Migration from commercial SSL certificate to LetsEncrypt

[Mouth]

Has anyone with their site https only and using a commercial SSL certificate that is expiring shortly, migrated to a LetsEncrypt SSL certificate instead?
If so, any learnings or issues ... or a seamless transition?

 

[Neal]

I'm using two sites on LetsEncrypt and it's working flawlessly. Once my other sites using paid for SSL's expire i'll be moving them over.

I'm using Plesk, and LetsEncrypt have a free addon that installs the certificate and renews it automagically each month without annoying you. I think they have extensions for other control panels.

The initial install of the SSL was just a simple click of a button, much easier than paid for SSL's!

 

[eva2000]

lots of letsencrypt ssl testing certs for my Centmin Mod LEMP stack auto letsencrypt ssl integration via acmetool.sh addon

but only one live site for now https://mysqlmymon.com - nginx http/2 based HTTPS + letsencrypt ssl cert all auto generated via acmetool.sh addon

./acmetool.sh acme-menu

--------------------------------------------------------
        SSL Management
--------------------------------------------------------
1).  acemtool.sh install
2).  acmetool.sh update
3).  acmetool.sh setup
4).  Issue SSL Management
5).  Renew SSL Management
6).  Reissue SSL Management
7).  Renew All Staging /Test Certs
8).  Renew ALL Live Certs
9).  Renew All Live Certs HTTPS Default
10). Exit
--------------------------------------------------------
Enter option [ 1 - 10 ] 
--------------------------------------------------------

 

[Sim]

I have several dozen sites online using LetsEncrypt, including many which were previously using commercial SSL certs. That also includes all of my XenForo forums - each running happily behind a LE cert.

Once I got the config correct, I simply swapped over to the new LE certs and it was seamless.

I'm running Nginx with HTTP/2

One hint: don't forget to set up SAN for both naked and www versions of your domain so you can redirect using HTTPS if required.

 

[Mouth]

I'm running Nginx with HTTP/2

Are you using certbot?
I'm reading of alpha support with nginx, which is making me a little investigative
Can you recommend a good source article for getting the config correct with nginx?

 

[Sim]

Yes, certbot.

I don't yet have it set up to auto-reload config, so I have to remember to restart nginx every couple of months to reload the SSL config. I could set up a cron job for that I guess.

My domain cert setup script (~/tools/letsencrypt.sh):

#!/bin/bash

if [ ! -n "$1" ]; then
        echo "letsencrypt requires a fully qualified domain name (eg. example.com or example.com,www.example.com)"
        exit 1;
fi

/opt/certbot/certbot-auto certonly --webroot --agree-tos -w /srv/www/letsencrypt/ -d $1 --email simon@example.com

... I use this in conjunction with the nginx config below (a basic web server for the domain must be operating on port 80 using the letsencrypt snippet below).


My weekly cron task (/etc/cron.weekly/certbot-auto):

#!/bin/sh
# run letsencrypt certbot weekly to renew expiring certificates

/opt/certbot/certbot-auto renew --non-interactive --webroot --agree-tos -w /srv/www/letsencrypt/ --email simon@example.com

My SSL snippet (/etc/nginx/snippets/ssl.conf):

listen 443 ssl http2;
add_header Strict-Transport-Security "max-age=31536000" always;

My LetsEncrypt snippet (/etc/nginx/snippets/letsencrypt.conf):

location ~ /.well-known {
   root /srv/www/letsencrypt;
   allow all;
   try_files $uri $uri/ =404;
}

My certs include (/etc/nginx/ssl/mydomain.com.conf):

ssl_certificate /etc/letsencrypt/live/mydomain.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/mydomain.com/privkey.pem;

... I would have run the following command to generate the above pem files: $ ~/tools/letsencrypt.sh mydomain.com,www.mydomain.com

Here is a real nginx config from one of my sites (/etc/nginx/conf.d/somersoft.conf):

# main server: https://www.somersoft.com
# comment out this entire server block when installing cert for the first time
# certbot can use port 80 but SSL cert won't exist yet, so can't use 443
server {
   server_name www.somersoft.com;
   access_log /var/log/nginx/somersoft.com/somersoft.access.log;
   error_log /var/log/nginx/somersoft.com/somersoft.error.log;
   root /srv/www/somersoft.com;

   include snippets/ssl.conf; # HTTPS IPv4 (SNI)
   listen [2400:8901:e001:3d::103]:443 ssl http2; # HTTPS IPv6
   include ssl/somersoft.com.conf;

   include snippets/letsencrypt.conf;

   include snippets/xenforo.conf;
}

# redirect naked domain https://somersoft.com => https://www.somersoft.com
# comment out this server block when installing cert for the first time
# certbot will use port 80 but SSL cert won't exist yet, so can't use 443
server {
   server_name somersoft.com;
   access_log /var/log/nginx/somersoft.com/somersoft-redirect.access.log;
   error_log /var/log/nginx/somersoft.com/somersoft-redirect.error.log;

   include snippets/ssl.conf; # HTTPS IPv4 (SNI)
   listen [2400:8901:e001:3d::103]:443 ssl http2; # HTTPS IPv6
   include ssl/somersoft.com.conf;

   include snippets/letsencrypt.conf;

   return 301 https://www.somersoft.com$request_uri;
}

# redirect naked and www domains from http to https ...
# http://somersoft.com => https://www.somersoft.com
# http://www.somersoft.com => https://www.somersoft.com
# when installing SSL certs for the first time, letssencrypt will actually use this server block to connect on port 80!
server {
   server_name www.somersoft.com somersoft.com;
   access_log /var/log/nginx/somersoft.com/somersoft-redirect.access.log;
   error_log /var/log/nginx/somersoft.com/somersoft-redirect.error.log;

   listen 80;
   listen [2400:8901:e001:3d::103]:80; # IPv6

   include snippets/letsencrypt.conf;

   return 301 https://www.somersoft.com$request_uri;
}

... where (/etc/nginx/ssl/somersoft.com.conf) contains:

ssl_certificate /etc/letsencrypt/live/somersoft.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/somersoft.com/privkey.pem;

... and the pem files at that location were generated using the following command:

$ ~/tools/letsencrypt.sh somersoft.com,www.somersoft.com

... just for completeness, here is the contents of the xenforo snippet mentioned in the nginx config (/etc/nginx/snippets/xenforo.conf):

location / {
   try_files $uri $uri/ /index.php?$uri&$args;
}

location /internal_data/ {
   internal;
}

location /library/ {
   internal;
}

include snippets/fastcgi.conf;

 

[Xon]

@Sim you can just reload nginx, it safely picks up the SSL changes atomically and on an error does nothing. Unlike apache which can outright crash on a reload with messed up SSL configuration.

 

[Sim]

yeah, I'll probably just add the following to my weekly renewal cron job

nginx -t && nginx -s reload

 

[Tracy Perry]

Unlike apache which can outright crash on a reload with messed up SSL configuration.

Tell ME about that... after 3 hours of working trying to get an Apache2/Webmin to recognize SSL for the default vhost I finally said "THWI" and only installed the certificate on the WebMin end of the system.