Ok so, maybe this will shed some light for others. I did try and use the documentation provided, but what confused the hell out of me was the naming convention. Now I am not a sysadmin, rather a developer “sysadmin-light”. I tried setting up the VHOST as suggested, but it just didn’t want to access that file. I watched the folder and they were being generated in there, and NGINX was serving them, but it just didn’t want to auth.
So I went back and I redid everything. This is what worked for me, using my example domain of “www.allroundtraders.co.za”
1. Clone into the “letsencrypt” repo as per docs
git clone https://github.com/letsencrypt/letsencrypt
cd letsencrypt
./letsencrypt-auto --server \
https://acme-v01.api.letsencrypt.org/directory --help
2. Stop NGINX and run the standalone verification server, ok so not ideal but it worked. Follow the prompts
service nginx stop
./letsencrypt-auto certonly \
-a standalone \
-d www.allroundtraders.co.za \
-d allroundtraders.co.za \
--server https://acme-v01.api.letsencrypt.org/directory \
--agree-dev-preview
NOTE I noticed that when you run the above command it does indeed create the directory called “/etc/letsencrypt/live/www.allroundtraders.co.za/”, but if you have multiple domains in 1 request, the directory will be called after the first domain in the command.
IE: If I had “-d thatguy.co.za -d www.thatguy.co.za -d allroundtraders.co.za -d www.allroundtraders” Then it creates 1 cert containing all the domains as an alias, but it would be in the “/etc/letsencrypt/live/thatguy.co.za/”. It’s just something to keep in mind, keep the order in which you specify your multiple domains the same. Otherwise you will need to update all the certificate references in NGINX.
3. Start NGINX again
service nginx start
Now what got me confused was the naming convention of the key, cert and chain. After this succeeds, a fresh set of certs and keys are generated. Hazaaaa:
root@TheDirector:/ # ls /etc/letsencrypt/live/www.allroundtraders.co.za/
cert.pem chain.pem fullchain.pem privkey.pem
root@TheDirector:/ #
Note the cert.pem
is what others may be familiar with as server.crt
, the privkey.pem
would then be what some are used to seeying as server.key
. And then the chain.pem
if you do SSL stapling, which you should. Would be the entire cert chain.
Now these are merely symlinks, which point to the new certs and keys as they get renewed / issued. This means that NGINX only needs point to these files ever. And will automatically point to the most current certificate set. Pretty cool guys!
4. Update NGINX VHOST as needed
Now you will need to update your NGINX VHOST to point to this cert set. This is what mine looks like, keep in mind that I reverse proxy to other servers, but the important part to note is the SSL specific parts:
# NON-SSL
server {
server_name allroundtraders.co.za www.allroundtraders.co.za img.allroundtraders.co.za;
if ($scheme = http) {
return 301 https://$server_name$request_uri;
}
}
# SSL
server {
listen 443;
server_name allroundtraders.co.za www.allroundtraders.co.za img.allroundtraders.co.za;
ssl on;
ssl_certificate /etc/letsencrypt/live/<YOUR_DOMAIN>/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/www.allroundtraders.co.za/privkey.pem;
ssl_stapling on;
ssl_stapling_verify on;
add_header Strict-Transport-Security "max-age=31536000; includeSubdomains";
location ~* /\.\./ {
deny all;
return 404;
}
location / {
proxy_pass http://app_servers;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
}
}
NOTE: Remember to run nginx -t
to test your NGINX config, before assuming everything you did is valid. It’s pretty good at pointing out mistakes.
Like I mentioned, I am a developer by trade, not a sysadmin. Rather a sysadmin-light, so if I am wrong in my statements above please feel free to correct me and help others by doing so.
So far I am pretty impressed guys! So close indeed!