Let's Encrypt webroot on NGINX

Posted: 2015-12-06 14:09:42 by Alasdair Keyes

Direct Link |

---

Like a number of people I've been looking forward to the release of Let's Encrypt, the free system to allow every one to get an SSL Certificate. It's now in open beta and can be used by all.

You can read how it works and how to get it setup here.

After some playing about I found the following setup good for my needs. My system is NGINX running on Debian Jessie.

Run the following with superuser access.

mkdir /var/le_root
chown www-data: /var/le_root
chmod 700 /var/le_root

Create /etc/nginx/snippets/lets_encrypt.conf with the following text

location /.well-known/acme-challenge/ {
    allow all;
    auth_basic off;
    root /var/le_root;
}

The allow all; and auth_basic off; is because some of my sites have IP or basic auth restrictions which I don't want taking effect on this folder as it'll stop Lets Encrypt validating the site.

In each website virtualhost config add the line

include snippets/lets_encrypt.conf;

This snippet aliases /.well-known/acme-challenge/ on any hosting space for the to /var/le_root, we can then tell Let's Encrypt to use /var/le_root for all its validation files so with one command, create certs for any site I have on my server

Then just run

./letsencrypt-auto certonly --webroot -w /var/le_root -d mydomain.com

And your cert/key will be available in /etc/letsencrypt/live/mydomain.com/

The Let's Encrypt certs only last 90 days, whilst this may increase in future, I've added it to my Nagios checks, however, you can also use the following bash script in a cron to check the expiry dates of your certificates. It's easily ammended to auto renew certificates if you wish, I'll update it to auto-renew once I've had to renew one of my own certs.

https://gitlab.com/snippets/1731323/raw

If you found this useful, please feel free to donate via bitcoin to 1NT2ErDzLDBPB8CDLk6j1qUdT6FmxkMmNz