How to implement on 20+ sites / Nginx / Ubuntu

I’m brand new to Let’s Encrypt. Using Nginx on Ubuntu 16.04 LTS. I need to roll out an implementation that allows me to provide certificates for quite a few websites. At least 20. I’m using one IP address – is this possible?

  1. I’ve added the certbot repository (add-apt-repository ppa:certbot/certbot)
  2. Then did apt-get install python-certbot-nginx

So now I’m just trying to figure out the best way to do this. I don’t want to do an umbrella statement because there are some sites being added later.

Any help greatly appreciated!!!

I would search Google, as there are plenty of articles on how to use certbot with NGINX on Ubuntu.

Andrei

Hi @outergain, you should have a lot of choice in how you use Let’s Encrypt certificates.

Most clients since Windows 98 have supported Server Name Indication (SNI), where the client tells the server what server name it’s intending to connect to before the server presents the certificate. Nginx and other web servers can use this information to decide which certificate to present to the client, in case there are several configured certificates that cover different domain names.

The most important thing for you to look at might be

https://letsencrypt.org/docs/rate-limits/

to ensure that you use Let’s Encrypt in a way that doesn’t run into any rate limits (for example when re-issuing certificates due to later-added sites).

When you run Certbot, you should be able to tell it with -d options which domains you want it to issue a certificate for at a given moment. There is also an optional --cert-name option which is useful when trying to replace a previously-issued certificate with a new one that may cover more or fewer domain names.

Hey @schoen, thanks for your reply. When I try to run:

./certbot-auto

In any shape or form, my system tells me it can’t be found. So I installed the package again, but it said everything was already there:

python-certbot-nginx is already the newest version (0.14.2-1+certbot+16.041).

How can I get certbot running on Ubuntu 16.04 LTS? When I go to the certbot site, it gives me a page of instructions, and I’ve followed those.

Hi @outergain,

Where did you find the ./certbot-auto command? That form is meant for people who don’t have an operating system package. :slight_smile: Since you do have an operating system package installed via apt-get, your command form is probably sudo certbot.

I was just following the guide at certbot’s site.

However, since I replied to you I typed this:

certbot --nginx

That gave me a list of all the sites on my server, and asked me to pick the ones to obtain certificates for. Then it said this:

Obtaining a new certificate
Performing the following challenges:
tls-sni-01 challenge for theatereleven.com
tls-sni-01 challenge for www.theatereleven.com
Waiting for verification…
Cleaning up challenges
Could not open file: /etc/nginx/sites-enabled/outergain.com
nginx: [warn] could not build optimal server_names_hash, you should increase either server_names_hash_max_size: 512 or server_names_hash_bucket_size: 64; ignoring server_names_hash_bucket_size
nginx: [warn] could not build optimal server_names_hash, you should increase either server_names_hash_max_size: 512 or server_names_hash_bucket_size: 64; ignoring server_names_hash_bucket_size
Deployed Certificate to VirtualHost /etc/nginx/sites-enabled/theatereleven.com for set([‘theatereleven.com’, ‘www.theatereleven.com’])
Deployed Certificate to VirtualHost /etc/nginx/sites-enabled/theatereleven.com for set([‘theatereleven.com’, ‘www.theatereleven.com’])
nginx: [warn] could not build optimal server_names_hash, you should increase either server_names_hash_max_size: 512 or server_names_hash_bucket_size: 64; ignoring server_names_hash_bucket_size
nginx: [warn] could not build optimal server_names_hash, you should increase either server_names_hash_max_size: 512 or server_names_hash_bucket_size: 64; ignoring server_names_hash_bucket_size

Then it said this:

Please choose whether HTTPS access is required or optional.

1: Easy - Allow both HTTP and HTTPS access to these sites
2: Secure - Make all requests redirect to secure HTTPS access

Select the appropriate number [1-2] then [enter] (press ‘c’ to cancel): An unexpected error occurred:
error: (4, ‘Interrupted system call’)
Please see the logfiles in /var/log/letsencrypt for more details.

IMPORTANT NOTES:

  • Congratulations! Your certificate and chain have been saved at
    /etc/letsencrypt/live/theatereleven.com/fullchain.pem. Your cert
    will expire on 2017-10-11. To obtain a new or tweaked version of
    this certificate in the future, simply run certbot again with the
    "certonly" option. To non-interactively renew all of your
    certificates, run “certbot renew”
  • Your account credentials have been saved in your Certbot
    configuration directory at /etc/letsencrypt. You should make a
    secure backup of this folder now. This configuration directory will
    also contain certificates and private keys obtained by Certbot so
    making regular backups of this folder is ideal.

Was it the guide at https://certbot.eff.org/#ubuntuxenial-nginx, or some other guide? This guide doesn’t seem to mention ./certbot-auto anywhere.

@SwartzCr, are you willing to take a look at these error messages? We might want to get Erica involved in terms of an exciting new possible Nginx integration problem (if Certbot in fact failed to reconfigure Nginx appropriately).

I’m willing to do anything. However, it looks like it did configure. I just toasted my WordPress site and restored it to the https url, and it seems to be working:

However, it says the SSL connection is not completely secure.

Here’s what it did to the NGINX server file:

listen 443 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/theatereleven.com/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/theatereleven.com/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot

Not a certificate or certificate configuration problem, but a mixed content problem. See

https://www.whynopadlock.com/

Yep, you’re right! Nice – Thank you.

I’m using Mautic on the site, and the opt-in form is requesting over non-secure. Cool - thanks. I think my final problem is, how can I force https in nginx? I’ve tried multiple changes in my server config file, and either nginx tanks on restart, or the site won’t load.

Here’s my nginx site config:

server {
    listen 80;
    listen [::]:80;

    root /var/www/theatereleven.com/public_html;
    access_log /var/www/theatereleven.com/logs/access.log;
    error_log /var/www/theatereleven.com/logs/error.log;
    index index.php index.html;

    server_name www.theatereleven.com theatereleven.com;

    location / {
        # First attempt to serve request as file, then
        # as directory, then fall back to displaying a 404.
        try_files $uri $uri/ /index.php?q=$uri&$args;
        #try_files $uri $uri/ =404;
    }

    location /content {
        try_files $uri $uri/ /content/?q=$uri&$args;
    }

    location ~ \.php$ {
        include snippets/fastcgi-php.conf;
        fastcgi_pass unix:/run/php/php7.0-fpm.sock;
    }

    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/theatereleven.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/theatereleven.com/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot

    #makes browsers use TLS (SSL)
    add_header Strict-Transport-Security "max-age=31536000" always;
}

Got it working… I had some configuration mishaps going on. This worked:

server {
    # Plain-HTTP block: only job is to redirect to HTTPS
    listen 80;
    listen [::]:80;
    server_name www.theatereleven.com theatereleven.com;
    return 301 https://theatereleven.com$request_uri;
}

server {
    listen 443 ssl; # managed by Certbot
    # server_name is required here as well once further sites share this IP:
    # nginx selects the server block (and so the certificate) from the SNI name
    server_name www.theatereleven.com theatereleven.com;

    root /var/www/theatereleven.com/public_html;
    access_log /var/www/theatereleven.com/logs/access.log;
    error_log /var/www/theatereleven.com/logs/error.log;
    index index.php index.html;

    location / {
        # First attempt to serve request as file, then
        # as directory, then fall back to displaying a 404.
        try_files $uri $uri/ /index.php?q=$uri&$args;
        #try_files $uri $uri/ =404;
    }

    location /content {
        try_files $uri $uri/ /content/?q=$uri&$args;
    }

    # the dot must be escaped: an unescaped ".php$" is a regex wildcard
    location ~ \.php$ {
        include snippets/fastcgi-php.conf;
        fastcgi_pass unix:/run/php/php7.0-fpm.sock;
    }

    ssl_certificate /etc/letsencrypt/live/theatereleven.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/theatereleven.com/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot

    #makes browsers use TLS (SSL)
    add_header Strict-Transport-Security "max-age=31536000" always;
}

Thanks again @schoen
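Two points in this thread generalise to the 20-site rollout the question started with: @schoen's note that nginx picks the certificate from the SNI name (so every TLS server block needs a server_name) and that `-d`/`--cert-name` should be used per site to stay clear of the rate limits, and the split redirect/TLS block pair that finally worked above. The following Python script is an added example, not code from the thread, Certbot or nginx. It lints a constructed config (the working config above plus a hypothetical second site, `example-second-site.test`, whose blocks carry the typical mistakes) and derives a per-site `certbot --nginx -d ... --cert-name ...` command from each TLS block. It understands only the nginx syntax the thread's configs use; pinning `--cert-name` to the shortest name is a convention chosen here, not a Certbot rule.

```python
"""Lint nginx server blocks for a multi-site Let's Encrypt rollout and derive the
per-site Certbot command from each TLS block's server_name list (added example)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

Directive = Tuple[str, List[str]]

# Constructed sample: the thread's working site plus a hypothetical second site
# whose port-80 block does not redirect and whose TLS block lacks server_name/HSTS.
SAMPLE_CONFIG = """
server {
    listen 80;
    listen [::]:80;
    server_name www.theatereleven.com theatereleven.com;
    return 301 https://theatereleven.com$request_uri;
}
server {
    listen 443 ssl; # managed by Certbot
    server_name www.theatereleven.com theatereleven.com;
    location / { try_files $uri $uri/ /index.php?q=$uri&$args; }
    ssl_certificate /etc/letsencrypt/live/theatereleven.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/theatereleven.com/privkey.pem;
    include /etc/letsencrypt/options-ssl-nginx.conf;
    add_header Strict-Transport-Security "max-age=31536000" always;
}
server {
    listen 80;
    server_name example-second-site.test;
    root /var/www/example-second-site.test/public_html;
}
server {
    listen 443 ssl;
    ssl_certificate /etc/letsencrypt/live/example-second-site.test/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example-second-site.test/privkey.pem;
}
"""


def _top_level_blocks(text: str):
    """Yield (keyword, body) for every top-level 'keyword { body }'; comments removed first."""
    text = re.sub(r"#[^\n]*", "", text)
    depth, seg_start, body_start, keyword = 0, 0, 0, ""
    for i, ch in enumerate(text):
        if ch == "{":
            if depth == 0:
                parts = text[seg_start:i].split()
                keyword, body_start = (parts[-1] if parts else ""), i + 1
            depth += 1
        elif ch == "}":
            depth -= 1
            if depth == 0:
                yield keyword, text[body_start:i]
                seg_start = i + 1


def _directives(body: str) -> List[Directive]:
    """Directives directly inside body; nested blocks (location ...) are skipped.
    Arguments are whitespace-split, so quotes stay attached to their argument."""
    out, depth, cur = [], 0, []
    for ch in body:
        if ch == "{":
            depth, cur = depth + 1, []          # drop the nested block's header
        elif ch == "}":
            depth -= 1
        elif depth == 0:
            if ch == ";":
                parts = "".join(cur).split()
                if parts:
                    out.append((parts[0], parts[1:]))
                cur = []
            else:
                cur.append(ch)
    return out


@dataclass
class ServerBlock:
    directives: List[Directive]

    def args(self, name: str) -> List[List[str]]:
        return [a for n, a in self.directives if n == name]

    @property
    def server_names(self) -> List[str]:
        return [n for a in self.args("server_name") for n in a]

    @property
    def listens_tls(self) -> bool:          # 'listen 443 ssl'
        return any("ssl" in a[1:] for a in self.args("listen"))

    @property
    def listens_plain(self) -> bool:        # 'listen 80' / 'listen [::]:80'
        return any("ssl" not in a[1:] for a in self.args("listen"))


def parse_servers(text: str) -> List[ServerBlock]:
    return [ServerBlock(_directives(body)) for kw, body in _top_level_blocks(text) if kw == "server"]


def lint(block: ServerBlock) -> List[str]:
    findings = []
    redirects = [a for a in block.args("return")
                 if len(a) >= 2 and a[0] in ("301", "308") and a[1].startswith("https://")]
    if block.listens_plain and block.listens_tls:
        findings.append("serves both 80 and 443 in one block; split it so port 80 can redirect")
    elif block.listens_plain and not redirects:
        findings.append("port 80 block does not redirect to https")
    if block.listens_tls:
        if not block.server_names:
            findings.append("TLS block has no server_name; SNI cannot select it, it only wins as default")
        for d in ("ssl_certificate", "ssl_certificate_key"):
            if not block.args(d):
                findings.append(f"missing {d}")
        if not any(a and a[0].lower() == "strict-transport-security" for a in block.args("add_header")):
            findings.append("no Strict-Transport-Security header")
    return findings


def certbot_command(block: ServerBlock) -> List[str]:
    """One -d per server_name; --cert-name pinned to the shortest name (a convention
    chosen here) so a later re-issue that adds or drops names replaces this lineage
    instead of creating a new one, which is what eats into the rate limits."""
    names = block.server_names
    cmd = ["certbot", "--nginx", "--cert-name", min(names, key=len)]
    for n in names:
        cmd += ["-d", n]
    return cmd


def lint_config(text: str) -> Dict[str, List[str]]:
    """Label each server block by its names and port and map it to its findings."""
    report = {}
    for i, blk in enumerate(parse_servers(text)):
        names = ",".join(blk.server_names) or "(no server_name)"
        report[f"{names}@{'443' if blk.listens_tls else '80'}#{i}"] = lint(blk)
    return report


if __name__ == "__main__":
    for label, findings in lint_config(SAMPLE_CONFIG).items():
        print(label, "->", "ok" if not findings else "; ".join(findings))
    for blk in parse_servers(SAMPLE_CONFIG):
        if blk.listens_tls and blk.server_names:
            print(" ".join(certbot_command(blk)))
```

Run it against the files in `/etc/nginx/sites-enabled/` after each new site is added; the "serves both 80 and 443 in one block" finding is exactly the shape of the earlier, non-redirecting config, and a TLS block without `server_name` is the one that silently answers for every unmatched SNI name on the shared IP.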

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.