Hello, I followed all the steps and made it to the congratulations part. I now have 4 files saved at /etc/letsencrypt/live/DOMAIN/ called: cert.pem, chain.pem, fullchain.pem and privkey.pem.
When looking at my config file at /etc/nginx/sites-available/default I have these 2 lines: ssl_certificate cert.pem; and ssl_certificate_key cert.key;
I do have the cert.pem file but what about the cert.key? I can’t seem to find it.
As you are using nginx, in the ssl_certificate directive you should specify the fullchain.pem file (it includes your domain cert and the intermediate cert), and for the ssl_certificate_key directive you should specify the privkey.pem file:
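The two directives from the answer above, as an added example script that is not code from the original post or from the Let's Encrypt client. It renders an nginx snippet pointing at fullchain.pem and privkey.pem, refuses to install it if the files are missing, warns if the key is world-readable, and lets nginx validate the result. The live directory /etc/letsencrypt/live/<domain>/ and the snippet directory /etc/nginx/snippets/ are assumptions; pass different ones as the optional second and third arguments.

```shell
#!/bin/sh
# Added example for this thread, not code from the original post or from the
# Let's Encrypt client. Renders the two nginx directives from the answer above
# (fullchain.pem + privkey.pem) and installs them as a snippet. The live
# directory /etc/letsencrypt/live/<domain>/ and the snippet directory
# /etc/nginx/snippets/ are assumptions; override them with the optional
# second and third arguments.
set -eu

# Print the TLS directives for one domain. ssl_certificate must point at
# fullchain.pem (leaf plus intermediate); cert.pem alone leaves clients that
# do not already have the intermediate unable to build the chain.
render_ssl_snippet() {
    domain=$1
    live=${2:-/etc/letsencrypt/live}/$domain
    cat <<EOF
# TLS material issued by Let's Encrypt for $domain
ssl_certificate     $live/fullchain.pem;
ssl_certificate_key $live/privkey.pem;
# chain.pem is the intermediate alone; nginx uses it to verify stapled OCSP
ssl_trusted_certificate $live/chain.pem;
ssl_stapling on;
ssl_stapling_verify on;
EOF
}

# Octal mode of a file, following symlinks (live/ holds links into archive/).
# GNU stat first, BSD stat as the fallback.
file_mode() {
    stat -L -c %a "$1" 2>/dev/null || stat -L -f %Lp "$1"
}

# Check that the files exist and the key is private, write the snippet, and
# ask nginx to validate the resulting configuration if nginx is installed.
install_ssl_snippet() {
    domain=$1
    livedir=${2:-/etc/letsencrypt/live}
    snipdir=${3:-/etc/nginx/snippets}
    live=$livedir/$domain
    for f in fullchain.pem privkey.pem chain.pem; do
        [ -r "$live/$f" ] || { echo "missing or unreadable: $live/$f" >&2; return 1; }
    done
    case $(file_mode "$live/privkey.pem") in
        *[1-7]) echo "warning: $live/privkey.pem is world-readable" >&2 ;;
    esac
    mkdir -p "$snipdir"
    render_ssl_snippet "$domain" "$livedir" > "$snipdir/ssl-$domain.conf"
    echo "wrote $snipdir/ssl-$domain.conf; add 'include $snipdir/ssl-$domain.conf;' to the server block"
    if command -v nginx >/dev/null 2>&1; then
        nginx -t
    else
        echo "nginx not found in PATH; skipping nginx -t" >&2
    fi
}

# Usage: sh ssl-snippet.sh DOMAIN   (e.g. sh ssl-snippet.sh example.com)
[ $# -eq 0 ] || install_ssl_snippet "$@"
```

After the snippet is in place, put `include /etc/nginx/snippets/ssl-DOMAIN.conf;` in the listen 443 server block in place of the two cert.pem/cert.key lines, run nginx -t, and reload.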
You should also suggest setting Cloudflare's SSL mode to at least "Full SSL (Strict)" or (better) using keyless SSL, because all the other Cloudflare SSL options are very flawed, and always keep in mind that Cloudflare man-in-the-middles your "secure" connection.
If we have sites loading from more than 1 web root, how do we specify this in the command? Do I have to generate a new cert for every site that loads from a different web root?
@sahsanu, not quite sure what I'm doing wrong here. When I run ./letsencrypt-auto, it asks me which sites I'd like to activate HTTPS for; I choose them, then it errors out with an error similar to the one I'll post below.
Replace your email, your domain names and webroot path with the real ones and execute the command again. If you get no error, you can remove the last parameter, --dry-run, and launch the command again (the --dry-run option simulates the whole process but doesn't issue the certificate, so you can check that everything will work once you are ready).
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A record(s) for that domain
contain(s) the right IP address.
Your account credentials have been saved in your Let’s Encrypt
configuration directory at /etc/letsencrypt. You should make a
secure backup of this folder now. This configuration directory will
also contain certificates and private keys obtained by Let’s
Encrypt so making regular backups of this folder is ideal.
@andrewjs18, the error is clear: the challenge can't be accessed to verify your domain.
Put a simple test file at /path/to/document/root/for/sub.mysite.com/.well-known/acme-challenge/testfile and try to access it using your web browser at http://sub.mysite.com/.well-known/acme-challenge/testfile. If you get the content of testfile, all is OK; if you receive a 404 Not Found, something is wrong in your conf.
Also, re-check that you wrote the correct webroot-path for your sub.mysite.com domain when you executed the letsencrypt-auto command.
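The manual check in the post above, automated, and then the --dry-run invocation from the earlier webroot post, as an added example script that is not code from the original posts or from the Let's Encrypt client. It drops a random token under <webroot>/.well-known/acme-challenge/, fetches it over plain HTTP the way the ACME validation server will, and only runs letsencrypt-auto if every domain served its own token. It also answers the multiple-webroot question: each -w applies to the -d names that follow it, so one certificate can cover sites with different webroots. The domains, webroots, EMAIL and the path to letsencrypt-auto are placeholders you supply.

```shell
#!/bin/sh
# Added example for this thread, not code from the original posts or from the
# Let's Encrypt client. It automates the check described above: drop a
# token under <webroot>/.well-known/acme-challenge/, fetch it over plain
# HTTP the way the ACME server will, and only then run letsencrypt-auto with
# --dry-run. Domains, webroots, EMAIL and the path to letsencrypt-auto are
# placeholders you supply.
set -eu

# URL the validation server requests. Plain http://: at this point no
# certificate exists yet, so the server block on port 80 must serve the path.
acme_challenge_url() {
    printf 'http://%s/.well-known/acme-challenge/%s\n' "$1" "$2"
}

# Write a random token file under the webroot and print the token. Needs
# write access to the webroot (run as its owner or as root).
write_probe_token() {
    dir=$1/.well-known/acme-challenge
    mkdir -p "$dir"
    token=$(head -c 16 /dev/urandom | od -An -tx1 | tr -d ' \n')
    printf 'probe %s\n' "$token" > "$dir/$token"
    echo "$token"
}

# Fetch the token and compare it with what was written. -L follows an
# http->https redirect, which the ACME server also follows; the response
# must come from the same webroot you will hand to letsencrypt-auto.
probe_webroot() {
    domain=$1
    webroot=$2
    token=$(write_probe_token "$webroot")
    path=$webroot/.well-known/acme-challenge/$token
    url=$(acme_challenge_url "$domain" "$token")
    expected=$(cat "$path")
    got=$(curl -sSL --max-time 10 "$url") || got=
    rm -f "$path"
    if [ "$got" = "$expected" ]; then
        echo "OK:   $url is served from $webroot"
    else
        echo "FAIL: $url did not return the token; check the port-80 server block for $domain and its root/alias for /.well-known/" >&2
        return 1
    fi
}

# Probe every DOMAIN WEBROOT pair, then request one certificate covering all
# of them (-w applies to the -d names that follow it, so sites with different
# webroots do not need separate certificates).
main() {
    n=$#
    [ "$n" -ge 2 ] && [ $((n % 2)) -eq 0 ] || {
        echo "usage: $0 DOMAIN WEBROOT [DOMAIN WEBROOT ...]" >&2; return 2; }
    i=0
    while [ "$i" -lt "$n" ]; do
        probe_webroot "$1" "$2"
        set -- "$@" -w "$2" -d "$1"
        shift 2
        i=$((i + 2))
    done
    "${LETSENCRYPT_AUTO:-./letsencrypt-auto}" certonly --webroot "$@" \
        --email "${EMAIL:?set EMAIL to your contact address}" --agree-tos --dry-run
}

# Usage: EMAIL=you@example.com sh probe-webroot.sh mysite.com /var/www/mysite sub.mysite.com /var/www/sub
[ $# -eq 0 ] || main "$@"
```

A FAIL for one domain almost always means the port-80 server block for that name does not map /.well-known/ to the directory you passed as its webroot; fix that before dropping --dry-run, because failed validations count against the rate limits.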
That would work, but letsencrypt renew is a better option, since it's smarter about which options it uses, when it actually renews the certificates, etc.
Just put it in a daily cronjob, test it once, and you should be good to go.
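The daily cron job from the reply above with the step it leaves implicit, as an added example script that is not code from the original post or from the Let's Encrypt client. letsencrypt-auto renew only replaces certificates that are near expiry, but nginx keeps serving the certificate it loaded at start-up, so the job snapshots the fullchain.pem files under live/ before and after the run and reloads nginx only when one of them changed, and only if nginx -t still passes. The paths to letsencrypt-auto and the live directory are assumptions; set LETSENCRYPT_AUTO and LIVE_DIR to match your install.

```shell
#!/bin/sh
# Added example for this thread, not code from the original post or from the
# Let's Encrypt client: the daily cron job suggested above, with the reload
# step. letsencrypt-auto renew only renews certificates that are near
# expiry, but nginx keeps serving the certificate it loaded at start-up, so
# it must be reloaded whenever a file under live/ changes. Paths are
# assumptions; set LETSENCRYPT_AUTO and LIVE_DIR to match your install.
#
# crontab entry for root (once a day, at an off-peak minute):
#   23 4 * * * /usr/local/sbin/le-renew.sh run >>/var/log/le-renew.log 2>&1
set -eu

LE=${LETSENCRYPT_AUTO:-/opt/letsencrypt/letsencrypt-auto}
LIVE=${LIVE_DIR:-/etc/letsencrypt/live}

# Checksum of a file's content, following the symlinks that live/ uses to
# point into archive/. Prints nothing for a missing or unreadable file.
file_digest() {
    if [ -r "$1" ]; then
        cksum < "$1" | cut -d' ' -f1
    fi
}

# One line per domain: path and digest of its fullchain.pem. Comparing two
# snapshots tells whether any certificate was replaced by the renew run.
live_snapshot() {
    for f in "$1"/*/fullchain.pem; do
        if [ -e "$f" ]; then
            printf '%s %s\n' "$f" "$(file_digest "$f")"
        fi
    done
}

# Reload nginx only if the configuration still passes nginx -t, so an
# unrelated broken edit does not take the site down in the middle of the night.
reload_nginx_if_valid() {
    if nginx -t; then
        nginx -s reload
    else
        echo "nginx -t failed; not reloading, old certificate stays in use" >&2
        return 1
    fi
}

renew_and_reload() {
    before=$(live_snapshot "$LIVE")
    "$LE" renew
    after=$(live_snapshot "$LIVE")
    if [ "$before" != "$after" ]; then
        echo "certificates changed, reloading nginx"
        reload_nginx_if_valid
    else
        echo "no certificate was renewed, nothing to reload"
    fi
}

# Usage: sh le-renew.sh run   (the argument keeps the job from running when
# the file is only loaded for its functions)
[ "${1:-}" != run ] || renew_and_reload
```

Test it once by hand with `sh le-renew.sh run` and read the log line it prints; a renewal that fails exits before the reload, so the old certificate stays in place and the error is in the cron log.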