Yes, certbot.
I don't yet have it set up to auto-reload config, so I have to remember to restart nginx every couple of months to reload the SSL config. I could set up a cron job for that I guess.
My domain cert setup script (~/tools/letsencrypt.sh):
Code:
#!/bin/bash
# Request (or re-issue) a certificate for one or more names via the HTTP-01
# challenge, using the webroot the nginx letsencrypt snippet serves on port 80.
if [ -z "$1" ]; then
    echo "letsencrypt requires a fully qualified domain name (eg. example.com or example.com,www.example.com)"
    exit 1
fi
# $1 may be a comma-separated list of names; they all go on one certificate.
/opt/certbot/certbot-auto certonly --webroot --agree-tos -w /srv/www/letsencrypt/ -d "$1" --email simon@example.com
... I use this in conjunction with the nginx config below (a basic web server for the domain must be operating on port 80 using the letsencrypt snippet below).
My weekly cron task (/etc/cron.weekly/certbot-auto):
Code:
#!/bin/sh
# run letsencrypt certbot weekly to renew expiring certificates
/opt/certbot/certbot-auto renew --non-interactive --webroot --agree-tos -w /srv/www/letsencrypt/ --email simon@example.com
My SSL snippet (/etc/nginx/snippets/ssl.conf):
Code:
listen 443 ssl http2;
add_header Strict-Transport-Security "max-age=31536000" always;
My LetsEncrypt snippet (/etc/nginx/snippets/letsencrypt.conf):
Code:
# Serve ACME HTTP-01 challenge files from the shared webroot. A longest-prefix
# match (^~) limits this to the challenge path and stops regex locations from
# overriding it; the original unanchored regex matched "/.well-known" anywhere.
location ^~ /.well-known/acme-challenge/ {
    root /srv/www/letsencrypt;
    allow all;
    try_files $uri $uri/ =404;
}
My certs include (/etc/nginx/ssl/mydomain.com.conf):
Code:
ssl_certificate /etc/letsencrypt/live/mydomain.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/mydomain.com/privkey.pem;
... I would have run the following command to generate the above pem files:
Code:
$ ~/tools/letsencrypt.sh mydomain.com,www.mydomain.com
Here is a real nginx config from one of my sites (/etc/nginx/conf.d/somersoft.conf):
Code:
# main server: https://www.somersoft.com
# comment out this entire server block when installing cert for the first time
# certbot can use port 80 but SSL cert won't exist yet, so can't use 443
server {
server_name www.somersoft.com;
access_log /var/log/nginx/somersoft.com/somersoft.access.log;
error_log /var/log/nginx/somersoft.com/somersoft.error.log;
root /srv/www/somersoft.com;
include snippets/ssl.conf; # HTTPS IPv4 (SNI)
listen [2400:8901:e001:3d::103]:443 ssl http2; # HTTPS IPv6
include ssl/somersoft.com.conf;
include snippets/letsencrypt.conf;
include snippets/xenforo.conf;
}
# redirect naked domain https://somersoft.com => https://www.somersoft.com
# comment out this server block when installing cert for the first time
# certbot will use port 80 but SSL cert won't exist yet, so can't use 443
server {
server_name somersoft.com;
access_log /var/log/nginx/somersoft.com/somersoft-redirect.access.log;
error_log /var/log/nginx/somersoft.com/somersoft-redirect.error.log;
include snippets/ssl.conf; # HTTPS IPv4 (SNI)
listen [2400:8901:e001:3d::103]:443 ssl http2; # HTTPS IPv6
include ssl/somersoft.com.conf;
include snippets/letsencrypt.conf;
return 301 https://www.somersoft.com$request_uri;
}
# redirect naked and www domains from http to https ...
# http://somersoft.com => https://www.somersoft.com
# http://www.somersoft.com => https://www.somersoft.com
# when installing SSL certs for the first time, letsencrypt will actually use this server block to connect on port 80!
server {
server_name www.somersoft.com somersoft.com;
access_log /var/log/nginx/somersoft.com/somersoft-redirect.access.log;
error_log /var/log/nginx/somersoft.com/somersoft-redirect.error.log;
listen 80;
listen [2400:8901:e001:3d::103]:80; # IPv6
include snippets/letsencrypt.conf;
return 301 https://www.somersoft.com$request_uri;
}
... where (/etc/nginx/ssl/somersoft.com.conf) contains:
Code:
ssl_certificate /etc/letsencrypt/live/somersoft.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/somersoft.com/privkey.pem;
... and the pem files at that location were generated using the following command:
Code:
$ ~/tools/letsencrypt.sh somersoft.com,www.somersoft.com
... just for completeness, here is the contents of the xenforo snippet mentioned in the nginx config (/etc/nginx/snippets/xenforo.conf):
Code:
location / {
try_files $uri $uri/ /index.php?$uri&$args;
}
location /internal_data/ {
internal;
}
location /library/ {
internal;
}
include snippets/fastcgi.conf;
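The gap the post describes (remembering to restart nginx after certbot renews, otherwise nginx keeps serving the old certificate from memory until it expires) can be closed in the cron script itself. The simplest fix on a current certbot is `certbot renew --deploy-hook "systemctl reload nginx"`, which runs the hook only when a certificate was actually renewed. The script below is an added example, not the poster's script or certbot's own code: it records a checksum of every fullchain.pem after each reload, reloads nginx only when one of them changed, and refuses to reload if `nginx -t` fails, so an unrelated config typo cannot take the site down during an unattended renewal. The stamp path /var/lib/certbot/last-reload.cksum, the `CERTBOT`/`LIVE_DIR`/`WEBROOT` variables and the `run` argument are assumptions; the live directory layout is certbot's default.

```shell
#!/bin/sh
# Added example (not the poster's script): run certbot renew, then reload
# nginx only when a certificate on disk actually changed and `nginx -t`
# still passes. Paths below are assumptions matching certbot's defaults
# and the webroot used elsewhere in the post.
set -eu

CERTBOT="${CERTBOT:-/opt/certbot/certbot-auto}"
LIVE_DIR="${LIVE_DIR:-/etc/letsencrypt/live}"
STAMP="${STAMP:-/var/lib/certbot/last-reload.cksum}"   # assumed path
WEBROOT="${WEBROOT:-/srv/www/letsencrypt/}"

# fingerprint_certs DIR: one "checksum size path" line per fullchain.pem.
# cksum is POSIX; this only detects a rewritten file, it is not a security check.
fingerprint_certs() {
    for pem in "$1"/*/fullchain.pem; do
        if [ -f "$pem" ]; then
            cksum "$pem"
        fi
    done
}

# needs_reload DIR STAMP: succeeds when the certs differ from those recorded
# at the last reload, or when nothing has been recorded yet.
needs_reload() {
    [ -f "$2" ] || return 0
    if fingerprint_certs "$1" | cmp -s - "$2"; then
        return 1
    fi
    return 0
}

# record_reload DIR STAMP: remember which certs nginx is now serving.
record_reload() {
    mkdir -p "$(dirname "$2")"
    fingerprint_certs "$1" > "$2"
}

# reload_nginx: gate the reload on a config test so a broken edit elsewhere
# is reported instead of being picked up by an unattended cron run.
reload_nginx() {
    if ! nginx -t 2>/dev/null; then
        echo "nginx config test failed; not reloading" >&2
        return 1
    fi
    if command -v systemctl >/dev/null 2>&1; then
        systemctl reload nginx
    else
        nginx -s reload
    fi
}

main() {
    "$CERTBOT" renew --non-interactive --webroot -w "$WEBROOT" --quiet
    if needs_reload "$LIVE_DIR" "$STAMP"; then
        reload_nginx
        record_reload "$LIVE_DIR" "$STAMP"
    fi
}

# Only act when invoked with "run" so the functions can be sourced and
# exercised without touching certbot or nginx.
if [ "${1:-}" = "run" ]; then
    main
fi
```

Installed as root (both `nginx -t` and the reload need it), a cron entry such as `0 3 * * * /usr/local/sbin/certbot-renew-and-reload.sh run` (hypothetical path) replaces the weekly job above; certbot itself only renews certificates within 30 days of expiry, so running it daily is cheap and leaves more retries if Let's Encrypt is unreachable on a given day.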