lets encrypt

free ssl certs for everyone!

nginx

with the webroot plugin, it's possible to use letsencrypt with nginx

install certbot:

add this to /etc/apt/sources.list to enable backports:

deb http://ftp.debian.org/debian jessie-backports main

then install certbot from backports:

apt-get update
apt-get install certbot -t jessie-backports

nginx vhost configs:

 # letsencrypt:
 location ^~ /.well-known/acme-challenge/ {
       default_type "text/plain";
       allow all;
 }

adding only ^~ /.well-known/ without the default_type line results in a strange connection error!

run certbot:

you can integrate as many domains in one cert as you like:

certbot certonly --webroot  --agree-tos -w /var/www/example -d example.com -d www.example.com

Your new cert will be stored in /etc/letsencrypt/live/example.com/ - the active one is always in /live/

nginx vhost configs - part 2:

# ssl cert:
ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
ssl_trusted_certificate /etc/letsencrypt/live/example.com/chain.pem;
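the two vhost fragments from this page put together into one complete site config, as an added example (not from the wiki page or from certbot). the webroot /var/www/example and the domains are the ones used above; the resolver address for OCSP stapling is an assumption, adjust it to your own:

```nginx
# /etc/nginx/sites-available/example.com  (added example, not from the wiki page)

# port 80: answer ACME challenges from the webroot, send everything else to https
server {
    listen 80;
    server_name example.com www.example.com;

    # must be the same directory as given to certbot with -w; certbot drops
    # the token into /var/www/example/.well-known/acme-challenge/<token>
    root /var/www/example;

    # letsencrypt: ^~ keeps regex locations (e.g. a deny for dotfiles) from
    # shadowing the challenge path; the token file has no extension, so set
    # a default type instead of relying on the mime map
    location ^~ /.well-known/acme-challenge/ {
        default_type "text/plain";
        allow all;
    }

    # everything else goes to tls
    location / {
        return 301 https://$host$request_uri;
    }
}

# port 443: the paths in /live/ always point at the newest cert, so this block
# never needs editing after a renewal, only an nginx reload
server {
    listen 443 ssl;
    server_name example.com www.example.com;
    root /var/www/example;

    # ssl cert:
    ssl_certificate     /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

    # chain.pem is what ssl_trusted_certificate is for: nginx uses it to verify
    # the OCSP response it staples, not to build the served chain
    # (fullchain.pem already contains the intermediate)
    ssl_trusted_certificate /etc/letsencrypt/live/example.com/chain.pem;
    ssl_stapling on;
    ssl_stapling_verify on;
    resolver 127.0.0.1 valid=300s;   # assumption: local caching resolver

    # only modern tls; old protocols buy nothing with a fresh LE cert
    ssl_protocols TLSv1.2;
    ssl_prefer_server_ciphers on;

    # keep the challenge location here too: the LE validator follows a
    # redirect to https, so renewals keep working if the port-80 block changes
    location ^~ /.well-known/acme-challenge/ {
        default_type "text/plain";
        allow all;
    }
}
```

test with "nginx -t" before reloading; a typo in the cert paths is only caught at config load, not at startup of the cronjob.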

automatic renewal:

use a nightly cronjob to renew the certs. nginx will only get reloaded here if new certs were installed

43 5 * * * root /usr/bin/certbot renew --quiet --post-hook "service nginx reload" # [ >> /var/log/le-renew.log ]

howtos:

linux/webserver/lets_encrypt.txt · Last modified: 2016/09/21 17:10 by tkilla