
Migration from commercial SSL certificate to LetsEncrypt

Discussion in 'Server Configuration and Hosting' started by Mouth, Oct 11, 2016.

  1. Mouth

    Mouth Well-Known Member

    Has anyone with their site https only and using a commercial SSL certificate that is expiring shortly, migrated to a LetsEncrypt SSL certificate instead?
    If so, any learnings or issues ... or a seamless transition?
  2. Neal

    Neal Well-Known Member

    I'm using two sites on LetsEncrypt and it's working flawlessly. Once my other sites using paid-for SSLs expire I'll be moving them over.

    I'm using Plesk, and LetsEncrypt have a free addon that installs the certificate and renews it automagically each month without annoying you. I think they have extensions for other control panels.

    The initial install of the SSL was just a simple click of a button, much easier than paid-for SSLs!
    fly and Mouth like this.
  3. eva2000

    eva2000 Well-Known Member

    lots of letsencrypt ssl testing certs for my Centmin Mod LEMP stack auto letsencrypt ssl integration via acmetool.sh addon :)

    but only one live site for now https://mysqlmymon.com - nginx http/2 based HTTPS + letsencrypt ssl cert all auto generated via acmetool.sh addon :D

    ./acmetool.sh acme-menu
            SSL Management
    1).  acemtool.sh install
    2).  acmetool.sh update
    3).  acmetool.sh setup
    4).  Issue SSL Management
    5).  Renew SSL Management
    6).  Reissue SSL Management
    7).  Renew All Staging /Test Certs
    8).  Renew ALL Live Certs
    9).  Renew All Live Certs HTTPS Default
    10). Exit
    Enter option [ 1 - 10 ] 
    alegeek and Pierce like this.
  4. Sim

    Sim Well-Known Member

    I have several dozen sites online using LetsEncrypt, including many which were previously using commercial SSL certs. That also includes all of my XenForo forums - each running happily behind a LE cert.

    Once I got the config correct, I simply swapped over to the new LE certs and it was seamless.

    I'm running Nginx with HTTP/2

    One hint: don't forget to set up SAN for both naked and www versions of your domain so you can redirect using HTTPS if required.
    Neal and Mouth like this.
  5. Mouth

    Mouth Well-Known Member

    Are you using certbot?
    I'm reading of alpha support with nginx, which is making me a little investigative :)
    Can you recommend a good source article for getting the config correct with nginx?
  6. Sim

    Sim Well-Known Member

    Yes, certbot.

    I don't yet have it set up to auto-reload config, so I have to remember to restart nginx every couple of months to reload the SSL config. I could set up a cron job for that I guess.

    My domain cert setup script (~/tools/letsencrypt.sh):
    #!/bin/sh
    # usage: letsencrypt.sh example.com  (or example.com,www.example.com for several SANs)
    if [ ! -n "$1" ]; then
            echo "letsencrypt requires a fully qualified domain name (eg. example.com or example.com,www.example.com)"
            exit 1
    fi
    # webroot challenge: certbot writes the ACME token under /srv/www/letsencrypt/.well-known/
    /opt/certbot/certbot-auto certonly --webroot --agree-tos -w /srv/www/letsencrypt/ -d "$1" --email simon@example.com
    ... I use this in conjunction with the nginx config below (a basic web server for the domain must be operating on port 80 using the letsencrypt snippet below).

    My weekly cron task (/etc/cron.weekly/certbot-auto):
    # run letsencrypt certbot weekly to renew expiring certificates
    /opt/certbot/certbot-auto renew --non-interactive --webroot --agree-tos -w /srv/www/letsencrypt/ --email simon@example.com

    My SSL snippet (/etc/nginx/snippets/ssl.conf):
    listen 443 ssl http2;
    add_header Strict-Transport-Security "max-age=31536000" always;

    My LetsEncrypt snippet (/etc/nginx/snippets/letsencrypt.conf):
    location ~ /.well-known {
       root /srv/www/letsencrypt;
       allow all;
       try_files $uri $uri/ =404;
    }

    My certs include (/etc/nginx/ssl/mydomain.com.conf):
    ssl_certificate /etc/letsencrypt/live/mydomain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/mydomain.com/privkey.pem;
    ... I would have run the following command to generate the above pem files: $ ~/tools/letsencrypt.sh mydomain.com,www.mydomain.com

    Here is a real nginx config from one of my sites (/etc/nginx/conf.d/somersoft.conf):

    # main server: https://www.somersoft.com
    # comment out this entire server block when installing cert for the first time
    # certbot can use port 80 but SSL cert won't exist yet, so can't use 443
    server {
       server_name www.somersoft.com;
       access_log /var/log/nginx/somersoft.com/somersoft.access.log;
       error_log /var/log/nginx/somersoft.com/somersoft.error.log;
       root /srv/www/somersoft.com;
       include snippets/ssl.conf; # HTTPS IPv4 (SNI)
       listen [2400:8901:e001:3d::103]:443 ssl http2; # HTTPS IPv6
       include ssl/somersoft.com.conf;
       include snippets/letsencrypt.conf;
       include snippets/xenforo.conf;
    }
    # redirect naked domain https://somersoft.com => https://www.somersoft.com
    # comment out this server block when installing cert for the first time
    # certbot will use port 80 but SSL cert won't exist yet, so can't use 443
    server {
       server_name somersoft.com;
       access_log /var/log/nginx/somersoft.com/somersoft-redirect.access.log;
       error_log /var/log/nginx/somersoft.com/somersoft-redirect.error.log;
       include snippets/ssl.conf; # HTTPS IPv4 (SNI)
       listen [2400:8901:e001:3d::103]:443 ssl http2; # HTTPS IPv6
       include ssl/somersoft.com.conf;
       include snippets/letsencrypt.conf;
       return 301 https://www.somersoft.com$request_uri;
    }
    # redirect naked and www domains from http to https ...
    # http://somersoft.com => https://www.somersoft.com
    # http://www.somersoft.com => https://www.somersoft.com
    # when installing SSL certs for the first time, letsencrypt will actually use this server block to connect on port 80!
    server {
       server_name www.somersoft.com somersoft.com;
       access_log /var/log/nginx/somersoft.com/somersoft-redirect.access.log;
       error_log /var/log/nginx/somersoft.com/somersoft-redirect.error.log;
       listen 80;
       listen [2400:8901:e001:3d::103]:80; # IPv6
       include snippets/letsencrypt.conf;
       return 301 https://www.somersoft.com$request_uri;
    }

    ... where (/etc/nginx/ssl/somersoft.com.conf) contains:
    ssl_certificate /etc/letsencrypt/live/somersoft.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/somersoft.com/privkey.pem;

    ... and the pem files at that location were generated using the following command:
    $ ~/tools/letsencrypt.sh somersoft.com,www.somersoft.com

    ... just for completeness, here is the contents of the xenforo snippet mentioned in the nginx config (/etc/nginx/snippets/xenforo.conf):
    location / {
       try_files $uri $uri/ /index.php?$uri&$args;
    }
    location /internal_data/ {
       # (the directives inside this block did not survive in the post)
    }
    location /library/ {
       # (the directives inside this block did not survive in the post)
    }
    include snippets/fastcgi.conf;
    Last edited: Oct 11, 2016
    Neal, Mouth, fly and 1 other person like this.
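Before swapping an nginx vhost from the commercial cert to the new Let's Encrypt one, it is worth confirming that the issued certificate actually carries both the naked and www names Sim mentions and is not already close to expiry (which would mean the renewal cron is not doing its job). The script below is an added example, not Sim's or certbot's code; it only needs the openssl CLI, the certificate paths and domain names in it are assumptions, and the self-signed fixture it builds is constructed purely so the checks can be exercised offline.

```shell
#!/bin/sh
# Added example (not from the thread): sanity checks to run on a freshly
# issued certificate before pointing nginx at it. Requires the openssl CLI.

# Print the DNS names from the certificate's subjectAltName, one per line.
# $1 = PEM file; for a certbot fullchain.pem the first cert in the file is
# the leaf, which is the one `openssl x509` reads.
cert_san_names() {
    openssl x509 -in "$1" -noout -text \
        | grep -A1 'Subject Alternative Name' \
        | tr ',' '\n' \
        | sed -n 's/^[[:space:]]*DNS:\([^[:space:]]*\).*/\1/p'
}

# Exit 0 only if the certificate lists every domain given after the path,
# e.g. cert_covers_domains fullchain.pem mydomain.com www.mydomain.com
cert_covers_domains() {
    cert="$1"; shift
    names=$(cert_san_names "$cert")
    for d in "$@"; do
        printf '%s\n' "$names" | grep -qx "$d" || return 1
    done
    return 0
}

# Exit 0 only if the certificate is still valid N days from now. Certbot
# renews at 30 days out, so a live cert that fails this with N=30 means
# renewal is broken and the site is heading for an outage.
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# Constructed fixture: a throwaway self-signed cert with the two SANs Sim
# recommends, valid for 60 days. Writes privkey.pem/fullchain.pem into $1.
# Uses a config file rather than -addext so it works on older OpenSSL too.
make_sample_cert() {
    dir="$1"
    cat > "$dir/san.cnf" <<'EOF'
[req]
distinguished_name = req_dn
[req_dn]
[v3_req]
subjectAltName = DNS:mydomain.com,DNS:www.mydomain.com
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 60 \
        -subj '/CN=mydomain.com' -config "$dir/san.cnf" -extensions v3_req \
        -keyout "$dir/privkey.pem" -out "$dir/fullchain.pem" 2>/dev/null
}

# Example usage against a real certbot directory (assumed path):
#   live=/etc/letsencrypt/live/mydomain.com/fullchain.pem
#   cert_covers_domains "$live" mydomain.com www.mydomain.com \
#       && cert_valid_for_days "$live" 30 \
#       && echo "safe to switch nginx to the new cert"
```

If the naked domain is missing from the SAN list, the `return 301 https://www.…` redirect block in Sim's config will still serve a certificate the browser rejects for `https://mydomain.com`, so this check catches exactly the mistake his hint warns about.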
  7. Xon

    Xon Well-Known Member

    @Sim you can just reload nginx, it safely picks up the SSL changes atomically and on an error does nothing. Unlike apache which can outright crash on a reload with messed up SSL configuration.
    Tracy Perry likes this.
  8. Sim

    Sim Well-Known Member

    yeah, I'll probably just add the following to my weekly renewal cron job

    nginx -t && nginx -s reload
  9. Tracy Perry

    Tracy Perry Well-Known Member
