lets encrypt

free ssl certs for everyone!

with the webroot plugin, it's possible to use letsencrpyt with nginx

install certbot:

add this to /etc/apt/sources list to enable backports:

deb http://ftp.debian.org/debian jessie-backports main

apt-get update
apt-get install certbot -t jessie-backports

nginx vhost configs:

 # letsencrypt:
 location ^~ /.well-known/acme-challenge/ {
       default_type "text/plain";
       allow all;
 }

only adding ^~ /.well-known/ without default type results in a strange connection error!

run certbot:

you can integrate as many domains in one cert as you like:

certbot certonly --webroot  --agree-tos -w /var/www/example -d example.com -d www.example.com

Your new cert will be stored in /etc/letsencrypt/live/example.com/ - th active one is always in /live/

nginx vhost configs - part 2:

# ssl cert:
ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
ssl_trusted_certificate /etc/letsencrypt/live/example.com/chain.pem;

automatic renewal:

use a nightly cronjob to renew the certs. nginx will only get reloaded here, if new certs were installed

43 5 * * * root /usr/bin/certbot renew –quiet –post-hook “service nginx reload” # [» /var/log/le-renew.log ]

howtos:

• https://bjornjohansen.no/lets-encrypt-for-nginx
• https://certbot.eff.org/#debianjessie-nginx