Let's Encrypt

Essential links

https://letsencrypt.org/

https://wiki.debian.org/LetsEncrypt

Debian installation

I recommend the certbot package

Debian stretch

Install from stretch-backports

$ sudo apt install -t stretch-backports certbot

Nginx manual setup

$ domain=www.example.com
$ sudo mkdir -p /srv/www/$domain
$ sudo vim /etc/nginx/sites-enabled/$domain

Modify the http (port 80) section - add location /.well-known/acme-challenge:

server {
    listen 80;
    server_name www.example.com;
    location / {
        ...
    }
    # Serve ACME HTTP-01 challenge files from the certbot webroot
    location '/.well-known/acme-challenge' {
        default_type "text/plain";
        root /srv/www/www.example.com;
    }
}

Reload nginx:

$ sudo systemctl reload nginx.service

Now set up Let's Encrypt using the certbot client:

$ sudo certbot certonly -d $domain --webroot --webroot-path /srv/www/$domain
... answer all the questions and check the output at the end:
IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/www.example.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/www.example.com/privkey.pem
   Your cert will expire on 2019-02-25. ...

Enable the certificate in nginx configuration:

$ sudo vim /etc/nginx/sites-enabled/$domain

Add or modify the https (port 443) section:

server {
    listen 80;
    ...
}
server {
    # "listen ... ssl" replaces the deprecated "ssl on;" directive
    listen 443 ssl;
    server_name www.example.com;
    ssl_certificate     /etc/letsencrypt/live/www.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/www.example.com/privkey.pem;
    ...
}

And reload nginx:

$ sudo systemctl reload nginx.service
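
An added example, not part of the original page: a pre-flight check to run after reloading nginx with the port 80 location block and before calling certbot, confirming that files placed under the webroot are actually served at /.well-known/acme-challenge/. The function names and the ACME_FETCH override (used to swap curl for a stub) are assumptions of this example.

```shell
#!/bin/sh
# Added example: pre-flight check for the certbot --webroot challenge path.
# ACME_FETCH is a hypothetical hook naming the command used to fetch a URL;
# it defaults to curl so the check can also be exercised with a stub.

# Default fetcher: print the body of URL $1, fail on HTTP errors.
acme_fetch_curl() {
    curl --silent --fail --max-time 10 "$1"
}

# check_acme_webroot DOMAIN WEBROOT
# Writes a probe file under WEBROOT/.well-known/acme-challenge and returns 0
# only if http://DOMAIN/.well-known/acme-challenge/<probe> serves it unchanged.
check_acme_webroot() {
    domain=$1
    webroot=$2
    fetch=${ACME_FETCH:-acme_fetch_curl}
    dir="$webroot/.well-known/acme-challenge"
    name="preflight-$$"
    token="probe-$$-$(date +%s)"

    mkdir -p "$dir" || return 2
    printf '%s' "$token" > "$dir/$name" || return 2

    if got=$("$fetch" "http://$domain/.well-known/acme-challenge/$name"); then
        status=0
    else
        status=$?
    fi
    rm -f "$dir/$name"    # never leave the probe behind

    if [ "$status" -ne 0 ]; then
        echo "FAIL: probe not reachable over port 80 (fetch exit $status)" >&2
        return 1
    fi
    if [ "$got" != "$token" ]; then
        echo "FAIL: served content differs from probe (wrong root?)" >&2
        return 1
    fi
    echo "OK: $dir is served for $domain"
}

# Usage: check_acme_webroot "$domain" "/srv/www/$domain"
```

Run it with sudo if /srv/www/$domain is writable only by root, and request the certificate only once it prints OK.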

Links

github.com/messa/tips/Letsencrypt - Wildcard certificates.md