Certificate for nginx


#1

Hi,

May I know when we can expect the release of letsencrypt to support nginx?


#2

Instantly? You can generate pem keys that can be used with nginx
Read up on this over here: https://letsencrypt.org/howitworks/


#3

We are hoping for more automated Nginx integration, on the level of our Apache integration (so that certificates can be automatically installed and automatically renewed). Unfortunately this feature is broken right now, although Python developers who are Nginx users are welcome to jump in and try to help us fix it!

As @Sava says, if you are willing to take responsibility for installing the cert and for renewing it when it expires, you can indeed use the client now to get certificates that will work perfectly in Nginx (and other web servers). One thing to know is that the file fullchain.pem has the combined certificate and chain, which is what Nginx wants.


#4

@Sava @schoen thank you.


#5

At the moment, we believe that the nginx plugin has bugs that can break people’s setups, so it isn’t active by default. The known issues with nginx are here; nobody has done triage to determine exactly which subset of them would be sufficient for activating the nginx plugin as part of letsencrypt-auto.


#6

@schoen

Could you please let me know the configuration to use the fullchain.pem in nginx?

I tried, and it was giving me an error.
SSL_CTX_use_PrivateKey_file("/etc/letsencrypt/live/****/fullchain.pem") failed (SSL: error:0906D06C:PEM routines:PEM_read_bio:no start line:Expecting: ANY PRIVATE KEY error:140B0009:SSL routines:SSL_CTX_use_PrivateKey_file:PEM lib)


#7

Using fullchain.pem is just linking to it for nginx ssl_certificate path. This is what I do for my custom Centmin Mod Nginx stack at https://community.centminmod.com/posts/19325/

server {
  listen 443 ssl http2;
  server_name le1.http2ssl.xyz www.le1.http2ssl.xyz;

  ssl_dhparam /usr/local/nginx/conf/ssl/le1.http2ssl.xyz/dhparam.pem;
  ssl_certificate      /etc/letsencrypt/live/le1.http2ssl.xyz/fullchain.pem;
  ssl_certificate_key  /etc/letsencrypt/live/le1.http2ssl.xyz/privkey.pem;
  include /usr/local/nginx/conf/ssl_include.conf;
}

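The error in post #6 is what nginx reports when `ssl_certificate_key` points at fullchain.pem, which holds certificates and no key. As an added example (not part of the thread or of the Let's Encrypt client), this Python check reads the PEM block labels behind each directive and flags that mix-up; `check_tls_directives`, `pem_labels`, the example.com paths and the sample file contents are assumptions constructed for illustration.

```python
import re

PEM_LABEL = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----")
DIRECTIVE = re.compile(r"^\s*(ssl_certificate(?:_key)?)\s+([^;\s]+)\s*;", re.M)

def pem_labels(text):
    """Return the PEM block labels in file order."""
    return PEM_LABEL.findall(text)

def check_tls_directives(conf, read_file):
    """Return a list of problems with the ssl_certificate* directives in conf.

    read_file(path) returns the file's text; it is injected so the check can
    run on the constructed samples below instead of real files.
    """
    problems = []
    for name, path in DIRECTIVE.findall(conf):
        labels = pem_labels(read_file(path))
        certs = labels.count("CERTIFICATE")
        if name == "ssl_certificate_key":
            if not any(label.endswith("PRIVATE KEY") for label in labels):
                problems.append(f"{name} {path}: no private key block (found {labels})")
        elif certs == 0:
            problems.append(f"{name} {path}: no CERTIFICATE block (found {labels})")
        elif certs == 1:
            problems.append(f"{name} {path}: leaf certificate only, no chain")
    return problems

# Constructed sample data: placeholder bodies, not real certificates or keys.
LIVE = "/etc/letsencrypt/live/example.com"
CERT = "-----BEGIN CERTIFICATE-----\nAAAA\n-----END CERTIFICATE-----\n"
FILES = {
    f"{LIVE}/fullchain.pem": CERT + CERT,
    f"{LIVE}/privkey.pem": "-----BEGIN PRIVATE KEY-----\nAAAA\n-----END PRIVATE KEY-----\n",
}
GOOD_CONF = f"""
server {{
  listen 443 ssl;
  ssl_certificate      {LIVE}/fullchain.pem;
  ssl_certificate_key  {LIVE}/privkey.pem;
}}
"""
# The mistake behind "Expecting: ANY PRIVATE KEY": key directive -> fullchain.pem
BAD_CONF = GOOD_CONF.replace("privkey.pem", "fullchain.pem")

if __name__ == "__main__":
    for label, conf in (("good", GOOD_CONF), ("bad", BAD_CONF)):
        print(label, check_tls_directives(conf, FILES.__getitem__))
```

To run it against a real server block, pass a `read_file` that opens the path from disk, with enough privilege to read privkey.pem.
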
#8

Thanks eva for the answer.


#9

I have a guide here that scores an A on SSL Labs.


#10

Is there an update on this? I’m considering whether I should continue waiting or use RapidSSL.


#11

For most people with nginx, the webroot plugin is a good (and more stable) way to get a cert right now.

If you really really want a cert installer, or you can’t use the nginx plugin due to proxy-pass entries, the nginx plugin is available for experimental use right now (follow the developer instructions to run it), but make sure you back up your configuration, and do not run it on mission critical systems. It could possibly explode, corrupt your config, etc.

Also, please send us pull requests for nginx github tickets : )