Certbot-auto and Nginx


#1

I recently installed nginx on a server that runs ubuntu 14.04.
After creating a nginx server I downloaded certbot-auto.

I ran certbot-auto and created a certificate for my domain.

To my surprise, the script didn’t behave the way I’m used to seeing it behave on apache: on apache, as the script runs it also configures the server. It creates a vhost for port 443, and sets up a redirect from within the already-existing vhost definition.

After I’d run the script for nginx, the server block definition was left untouched, and there was no configuration for a server to listen on port 443.

Is this the usual behaviour for certbot with nginx?
Is the expectation that the sysadmin set up the server configuration manually?


#2

There is a Certbot Nginx plugin, but it’s considered alpha code. I don’t know if it supports every feature that the Apache plugin does.

You can try it with “certbot --nginx”.

You can also continue maintaining your Nginx configuration by hand, of course.


#3

If you don’t run a lot of web sites, simply just stop nginx for a few seconds, then run certbot-auto with the --standalone option. Generate your certs and then restart nginx. Then manually configure your vhost with the certs. Takes all in all about 10-15 seconds of downtime. This is only a temp measure; if you run lots of sites you need to configure your nginx sites to properly authenticate using the webroot / acme authorization.

Here’s a very simple nginx config for SSL, so you just make these changes yourself after you have your certs and then simply do a service nginx reload:

server {
	# SSL configuration
	#
	listen 443 ssl http2;

	root /var/www/mywebsite.com;
	server_name mywebsite.com www.mywebsite.com;
	charset UTF-8;
	access_log /var/log/nginx/mywebsite.com-access.log;
	error_log /var/log/nginx/mywebsite.com-error.log;

	# First include our certificates and chain of trust
	# (paths are the ones certbot writes under /etc/letsencrypt/live/<domain>/)
	ssl_certificate /etc/letsencrypt/live/mywebsite.com/fullchain.pem;
	ssl_certificate_key /etc/letsencrypt/live/mywebsite.com/privkey.pem;
	## verify chain of trust of OCSP response using Root CA and Intermediate certs
	ssl_trusted_certificate /etc/letsencrypt/live/mywebsite.com/chain.pem;

	# Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
	# (the file must exist before reload, e.g. from `openssl dhparam -out /etc/nginx/ssl/dhparam.pem 2048`)
	ssl_dhparam /etc/nginx/ssl/dhparam.pem;
	ssl_session_timeout 1d;
	ssl_session_cache shared:SSL:128m;
	ssl_session_tickets off;
	# TLSv1 and TLSv1.1 are deprecated (RFC 8996); drop them unless legacy clients require them
	ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
	# ciphers recommended by https://mozilla.github.io/server-side-tls/ssl-config-generator/
	ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
	ssl_prefer_server_ciphers on;
	# HSTS: browsers will refuse plain HTTP for a year once they have seen this header
	add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";
	# OCSP stapling; ssl_stapling_verify relies on ssl_trusted_certificate above
	ssl_stapling on;
	ssl_stapling_verify on;
}
# END OF HTTPS PORT 443 HOST CONFIG

server {
	listen 80;
	server_name mywebsite.com www.mywebsite.com;
	# send everything on port 80 to the HTTPS host (Let's Encrypt follows this redirect for HTTP-01 validation)
	return 301 https://mywebsite.com$request_uri;
}
# END OF HTTP PORT 80 HOST CONFIG
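The stop, issue, configure and reload procedure from this post, as an added example that is not part of the thread: a POSIX sh script whose render_site, check_site, issue_cert and install_site functions are mine, with the domain argument, the ./certbot-auto path and the sites-available/sites-enabled layout assumed. It goes one step beyond the post by passing --pre-hook/--post-hook (certbot stores them for later `certbot-auto renew` runs) and by answering HTTP-01 challenges from the webroot in the port-80 block, and it only reloads nginx after the rendered vhost passes a lint and `nginx -t`.

```shell
#!/bin/sh
# Added example (not the poster's code): the --standalone workflow from the
# post, linting the vhost and running `nginx -t` before reload. Assumes
# ./certbot-auto is present and the sites-available/sites-enabled layout.
set -eu

# Render the 443 + 80 server blocks; @DOMAIN@ is substituted by sed.
render_site() {
  sed "s/@DOMAIN@/$1/g" <<'EOF'
server {
    listen 443 ssl http2;
    server_name @DOMAIN@ www.@DOMAIN@;
    root /var/www/@DOMAIN@;
    ssl_certificate /etc/letsencrypt/live/@DOMAIN@/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/@DOMAIN@/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/@DOMAIN@/chain.pem;
    ssl_protocols TLSv1.2;
    ssl_stapling on;
    ssl_stapling_verify on;
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";
}
server {
    listen 80;
    server_name @DOMAIN@ www.@DOMAIN@;
    location /.well-known/acme-challenge/ { root /var/www/@DOMAIN@; }
    location / { return 301 https://@DOMAIN@$request_uri; }
}
EOF
}
# Lint a config on stdin: required directives present, TLS 1.0/1.1 absent.
check_site() {
  cfg=$(cat)
  for n in 'listen 443 ssl' 'ssl_certificate ' 'ssl_certificate_key ' \
    'ssl_trusted_certificate ' 'acme-challenge' 'return 301 https://'; do
    printf '%s\n' "$cfg" | grep -q "$n" || { echo "missing: $n" >&2; return 1; }
  done
  ! printf '%s\n' "$cfg" | grep -Eq 'ssl_protocols.*TLSv1(\.1)?( |;)'
}
# certbot runs the hooks itself and stores them for `certbot-auto renew`.
issue_cert() {
  ./certbot-auto certonly --standalone -d "$1" -d "www.$1" \
    --pre-hook 'service nginx stop' --post-hook 'service nginx start'
}
install_site() {   # write the vhost, reload only if the whole config parses
  render_site "$1" | check_site
  render_site "$1" > "/etc/nginx/sites-available/$1"
  ln -sf "/etc/nginx/sites-available/$1" "/etc/nginx/sites-enabled/$1"
  nginx -t && service nginx reload
}
case "${1:-}" in issue) issue_cert "$2" ;; install) install_site "$2" ;; esac
```

Run as `sh deploy.sh issue mywebsite.com` followed by `sh deploy.sh install mywebsite.com`; the post's cipher list and dhparam can be added to the template where your policy requires them.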

#4

Right, we haven’t enabled this plugin by default because it’s still a bit experimental. This plugin does correspond to the Apache plugin in functionality, but users will have to ask for it explicitly the way you said. It will probably be featured automatically in a Certbot release soon.

