Windows nginx help

Hi, I’m trying to create a cert for Home Assistant on an RPi3.
I already have nginx on my Windows machine, which proxies all my Usenet programs to my own domain with a paid SSL.

I’ve created a server block to link from mydomain directly to my RPi3 via a host domain through nginx, which works. I would now like to add an SSL.

I came across letsencrypt but I’m really having issues setting it up.

I’ve installed letsencrypt-win-simple and ran the .exe.

Here is what I’ve done:

  1. Added my email address
  2. Agreed to the terms
  3. Picked M install manually (as it didn’t find IIS)
  4. Typed in my domain (host domain via no ip: home.mydomain.com)
  5. Provided a folder link to my html
    Now, I don’t quite get this, so I linked my main page to the server block, ran it and got this:

[INFO] Authorizing identifier home.mydomain.com using http-01 challenge
[INFO] Answer should now be browsable at http://home.mydomain.com/.well-known/acme-challenge/hV5ns2fuXGczUzAvGw0DmixhtcohmiItxZ4NXtSCV08
[INFO] Authorization result: valid
[INFO] Requesting certificate: home.mydomain.com
[INFO] Saving certificate to C:\ProgramData\letsencrypt-win-simple\httpsacme-v01.api.letsencrypt.org\home.mydomain.com-crt.der
[INFO] Saving issuer certificate to C:\ProgramData\letsencrypt-win-simple\httpsacme-v01.api.letsencrypt.org\ca-0A0141420000015385736A0B85ECA708-crt.pem
[INFO] Saving certificate to C:\ProgramData\letsencrypt-win-simple\httpsacme-v01.api.letsencrypt.org\home.mydomain.com-all.pfx
[INFO] Installing Non-Central SSL Certificate in the certificate store
[INFO] Installing Non-Central SSL Certificate in server software
[WARN] Unable to configure server software.
[INFO] Removing certificate home.mydomain.com 2017/8/24 10:38:49 PM
[INFO] Closing certificate store
[INFO] Adding renewal for [Manual] [1 binding - home.mydomain.com @ C:\nginx-1.8.0\html]
[INFO] Creating task letsencrypt-win-simple httpsacme-v01.api.letsencrypt.org with Windows Task scheduler at 9am every day.

  6. I give it a username and password, yet it fails and asks if I want to start again (don’t know if that matters).

Now when I check the following folder C:\ProgramData\letsencrypt-win-simple\httpsacme-v01.api.letsencrypt.org

I see the following files.
ca-0A0141420000015385736A0B85ECA708-crt.der
ca-0A0141420000015385736A0B85ECA708-crt.pem
home.mydomain.com-all.pfx
home.mydomain.com-chain.pem
home.mydomain.com-crt.der
home.mydomain.com-crt.pem
home.mydomain.com-csr.pem
home.mydomain.com-gen-csr.json
home.mydomain.com-gen-key.json
home.mydomain.com-key.pem
Registration
Signer

Have I created them correctly and which ones are needed for nginx?

Many thanks

Hi @phairplay,

I haven’t used letsencrypt-win-simple but it’s sure being thorough about what different applications might potentially want. :slight_smile: The relevant files for nginx are

home.mydomain.com-chain.pem ← certificate chain (intermediate certificate)
home.mydomain.com-crt.pem ← your certificate (end-entity certificate)
home.mydomain.com-key.pem ← your private key

However, apparently nginx wants you to combine the certificate and chain into one file (in Certbot we call that “full chain”, but letsencrypt-win-simple possibly did not create it). At that point, you can tell nginx where to find the full chain and the private key:

https://nginx.org/en/docs/http/configuring_https_servers.html

It’s possible that home.mydomain.com-crt.pem might already contain the chain certificate. If you look at the contents of that file, there will either be one block that starts -----BEGIN CERTIFICATE----- or two such blocks. If there are two, then it’s pre-combined and you could just point nginx to that file as the ssl_certificate.

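The check and the combine step described in the reply above, as an added Python example that is not part of the original thread or of letsencrypt-win-simple: it counts the `CERTIFICATE` blocks in a PEM file and builds a full-chain file with the end-entity certificate first, which is the order nginx expects. The function names and the sample PEM data are constructed for illustration, and the code assumes the first block in the `-crt.pem` file is the end-entity certificate.

```python
import re

# Matches any PEM block; tolerant of CRLF line endings written on Windows.
PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----\s+(.*?)\s+-----END \1-----", re.S)

def pem_blocks(text):
    """Return (label, block) pairs, each block re-wrapped at 64 chars with LF endings."""
    blocks = []
    for m in PEM_RE.finditer(text):
        label, body = m.group(1), "".join(m.group(2).split())
        lines = [body[i:i + 64] for i in range(0, len(body), 64)]
        block = "\n".join([f"-----BEGIN {label}-----", *lines, f"-----END {label}-----"])
        blocks.append((label, block + "\n"))
    return blocks

def count_certs(pem_text):
    """The manual check from the reply: one block = leaf only, two = pre-combined."""
    return sum(1 for label, _ in pem_blocks(pem_text) if label == "CERTIFICATE")

def build_fullchain(crt_pem, chain_pem):
    """Leaf first (assumed to be the first block of crt_pem), then intermediates.

    Duplicate certificates are dropped and private-key blocks are never copied,
    so the output is safe to use as the certificate file.
    """
    certs = []
    for label, block in pem_blocks(crt_pem) + pem_blocks(chain_pem):
        if label == "CERTIFICATE" and block not in certs:
            certs.append(block)
    if not certs:
        raise ValueError("no CERTIFICATE block found")
    return "".join(certs)

# Constructed sample data: placeholder base64, not real certificates or keys.
def sample_pem(label, body, eol="\n"):
    return f"-----BEGIN {label}-----{eol}{body}{eol}-----END {label}-----{eol}"

LEAF = sample_pem("CERTIFICATE", "TEVBRi1jZXJ0aWZpY2F0ZQ==", eol="\r\n")
INTERMEDIATE = sample_pem("CERTIFICATE", "SU5URVJNRURJQVRFLWNlcnQ=")
KEY = sample_pem("RSA PRIVATE KEY", "UFJJVkFURS1rZXk=")

if __name__ == "__main__":
    # crt.pem holds only the leaf; chain.pem holds leaf + intermediate + key.
    fullchain = build_fullchain(LEAF, LEAF + INTERMEDIATE + KEY)
    print(count_certs(fullchain), "certificates, key included:", "PRIVATE KEY" in fullchain)
    # On disk: read the -crt.pem and -chain.pem files, write the result to the file
    # ssl_certificate points at, and point ssl_certificate_key at -key.pem.
```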

When you get it set up correctly, you may also want to think about what will happen with certificate expiry and renewal. Remember that Let’s Encrypt certificates expire after 90 days.


Thank you for the quick response.
Now the chain file did have everything I need (along with the key). I’ll start looking into how to auto create a renewal.
