LetsEncrypt

From Gcom-Wiki

A simple example of how to obtain and use a Let's Encrypt certificate for nginx. In this sample we don't use any integration or server plugin; certbot runs in standalone mode and nginx is configured by hand.

Get a Cert: /etc/letsencrypt/cert-domain.tld

# standalone authenticator: certbot answers the challenge itself, so nginx
# is stopped before the run (to free the port) and started again afterwards
certbot certonly \
    --standalone \
    --pre-hook "systemctl stop nginx" \
    --post-hook "systemctl start nginx" \
    --email mail@domain.tld \
    -d domain.tld

Cronjob: /etc/cron.d/certbot

# /etc/cron.d/certbot: crontab entries for the certbot package
#
# Upstream recommends attempting renewal twice a day
#
# Eventually, this will be an opportunity to validate certificates
# haven't been revoked, etc.  Renewal will only occur if expiration
# is within 30 days.
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

10 10 * * 4 root /etc/letsencrypt/renew

Renew-Script: /etc/letsencrypt/renew

#!/bin/bash
#
# Copyright 2016 Alf Gaida <agaida@siduction.org>
# License: WTFPL-2
#
# This work is free. You can redistribute it and/or modify it under the
# terms of the Do What The Fuck You Want To Public License, Version 2,
# as published by Sam Hocevar. See http://www.wtfpl.net/ for more details.

LOG=/etc/letsencrypt/certbot.log

# separate this run from the previous one in the log
{
    echo ""
    echo ""
    echo "---------------------------------"
    echo "| $(date) |"
    echo "---------------------------------"
} >> "$LOG"

# renew every certificate that is within 30 days of expiry; nginx is
# stopped around the run so the standalone authenticator can bind the port
certbot renew \
    --pre-hook "systemctl stop nginx" \
    --post-hook "systemctl start nginx" \
    >> "$LOG"
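As an added check (example code, not part of this page or of certbot), a small shell helper that reports how far a certificate on disk is from expiry and whether it is inside the 30-day renewal window the cron comment mentions, useful for verifying from cron or monitoring that the renew script actually did its job. It assumes openssl and GNU date are available; the self-signed certificate is constructed only for offline testing, and the live path is a placeholder taken from this page.

```shell
#!/bin/sh
# Expiry check for PEM certificates such as
# /etc/letsencrypt/live/domain.tld/cert.pem (path is a placeholder).

cert_days_left() {
    # $1: PEM certificate. Prints whole days until notAfter (GNU date).
    not_after=$(openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//')
    end_epoch=$(date -u -d "$not_after" +%s)
    now_epoch=$(date -u +%s)
    echo $(( (end_epoch - now_epoch) / 86400 ))
}

needs_renewal() {
    # Exit 0 when the certificate expires within 30 days, i.e. inside the
    # window in which "certbot renew" would act. -checkend returns 0 when the
    # certificate is still valid after the given number of seconds, so invert.
    ! openssl x509 -in "$1" -noout -checkend $((30 * 86400))
}

make_test_cert() {
    # Constructed self-signed certificate valid for $2 days, written to $1
    # (key to $1.key). Only for offline testing of the functions above.
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1" \
        -days "$2" -subj "/CN=domain.tld" >/dev/null 2>&1
}

# Typical use after the cron run (placeholder path from this page):
#   needs_renewal /etc/letsencrypt/live/domain.tld/cert.pem && echo "renewal overdue"
```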

Integration in Nginx

https redirections

Please be aware that an HTTPS redirect server block needs a valid certificate and key of its own: the TLS handshake is completed before nginx can send the 301, so a block without them will fail instead of redirecting.

server {
    listen [<ipaddr>:]443 ssl;
    server_name www.domain.tld;

    ssl_certificate /etc/letsencrypt/live/domain.tld/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/domain.tld/privkey.pem;

    return 301 https://domain.tld$request_uri;
}

VHost

server {
    listen      [<ipaddr>:]443 ssl;
    server_name domain.tld;

    ssl_certificate /etc/letsencrypt/live/domain.tld/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/domain.tld/privkey.pem;

    access_log  /var/log/nginx/domain.tld-access.log combined;
    error_log   /var/log/nginx/domain.tld-error.log error;

...