Let’sEncrypt (finally)

For such a long time I’ve been using StartSSL certificates for my webs (and jabber….). But after all their affairs I lost my trust in them. And not only me – more and more companies nowadays revoking their CA from the list of approved and trusted CAs.

Also I’m lazy and always forget to renew the certificate so I was looking for solution that can auto-renew all certificates I need…

And last (but not least) reason why I wanted the change – it’s so popular now to use the Let’s Encrypt CA!

This little howto is written for my configuration. nginx running at Debian Jessie linux machine. Some parts will be different on different setups….

So let’s start

  • Add the backports repository

  • Install certbot

This is the tool that can automatically connect to the CA, asks for new certificates and automatically store them in their place.
There are more options for this operation, but looks like this is recommended by Let’sEncrypt, it’s supereasy etc…

  • Create the certificate with the certbot

for nginx I need only certificates (so I’m using the certonly option). The rest will be configured manually
certonly –webroot
this option will only create certificates… nothing less/noting more
You can find them then at /etc/letsencrypt/ (few more sub-directories are created. The most important is /etc/letsencrypt/live where you can find all symlinks for your certificates separated by each webroot

-w
path to your website directory. In this directory the certbot will create “.well-known” directory
-d
domains = you can specify all alternative names for your domain here

  • Update nginx configuration

nginx is not unfortunately not supporting any plugin you can use for automatic config changes. Well… In this moment there’s alpha version of this plugin – and I found it easier to change the config manually.
Actually in my case it was only changing the path from the old certificate to the new one.

With this setting I’m getting lovely A+ rating at SSL Server Test

A+ result @ SSL Server Test

  • Of course you need to reload (or even better restart) the webserver..

  • And finally add the crontab record to update the certificate

In my case every 1st day of each month at 0:00
Also I added the nginx reload command. The new (renewed) certificate should be replaced even without reloading/restarting the webserver. So this is just to be sure….

 


Posted

in

, , ,

by

Comments

Leave a Reply

Your email address will not be published. Required fields are marked *