Let's Encrypt
Requirements
| Software | Version | 
|---|---|
| Ubuntu | 16.04 | 
| Nginx | 1.10 | 
Installation
_$: sudo apt install letsencrypt
Prepare the web server
We have a web server for the domain example.com.
The path for that web is /var/www/example-com.
Create a new directory for letsencrypt:
_$: mkdir /var/www/example-com/letsencrypt
Let’s Encrypt will place a file in /var/www/example-com/letsencrypt, so that directory must be publicly accessible. You can place a small index.html file there to check that it actually is.
/var/www/example-com/letsencrypt/index.html:
--------------------------------------------
<!DOCTYPE html>
<html>
  <head>
    <title>example.com</title>
  </head>
  <body>
    <h1>Let's Encrypt</h1>
  </body>
</html>
Go to http://example.com/letsencrypt/index.html and check that you see the contents of the HTML file we just created.
Let’s Encrypt will also create a directory called .well-known inside /var/www/example-com/letsencrypt, so we must do the same check there. The easiest way is to create another index.html file in that directory.
/var/www/example-com/letsencrypt/.well-known/index.html:
--------------------------------------------------------
<!DOCTYPE html>
<html>
  <head>
    <title>example.com</title>
  </head>
  <body>
    <h1>Let's Encrypt Well-known</h1>
  </body>
</html>
Go to http://example.com/letsencrypt/.well-known/index.html and check that you see the contents of the HTML file.
Example: Configure Nginx server to receive a Let’s Encrypt certificate
A possible Nginx configuration that will allow you to obtain a Let’s Encrypt certificate is:
server {
        server_name  example.com;
        listen       80;
        root         /var/www/example-com;
        # Configuration
        # ...
        # Let's Encrypt
        location /letsencrypt/ {
                alias /var/www/example-com/letsencrypt/;
        }
        location /.well-known/ {
                alias /var/www/example-com/letsencrypt/.well-known/;
        }
}
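Note: Once you have your certificate, comment that section out. Renewal with the webroot method may need to repeat this validation, in which case the section has to be active again.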
Get a certificate
_$: sudo letsencrypt certonly --webroot -w /var/www/example-com/letsencrypt -d example.com
During the installation wizard you will have to enter an email address:
Enter email address (used for urgent notices and lost key recovery): email@example.com
And read the terms of service:
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf
You must agree in order to register with the ACME server at
https://acme-v01.api.letsencrypt.org/directory
When it finishes, it will place your certificate at /etc/letsencrypt/live/example.com/fullchain.pem
Check
You can check the certificate you just created with the following command:
_$: openssl x509 -text -noout -in /etc/letsencrypt/live/example.com/fullchain.pem
Renew a certificate
You can test automatic renewal for your certificates by running this command:
_$: sudo letsencrypt renew --dry-run --agree-tos
If that goes well, create a cron task that runs the following command twice a day:
letsencrypt renew
Use your shiny new certificate
Create some symbolic links to make the nginx configuration easier:
_$: cd /etc/nginx
_$: mkdir ssl
_$: ln -s /etc/letsencrypt/live/example.com/privkey.pem    ./ssl/example.key
_$: ln -s /etc/letsencrypt/live/example.com/fullchain.pem  ./ssl/example.pem
server {
        server_name  example.com;
        root         /var/www/example-com;
        listen       80;
        # Configuration
        include conf.d/example-com;
}
server {
        server_name  example.com;
        root         /var/www/example-com;
        # SSL
        listen 443 ssl;
        # example.pem links to fullchain.pem, example.key links to privkey.pem
        ssl_certificate      /etc/nginx/ssl/example.pem;
        ssl_certificate_key  /etc/nginx/ssl/example.key;
        # Configuration
        include conf.d/example-com;
}
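Before reloading nginx, it is worth confirming that the file given to ssl_certificate really is a certificate and that its public key matches the private key given to ssl_certificate_key. The script below is an added example, not part of the original page; the function names and the script name are made up for illustration, and it relies only on `openssl x509` and `openssl pkey`.

```shell
#!/bin/sh
# Added example, not from the original page: confirm that a certificate and a
# private key belong together before nginx is pointed at them.
# Function names are illustrative; only `openssl x509` and `openssl pkey` are used.

# Print the public key (PEM) embedded in a certificate file.
# For a chain such as fullchain.pem, openssl reads the first (leaf) certificate.
pubkey_of_cert() {
    openssl x509 -in "$1" -noout -pubkey 2>/dev/null
}

# Print the public key (PEM) derived from a private key file.
pubkey_of_key() {
    openssl pkey -in "$1" -pubout 2>/dev/null
}

# check_pair CERT KEY
#   returns 0: the key matches the certificate
#   returns 1: both files parse, but the key belongs to another certificate
#   returns 2: CERT is not a certificate or KEY is not a private key
#              (for example, the two paths were given in the wrong order)
check_pair() {
    cert_pub=$(pubkey_of_cert "$1") || return 2
    key_pub=$(pubkey_of_key "$2") || return 2
    [ -n "$cert_pub" ] && [ -n "$key_pub" ] || return 2
    [ "$cert_pub" = "$key_pub" ] || return 1
    return 0
}

# Command-line use: sh check_pair.sh CERT KEY
if [ "$#" -eq 2 ]; then
    rc=0
    check_pair "$1" "$2" || rc=$?
    case "$rc" in
        0) echo "OK: $2 matches $1" ;;
        1) echo "MISMATCH: $2 is not the key for $1" >&2 ;;
        *) echo "ERROR: could not read $1 as a certificate or $2 as a key" >&2 ;;
    esac
    exit "$rc"
fi
```

Saved as check_pair.sh (a hypothetical name), it can be run with `sudo sh check_pair.sh /etc/nginx/ssl/example.pem /etc/nginx/ssl/example.key`; sudo is needed because the private key under /etc/letsencrypt is readable only by root.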