For a long time I have been using StartSSL certificates for my websites (and for Jabber...). But after all their affairs I lost my trust in them. And not only me: more and more companies are now removing their CA from the list of approved and trusted CAs.
Also, I'm lazy and always forget to renew the certificate, so I was looking for a solution that can auto-renew all the certificates I need...
And the last (but not least) reason why I wanted the change: it's so popular now to use the Let's Encrypt CA!
This little howto is written for my configuration: nginx running on a Debian Jessie Linux machine. Some parts will be different on other setups...
So let’s start
- Add the backports repository
echo "deb http://ftp.debian.org/debian jessie-backports main" >> /etc/apt/sources.list
- Install certbot
This is the tool that automatically connects to the CA, asks for new certificates and stores them in the right place.
There are other tools for this, but this one seems to be the one recommended by Let's Encrypt, it's super easy, etc...
apt-get install certbot -t jessie-backports
- Create the certificate with certbot
certbot certonly --webroot -w /data/www/blog.lookash.net -d blog.lookash.net
For nginx I need only the certificates (so I'm using the certonly option). The rest will be configured manually.
certonly --webroot
This option only creates the certificates, nothing less, nothing more.
You can then find them under /etc/letsencrypt/ (a few more sub-directories are created; the most important is /etc/letsencrypt/live, where you find the symlinks to your certificates, one directory per webroot).
-w
Path to your website directory. In this directory certbot will create the ".well-known" directory; the CA fetches the challenge file from http://<your domain>/.well-known/acme-challenge/, so that path has to be reachable from the internet.
-d
Domains: you can specify all alternative names for your domain here (repeat -d for each one).
- Update nginx configuration
Unfortunately nginx does not support any plugin for automatic config changes. Well, at this moment there is an alpha version of such a plugin, but I found it easier to change the config manually.
In my case it was actually only a matter of changing the path from the old certificate to the new one.
server {
    listen 80;
    server_name blog.lookash.net;
    return 301 https://$server_name$request_uri;
}
server {
    listen 443 ssl;
    server_name blog.lookash.net;
    ssl on;
    ssl_certificate /etc/letsencrypt/live/blog.lookash.net/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/blog.lookash.net/privkey.pem;
    add_header Strict-Transport-Security "max-age=15768000; includeSubdomains; preload";
    # the cipher list on the next line is cut off in the original post
    ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:ECDHE-RSA-AES128-GCM-SHA256:AES256+EECDH:DHE-RSA-AES128-GCM-SHA256:AES256+EDH:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-A$
    ssl_prefer_server_ciphers on;
    ssl_dhparam /etc/nginx/ssl/dhparams.pem;
    # the remaining lines of this server block are cut off in the original post
}
With these settings I get a lovely A+ rating at the SSL Server Test.
- Of course you need to reload (or even better restart) the webserver.
systemctl reload nginx
- And finally add the crontab record to renew the certificate
In my case on the 1st day of each month at 0:00.
I also added the nginx reload command. The files under /etc/letsencrypt/live are replaced by the renewal even without reloading/restarting the webserver, so the reload is just to be sure...
0 0 1 * * certbot renew >> /var/log/certbot_renew.log
0 5 1 * * systemctl reload nginx
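As an added example (not part of the original post) that closes the loop on the cron job above: nginx only picks up a renewed certificate after a reload, so this small POSIX shell script checks that the certificate nginx actually serves for a domain matches the renewed file under /etc/letsencrypt/live/<domain>/ and reports how many days it has left. It assumes openssl(1) and GNU date are installed; the 30-day threshold is certbot's default renewal window.

```shell
#!/bin/sh
# Added example (not from the original post): verify that the certificate nginx
# serves is the one certbot renewed on disk, and report the days left.
# Assumes openssl(1) and GNU date; 30 days is certbot's default renewal window.
set -eu

# Turn openssl's "SHA256 Fingerprint=AB:CD:..." into bare lowercase hex.
normalize_fp() {
    printf '%s' "$1" | sed 's/^.*=//; s/://g' | tr 'A-Z' 'a-z'
}

# Fingerprint of the leaf certificate in a PEM file (first cert in fullchain.pem).
file_fp() {
    normalize_fp "$(openssl x509 -in "$1" -noout -fingerprint -sha256)"
}

# Fingerprint of the leaf certificate the running server presents.
# -servername sends SNI, so the right vhost answers when several share one IP.
served_fp() {
    normalize_fp "$(openssl s_client -connect "$1:${2:-443}" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha256)"
}

# Days until a notAfter date as printed by "openssl x509 -enddate",
# e.g. "Jan  1 00:00:00 2099 GMT"; negative once the certificate has expired.
days_from_notafter() {
    end=$(date -u -d "$1" +%s)
    now=$(date -u +%s)
    echo $(( (end - now) / 86400 ))
}

# Exit 0 when fewer than $2 (default 30) days remain, i.e. "certbot renew"
# would issue a new certificate on its next run.
should_renew() {
    [ "$1" -lt "${2:-30}" ]
}
# Compare disk vs wire; a mismatch means renewal ran but nginx was not reloaded.
check_deploy() {
    live="/etc/letsencrypt/live/$1/fullchain.pem"
    disk=$(file_fp "$live")
    wire=$(served_fp "$1")
    days=$(days_from_notafter "$(openssl x509 -in "$live" -noout -enddate | sed 's/^notAfter=//')")
    if [ "$disk" != "$wire" ]; then
        echo "MISMATCH: $1 serves $wire, disk has $disk -> run: systemctl reload nginx"
        return 1
    fi
    echo "OK: $1 serves the on-disk certificate ($days days left)"
    if should_renew "$days"; then echo "NOTE: inside the 30-day renewal window"; fi
}
# Usage: ./check_cert.sh blog.lookash.net   (no argument: only define the functions)
[ "$#" -eq 0 ] || check_deploy "$1"
```

Run it a few minutes after the reload cron entry fires; a non-zero exit tells you the renewed file never made it into the running nginx.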