx for more details on configuring nginx with https.)
Now that the two configuration blocks are in place, renewal of the certificate can be automated by running the same command with --renew.
~/letsencrypt/letsencrypt-auto --renew certonly -a webroot --webroot-path=/web/sites/aaronpk.com/letsencrypt -d aaronpk.com
sudo /opt/nginx/sbin/nginx -s reload
