Step-by-step tutorial?


#1

Dear Let’sEncrypt Community:

I was looking for simple step-by-step instructions on how to switch my website from http to https, assuming full server sudo ssh control. Googling for “letsencrypt nginx tutorial” yields only a DigitalOcean URL, https://www.digitalocean.com/community/tutorials/how-to-secure-nginx-with-let-s-encrypt-on-ubuntu-16-04 . Unfortunately, this no longer works (on 17.04), and omits some typical use cases (e.g., subdomains). I can get it to work, but it would be nice if Let’s Encrypt had a definitive guide itself. It’s too technical right now for uninformed website admins.

/iaw


#2

Hi @law4,

The closest that we have to this right now is what you’ll see if you go to

and select Nginx and Ubuntu 17.04. Then you will see

which gives you steps to follow using the --webroot method with certbot certonly.

Most recently we also offer --nginx, which may work for you! In the context of that tutorial, instead of

certbot certonly --standalone -d example.com -d www.example.com

you could use

certbot --nginx -d example.com -d www.example.com

This will attempt to obtain and install the certificate. (certonly obtains the certificate but does not install it in your Nginx configuration.) As this is a new feature, if you decide to try it, it would be great to get feedback about how well it worked for you.

I understand from @SwartzCr that DigitalOcean is eager to update their tutorials. So if you tell us what didn’t work in the DigitalOcean tutorial under 17.04, we can also pass that along to DigitalOcean and maybe they can then bring the existing tutorial up to date.
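
The difference between the two modes mentioned in this post, as an added example that is not part of the original thread: with `certonly` the HTTPS server block is written by hand, which is the part `--nginx` tries to do automatically. The domain names, the webroot `/var/www/example.com` and the TLS protocol list are assumptions.

```nginx
# Constructed example; example.com and /var/www/example.com are placeholders.

# Step 1: HTTP server block, in place before the certificate is requested.
server {
    listen 80;
    listen [::]:80;
    server_name example.com www.example.com;

    # The webroot method writes challenge files under
    # <webroot>/.well-known/acme-challenge/ and the CA fetches them over
    # plain HTTP, so this location must not be redirected.
    location ^~ /.well-known/acme-challenge/ {
        root /var/www/example.com;
        default_type "text/plain";
    }

    # Redirect everything else to HTTPS. Enable this only once the
    # HTTPS block in step 3 is live, or visitors are sent to a closed port.
    location / {
        return 301 https://$host$request_uri;
    }
}

# Step 2: obtain the certificate without modifying the Nginx configuration.
# Every hostname, including each subdomain, needs its own -d:
#   certbot certonly --webroot -w /var/www/example.com \
#       -d example.com -d www.example.com

# Step 3: HTTPS server block, added by hand after certonly succeeds.
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name example.com www.example.com;

    # By default certbot names the live/ directory after the first -d value.
    ssl_certificate     /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
    ssl_protocols       TLSv1.2 TLSv1.3;

    root  /var/www/example.com;
    index index.html;
}

# Step 4: validate and reload:  nginx -t && systemctl reload nginx
```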


#3

thank you. by the way, if the goal is to increase penetration, may I suggest that the project distribute a shell script that does it all for the most common setups under the standard configuration?

# letsencrypt /etc/nginx/sites-available/mysite.conf --both|--httpsonly

the mysite.conf file has all the necessary information in it. this would probably save time in the long run, as it would reduce stupid questions from noobs such as me—and save them a lot of time, too. (can I donate $100 to the letsencrypt project to help make this particular thing happen?)

regards,

/iaw


#4

hi @iaw4

From reading the forums, there is no standardized Linux configuration, so releasing a standardized script is ultimately useless (in my opinion).

It’s a chicken or the egg argument but ultimately education is the key

Until web administrators become confident in how their systems work and are able to tailor the script, all that will happen is more help requests.

Review the number of people that struggle with the Apache TLS-SNI challenge (which should work along similar lines to what you describe but keeps “breaking” due to people’s skills).

Just my 5 cents

Andrei


#5

Amusingly, Certbot itself is sort of meant to be this…

If you run certbot --nginx, it should be able to find your Nginx configuration and then get and install certificates for it… hopefully. :slight_smile: In the future, it may potentially be made to try by default to autodetect either Apache or Nginx and then get and install certificates for available sites in either.

I appreciate the offer but, sad to say, professionally-paid software development is more expensive than that these days… if reckoned in terms of developer salaries, I’m pretty sure each new feature added to Certbot has far outpaced $100.

However, we welcome contributions of both code and money, which can help improve all sorts of things over time.

https://letsencrypt.org/donate/



https://github.com/certbot

If you do want to pay an outside developer to implement your ideal vision, I’m sure we’ll be happy either to incorporate the code into our own projects or at least mention its availability here on the forums.


#6

yes, $100 is a small contribution from one person, who is not even sure if he is able to make it work. if you get a few hundred like me…

what about a script that integrates only with new default vanilla nginx and apache installs on ubuntu, fedora, and maybe one or two other standards? the script would build its own full sites-available/…conf file?

# letsencrypt -nginx [/etc/nginx/sites-available/]mysite.conf [/var/www/]mysite/

if letsencrypt builds the full conf file itself, then there is almost no uncertainty what you are dealing with. for the end user, starting from a configuration that works for sure and that one can extend later could make it easier on both ends ?!

I shudder to think what the letsencrypt installation was before certbot :wink:

it’s just a suggestion. I hope I am not appearing ungrateful. Thanks for doing this.

regards,

/iaw


#7

It was impossible, because Certbot was the first-ever ACME client. :slight_smile:

What I would like to see is more web servers doing something like what Caddy has done.

https://caddyserver.com/

If we had official integration from the various servers, they could potentially make it more reliable and convenient—like Caddy does—because they know their own configuration environments. (Though I realize this is easier when starting from scratch rather than when dealing with an existing installed base of servers and sysadmins.)


#8

yes. why wouldn’t nginx and apache2 flock to you??? sigh…

/iaw


#9

The problem with a good step-by-step guide is that it is not quite a “one size fits all” thing. There are multitudes of configurations out there, the installation process might behave differently with a change of version in any of the components, etc. It is practically impossible to have a guide which would cover all the cases and would always be up to date, especially the guides on third-party resources. Some guides actually might list steps which, if followed, would cause more problems and questions.

I believe Let’s Encrypt in this case is moving in the right direction - certbot usage is rather well described and it will try to handle most of the configurations automatically. And if it can’t, there’s this community support forum, which is full of people willing to help :slight_smile:

