Managing Certs + Nginx


#1

Apologies if this is a newbish question, I’m hoping there is a simple way to get around a problem.

I’ve been playing with let’s encrypt and trying to come up with a simple / easy way to do the following:

  • Set up port 80 locations for letsencrypt challenge and manage redirects to port 443
  • Server on port 443 to use letsencrypt certs
  • Ability to not have to manage the above configs in tandem with the letsencrypt certs (i.e. no matter what, bring up the server on port 80, and bring up server on port 443 when available / on next nginx restart and everything is set up).

I confess, this is desirable just to simplify / be lazy.

At the moment I can’t seem to get around the fact that without the certs, nginx won’t start because the certs can’t be found, which means I can’t get the certs because the letsencrypt challenge will fail when trying to access my site.

Has anyone found a reasonable way of managing this, or will it be a case of writing a script to manage the dance of only enabling port 80 for the challenge, then get the certs, followed by enabling the 443 server?

Thanks,
Matt


#2

Is this part of some kind of automated deployment (ansible/chef/puppet/etc), or what’s the scenario in which you need to have a server block listen on 443 straight away, without having any certificates?

I can think of two options:

  • Use separate server blocks for http and https; initially only enable http (nginx on debian/ubuntu uses sites-available and sites-enabled for this - sites-enabled contains symlinks to sites-available. Only files in sites-enabled are loaded). Once letsencrypt ran successfully, create a symlink to the ssl server file in sites-available.
  • Use snakeoil certs initially (i.e. something self-signed), delete those files after starting nginx, run letsencrypt, reload nginx.

#3

Or generate your certs initially via standalone auth and then switch to webroot for future renewals to avoid taking down nginx.


#4

Ah, that’s what standalone is for

./letsencrypt-auto certonly --standalone -d example.com -d www.example.com

tbh I had read it and didn’t follow what it was doing / why it was needed. Could this be used with a cli.ini and the rerun with the same command to renew the certs?