free ssl certs for everyone!
with the webroot plugin, it's possible to use letsencrypt with nginx
install certbot:
add this to /etc/apt/sources.list to enable backports:
deb http://ftp.debian.org/debian jessie-backports main
apt-get update
apt-get install certbot -t jessie-backports
nginx vhost configs:
# letsencrypt:
location ^~ /.well-known/acme-challenge/ {
    default_type "text/plain";
    allow all;
}
only adding ^~ /.well-known/ without default type results in a strange connection error!
run certbot:
you can integrate as many domains in one cert as you like:
certbot certonly --webroot --agree-tos -w /var/www/example -d example.com -d www.example.com
Your new cert will be stored in /etc/letsencrypt/live/example.com/ - the active one is always in /live/
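Before the certbot command above is run, the challenge location and the webroot can be checked end to end, which catches a broken nginx location before Let's Encrypt is asked to validate anything. This is an added example, not part of the original notes; the function name acme_preflight and the FETCH override are assumptions, and curl is assumed to be installed.

```shell
#!/bin/sh
# Added example: pre-flight check for the webroot challenge path.
# Assumptions (not from the original notes): curl is installed; FETCH may be
# overridden with any command that prints the body of the URL it is given.
FETCH=${FETCH:-"curl -fsSL --max-time 10"}

# acme_preflight WEBROOT DOMAIN...
# Writes a probe file where certbot's webroot plugin would place its challenge
# token and checks that every domain serves it back unchanged over plain HTTP.
# Returns 0 if all domains pass, 1 if any fails, 2 if the webroot is unwritable.
acme_preflight() {
    webroot=$1; shift
    dir="$webroot/.well-known/acme-challenge"
    token="preflight-$$-$(date +%s)"
    probe="$dir/$token"
    failed=0

    mkdir -p "$dir" || return 2
    printf '%s' "$token" > "$probe" || return 2

    for domain in "$@"; do
        url="http://$domain/.well-known/acme-challenge/$token"
        body=$($FETCH "$url" 2>/dev/null)
        if [ "$body" = "$token" ]; then
            echo "ok:   $domain"
        else
            echo "FAIL: $domain did not serve $url" >&2
            failed=1
        fi
    done

    rm -f "$probe"    # never leave the probe file behind in the webroot
    return "$failed"
}

# Usage with the paths and domains from these notes:
#   acme_preflight /var/www/example example.com www.example.com \
#     && certbot certonly --webroot --agree-tos -w /var/www/example \
#          -d example.com -d www.example.com
```

A FAIL for one name while the others pass usually means that name is served by a different vhost or webroot than the one given with -w.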
nginx vhost configs - part 2:
# ssl cert:
ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
ssl_trusted_certificate /etc/letsencrypt/live/example.com/chain.pem;
automatic renewal:
use a nightly cronjob to renew the certs. nginx will only get reloaded here, if new certs were installed
43 5 * * * root /usr/bin/certbot renew --quiet --post-hook "service nginx reload" # [>> /var/log/le-renew.log ]
howtos: