Let’s Encrypt with NGINX (Ajenti)


Encryption is a bad word, at least for everyone connected to any kind of government agency that collects data on the vast majority of its people.
The Let’s Encrypt project is a service that makes certificates available to everybody for free.

This manual is intended to help you create and install SSL certificate(s) on your machine really easily.

Base components:

Get letsencrypt.sh

letsencrypt.sh

Create config stuff:

  1. Configuration directory
  2. WELLKNOWN directory (served via HTTP) that is used to verify the authenticity of your request (i.e. that you are in charge of this domain)
  3. Copy the default configuration and domains file

mkdir -p /etc/letsencrypt.sh
mkdir -p /var/www/letsencrypt.sh/
chown www-data:www-data /var/www/letsencrypt.sh
cp letsencrypt.sh/docs/examples/config /etc/letsencrypt.sh/config
cp letsencrypt.sh/docs/examples/domains.txt /etc/letsencrypt.sh/domains.txt

Customize letsencrypt.sh

Edit /etc/letsencrypt.sh/config:

BASEDIR="/etc/letsencrypt.sh/"
WELLKNOWN="/var/www/letsencrypt.sh/"

Edit /etc/letsencrypt.sh/domains.txt:

# One certificate per line: the first name is the primary domain, further names on the same line become alternative names of that certificate
domain.com sub.domain.com
domain.net sub.domain.net

NGINX domain.conf:

In your NGINX domain configuration add the following to the server block:

location /.well-known/acme-challenge {
    alias /var/www/letsencrypt.sh/;
}

Execute

./letsencrypt.sh -c

(and probably add it to your crontab)

NGINX domain.conf:

  • Add the certificate & key file paths to the NGINX SSL configuration
    • /etc/letsencrypt.sh/certs/domain.com/cert.pem
    • /etc/letsencrypt.sh/certs/domain.com/fullchain.pem
    • /etc/letsencrypt.sh/certs/domain.com/privkey.pem
  • Listen on port 443 in your NGINX domain configuration


Important: the Let’s Encrypt CA issues short-lived certificates (90 days), so don’t forget to renew manually or automatically before they expire!
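As an added example (not code from the original post or from the letsencrypt.sh project), the following POSIX shell helper ties the two NGINX steps above and the renewal note together: it writes the port-443 server block using the certificate paths listed above, checks with openssl whether a certificate is within a configurable number of days of expiry, and runs letsencrypt.sh -c followed by an NGINX reload only when a certificate file actually changed. The script location /opt/letsencrypt.sh/letsencrypt.sh, the reload command nginx -s reload, the 30-day threshold, the CERT_DIR/LE_SCRIPT/RENEW_DAYS variables and the function names are assumptions, not something the post specifies.

```shell
#!/bin/sh
# Added example (not part of the original post): a helper that
# (1) renders the NGINX TLS server block the post describes, pointing at the
#     letsencrypt.sh certificate paths, and
# (2) checks whether a certificate is close to expiry before running
#     letsencrypt.sh -c, reloading NGINX only when a certificate changed.
# Assumed (not from the page): letsencrypt.sh lives in /opt/letsencrypt.sh,
# NGINX is reloaded with "nginx -s reload", certificates are under
# /etc/letsencrypt.sh/certs as in the post.

CERT_DIR="${CERT_DIR:-/etc/letsencrypt.sh/certs}"
LE_SCRIPT="${LE_SCRIPT:-/opt/letsencrypt.sh/letsencrypt.sh}"   # assumed location
RENEW_DAYS="${RENEW_DAYS:-30}"   # renew when fewer than this many days remain

# Write an NGINX server block for DOMAIN to OUTFILE. The certificate is served
# from fullchain.pem so that clients also receive the intermediate CA; with
# cert.pem alone many clients could not build a trust path.
write_tls_server_block() {
    domain="$1"; outfile="$2"
    cat > "$outfile" <<EOF
server {
    listen 443 ssl;
    server_name $domain;

    ssl_certificate     $CERT_DIR/$domain/fullchain.pem;
    ssl_certificate_key $CERT_DIR/$domain/privkey.pem;

    # Keep the ACME challenge path reachable over HTTPS as well
    location /.well-known/acme-challenge/ {
        alias /var/www/letsencrypt.sh/;
    }
}
EOF
}

# Return 0 (true) when CERT expires within DAYS days, 1 otherwise.
# "openssl x509 -checkend N" exits 0 while the certificate stays valid for at
# least N more seconds, so its result is inverted here.
needs_renewal() {
    cert="$1"; days="$2"
    if openssl x509 -in "$cert" -noout -checkend $((days * 86400)); then
        return 1
    fi
    return 0
}

# Count the PEM certificates in a file: fullchain.pem should hold at least
# two (leaf + intermediate), cert.pem exactly one.
cert_count() {
    grep -c 'BEGIN CERTIFICATE' "$1"
}

# Run letsencrypt.sh -c when any certificate is within RENEW_DAYS of expiry,
# then reload NGINX only if a fullchain.pem actually changed.
renew_if_needed() {
    before=$(cat "$CERT_DIR"/*/fullchain.pem 2>/dev/null | cksum)
    for dir in "$CERT_DIR"/*/; do
        [ -f "$dir/cert.pem" ] || continue
        if needs_renewal "$dir/cert.pem" "$RENEW_DAYS"; then
            echo "renewing $(basename "$dir")"
            "$LE_SCRIPT" -c || return 1
            break   # -c processes every line of domains.txt in one run
        fi
    done
    after=$(cat "$CERT_DIR"/*/fullchain.pem 2>/dev/null | cksum)
    if [ "$before" != "$after" ]; then
        nginx -t && nginx -s reload
    fi
}

# Only act when invoked as "renew.sh run", so the functions can be sourced.
if [ "${1:-}" = "run" ]; then
    renew_if_needed
fi
```

Invoked as `sh renew.sh run` from the root crontab, this replaces a bare `./letsencrypt.sh -c` entry: it does nothing while the certificates are fresh, and an NGINX reload only happens after a file under the certs directory was replaced, so a failed renewal never leaves NGINX pointing at a half-written file.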


UPDATE 2016-06-02

  • letsencrypt.sh changed its naming convention from config.sh to simply config
  • The 1st attempt came back with an error from letsencrypt: Error creating new authz
  • The 2nd attempt went well (see this thread for further information)
  • Symlinks for the cert files are now updated correctly (on an earlier version this didn’t work for me)

Let’s Encrypt project

3 Comments

    1. hoot

      Hi @Tai!
      Sorry it took me so long to respond. Hope you could fix this before my reply. If not, here’s what I would do.
      I haven’t tested it, but I suggest you add it to your root’s crontab: crontab -e and run it for example every month: 0 0 1 * * /path/to/letsencrypt.sh
