I’m brand new to Let’s Encrypt. Using Nginx on Ubuntu 16.04 LTS. I need to roll out an implementation that allows me to provide certificates for quite a few websites. At least 20. I’m using one IP address – is this possible?
I’ve added the certbot repository (add-apt-repository ppa:certbot/certbot)
Then did apt-get install python-certbot-nginx
So now I’m just trying to figure out the best way to do this. I don’t want to do an umbrella statement because there are some sites being added later.
Hi @outergain, you should have a lot of choice in how you use Let’s Encrypt certificates.
Most clients since Windows 98 have supported Server Name Indication (SNI), where the client tells the server what server name it’s intending to connect to before the server presents the certificate. Nginx and other web servers can use this information to decide which certificate to present to the client, in case there are several configured certificates that cover different domain names.
The most important thing for you to look at might be to ensure that you use Let’s Encrypt in a way that doesn’t run into any rate limits (for example when re-issuing certificates due to later-added sites).
When you run Certbot, you should be able to tell it with -d options which domains you want it to issue a certificate for at a given moment. There is also an optional --cert-name option which is useful when trying to replace a previously-issued certificate with a new one that may cover more or fewer domain names.
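As an added example (not configuration from this thread or from Certbot itself), this is what the SNI-based setup described above looks like in nginx for two sites on one IP address, each with its own certificate issued by a separate `certbot -d` run. The hostnames are placeholders; the certificate paths follow Certbot's `/etc/letsencrypt/live/<name>/` layout, and the `http { }` wrapper is shown only because `server_names_hash_bucket_size` belongs in that context (in `nginx.conf`, not in a `sites-enabled` file).

```nginx
# Added example, not from this thread: several sites on one IP address, each
# with its own Let's Encrypt certificate. nginx matches the SNI name the
# client sends against server_name and presents that block's certificate.
http {
    # With dozens of server_name entries the default name hash table can
    # overflow; a larger bucket size avoids the
    # "could not build optimal server_names_hash" warning.
    server_names_hash_bucket_size 128;

    # Site one. Issued with (hypothetical names):
    #   sudo certbot --nginx -d site-one.example -d www.site-one.example
    server {
        listen 443 ssl;
        listen [::]:443 ssl;
        server_name site-one.example www.site-one.example;

        ssl_certificate     /etc/letsencrypt/live/site-one.example/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/site-one.example/privkey.pem;
        include /etc/letsencrypt/options-ssl-nginx.conf;

        root /var/www/site-one.example/public_html;
    }

    # Site two, added later. Issuing it with its own certbot run leaves site
    # one's certificate untouched, so the later addition spends no rate-limit
    # budget on re-issuing an existing certificate:
    #   sudo certbot --nginx -d site-two.example -d www.site-two.example
    server {
        listen 443 ssl;
        listen [::]:443 ssl;
        server_name site-two.example www.site-two.example;

        ssl_certificate     /etc/letsencrypt/live/site-two.example/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/site-two.example/privkey.pem;
        include /etc/letsencrypt/options-ssl-nginx.conf;

        root /var/www/site-two.example/public_html;
    }
}
```

One caveat worth knowing: a client that sends no SNI name, or a name no `server_name` matches, is handled by the first `listen 443` block (or the one marked `default_server`) and receives that site's certificate. If you do not want one tenant's certificate shown for every unknown name, give the default server a dedicated block rather than letting it fall through to the first site.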
Where did you find the ./certbot-auto command? That form is meant for people who don’t have an operating system package. Since you do have an operating system package installed via apt-get, your command form is probably sudo certbot.
That gave me a list of all the sites on my server, and asked me to pick the ones to obtain certificates for. Then it said this:
```text
Obtaining a new certificate
Performing the following challenges:
tls-sni-01 challenge for theatereleven.com
tls-sni-01 challenge for www.theatereleven.com
Waiting for verification...
Cleaning up challenges
Could not open file: /etc/nginx/sites-enabled/outergain.com
nginx: [warn] could not build optimal server_names_hash, you should increase either server_names_hash_max_size: 512 or server_names_hash_bucket_size: 64; ignoring server_names_hash_bucket_size
nginx: [warn] could not build optimal server_names_hash, you should increase either server_names_hash_max_size: 512 or server_names_hash_bucket_size: 64; ignoring server_names_hash_bucket_size
Deployed Certificate to VirtualHost /etc/nginx/sites-enabled/theatereleven.com for set(['theatereleven.com', 'www.theatereleven.com'])
Deployed Certificate to VirtualHost /etc/nginx/sites-enabled/theatereleven.com for set(['theatereleven.com', 'www.theatereleven.com'])
nginx: [warn] could not build optimal server_names_hash, you should increase either server_names_hash_max_size: 512 or server_names_hash_bucket_size: 64; ignoring server_names_hash_bucket_size
nginx: [warn] could not build optimal server_names_hash, you should increase either server_names_hash_max_size: 512 or server_names_hash_bucket_size: 64; ignoring server_names_hash_bucket_size
```
Then it said this:
```text
Please choose whether HTTPS access is required or optional.
1: Easy - Allow both HTTP and HTTPS access to these sites
2: Secure - Make all requests redirect to secure HTTPS access
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): An unexpected error occurred:
error: (4, 'Interrupted system call')
Please see the logfiles in /var/log/letsencrypt for more details.

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at
   /etc/letsencrypt/live/theatereleven.com/fullchain.pem. Your cert
   will expire on 2017-10-11. To obtain a new or tweaked version of
   this certificate in the future, simply run certbot again with the
   "certonly" option. To non-interactively renew all of your
   certificates, run "certbot renew"
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.
```
@SwartzCr, are you willing to take a look at these error messages? We might want to get Erica involved in terms of an exciting new possible Nginx integration problem (if Certbot in fact failed to reconfigure Nginx appropriately).
I'm willing to do anything. However, it looks like it did configure. I just toasted my WordPress site and restored it to the https url, and it seems to be working:
```nginx
listen 443 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/theatereleven.com/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/theatereleven.com/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
```
I’m using Mautic on the site, and the opt-in form is requesting over non-secure. Cool - thanks. I think my final problem is, how can I force https in nginx? I’ve tried multiple changes in my server config file, and either nginx tanks on restart, or the site won’t load.
Here’s my nginx site config:
```nginx
server {
    listen 80;
    listen [::]:80;
    root /var/www/theatereleven.com/public_html;
    access_log /var/www/theatereleven.com/logs/access.log;
    error_log /var/www/theatereleven.com/logs/error.log;
    index index.php index.html;
    server_name www.theatereleven.com theatereleven.com;
    location / {
        # First attempt to serve request as file, then
        # as directory, then fall back to displaying a 404.
        try_files $uri $uri/ /index.php?q=$uri&$args;
        #try_files $uri $uri/ =404;
    }
    location /content {
        try_files $uri $uri/ /content/?q=$uri&$args;
    }
    location ~ \.php$ {
        include snippets/fastcgi-php.conf;
        fastcgi_pass unix:/run/php/php7.0-fpm.sock;
    }
    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/theatereleven.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/theatereleven.com/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    #makes browsers use TLS (SSL)
    add_header Strict-Transport-Security "max-age=31536000" always;
}
server {
    root /var/www/theatereleven.com/public_html;
    access_log /var/www/theatereleven.com/logs/access.log;
    error_log /var/www/theatereleven.com/logs/error.log;
    index index.php index.html;
    location / {
        # First attempt to serve request as file, then
        # as directory, then fall back to displaying a 404.
        try_files $uri $uri/ /index.php?q=$uri&$args;
        #try_files $uri $uri/ =404;
    }
    location ~ \.php$ {
        include snippets/fastcgi-php.conf;
        fastcgi_pass unix:/run/php/php7.0-fpm.sock;
    }
    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/theatereleven.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/theatereleven.com/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    #makes browsers use TLS (SSL)
    add_header Strict-Transport-Security "max-age=31536000" always;
}
```
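The config above serves the same `server` block on both port 80 and port 443 (the first block has both `listen 80` and `listen 443 ssl`), so a plain-HTTP request is answered with the site itself rather than a redirect, and the second block has no `server_name` at all. As an added example (not from this thread and not written by Certbot), here is the same site restructured so that port 80 only redirects and only the TLS block serves content. The paths are the ones from the post; everything else is an assumption.

```nginx
# Added example, not from this thread: force HTTPS by splitting the site into
# a redirect-only block on port 80 and a content-serving block on port 443.

# Port 80: answer every request with a redirect to the same URL over HTTPS.
# Keep this block free of root/location directives so nothing is ever served
# in the clear, even if the application is misconfigured.
server {
    listen 80;
    listen [::]:80;
    server_name www.theatereleven.com theatereleven.com;
    return 301 https://$host$request_uri;
}

# Port 443: the only block that serves the application.
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name www.theatereleven.com theatereleven.com;

    ssl_certificate /etc/letsencrypt/live/theatereleven.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/theatereleven.com/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot

    # HSTS belongs only on HTTPS responses (browsers ignore it over HTTP).
    # Consider a short max-age first and raise it once every page and
    # subresource is confirmed to load over HTTPS.
    add_header Strict-Transport-Security "max-age=31536000" always;

    root /var/www/theatereleven.com/public_html;
    index index.php index.html;
    access_log /var/www/theatereleven.com/logs/access.log;
    error_log /var/www/theatereleven.com/logs/error.log;

    location / {
        # Serve the file, then the directory, then fall back to the front controller.
        try_files $uri $uri/ /index.php?q=$uri&$args;
    }

    location /content {
        try_files $uri $uri/ /content/?q=$uri&$args;
    }

    location ~ \.php$ {
        include snippets/fastcgi-php.conf;
        fastcgi_pass unix:/run/php/php7.0-fpm.sock;
    }
}
```

Check the file with `sudo nginx -t` before reloading; a failed reload is what makes nginx "tank on restart". This split is also what Certbot's nginx plugin writes when you pick option 2 ("Secure") at the prompt quoted earlier, or pass `--redirect` on the command line. Note that a server-side redirect only covers requests the browser sends to port 80: a form whose action is an absolute `http://` URL emitted by the application still has to be fixed in the application's own base URL setting, since that is a mixed-content problem, not an nginx one.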